A.I. Cybersecurity Tool Marketing: Insanity vs Reality
A.I. insanity has reached no heights. As vendors scream about AI super threats while the reality is boring.
Detection
View all"That Can be Evaded" and the Imperfect Detector
Every detection can be evaded. So what's worse: missing an attack or drowning in noise? The Base-Rate Fallacy shows that false positives are the true limiting factor. The goal isn't to be perfect; it's to be a difficult target. Each layer that forces an adversary to adapt is a win.
Fuzzy Hashing Research: A Paper Highlight with Practitioner's Notes
A new paper questions fuzzy hashing, but real-world data tells a different story. I share practical lessons for reducing false positives and argue that the future of TLSH isn't in alerting, it's in enriching events to create high-fidelity detections.
Maximizing the Value of Indicators of Compromise and Reimagining Their Role in Modern Detection
Have we become so focused on TTPs that we've dismissed the value at the bottom of the pyramid? This post explores what role IOC's have in a modern detection program if any, and what the future may look like for them.
Why the EDR Telemetry Project is Misleading
The EDR Telemetry Project is misleading. Its scoring only defines if telemetry is collected, not if it's actually useable. This post breaks down why the project is flawed in its current state and how some minor tweaks could make it truly valuable.
Announcing CelesTLSH CLI: A Lightweight Tool for TLSH Hash Analysis
I'm excited to announce the release of CelesTLSH CLI, a lightweight CLI interface tool for calculating, comparing, and analyzing TLSH hashes. This tool is designed to help security professionals quickly identify potentially malicious files by comparing them against a database of known attack tools.
Vintage Detection: Applying RADAR Research from 1953 to Detect Modern Cyber Threats
A 1953 mathematical framework reveals how military RADAR research can revolutionize cybersecurity. By transforming threat detection from gut feeling to probabilistic science, signal detection theory offers a powerful approach to distinguishing genuine threats from routine noise.
Research
View allWhat Does "Visibility" Actually Mean When it comes to Cybersecurity?
In cybersecurity, nobody agrees on what "visibility" means. This post cuts through vendor hype with a practical framework, using a Splunk article's model of telemetry, monitoring, and observability to give your entire team a shared language to build better defenses.
Announcing CelesTLSH CLI: A Lightweight Tool for TLSH Hash Analysis
I'm excited to announce the release of CelesTLSH CLI, a lightweight CLI interface tool for calculating, comparing, and analyzing TLSH hashes. This tool is designed to help security professionals quickly identify potentially malicious files by comparing them against a database of known attack tools.
Vintage Detection: Applying RADAR Research from 1953 to Detect Modern Cyber Threats
A 1953 mathematical framework reveals how military RADAR research can revolutionize cybersecurity. By transforming threat detection from gut feeling to probabilistic science, signal detection theory offers a powerful approach to distinguishing genuine threats from routine noise.
Falling in love with NSM again
When I started in cybersecurity, most web traffic wasn’t encrypted, which meant Firewalls and Network Intrusion Detection Systems played a critical role in detecting malicious activity. Endpoint visibility was limited—most organizations still relied on traditional Anti-Virus
UFOs and Mobile Malware - How Retaliation Against a Source Led Me to iVerify
For the past year and a half, I’ve been on one of the wildest adventures of my life, writing a book on UFOs and UAP. It has taken me through a painstaking process of finding and connecting with people who may hold valuable information for my work.
Using A.I. to Expose Redacted Sensitive Information
While reading Imminent, a newly released book on UAPs by Luis “Lue” Elizondo, I noticed something intriguing: the text redacted by the Department of Defense was left in plain sight. Naturally, my curiosity kicked in—who wouldn’t want to uncover what’s hidden behind those blacked-out lines?
The Power of Proactive Cybersecurity with Domain and TLS Monitoring
It is often mistakenly believed that defenders cannot gain visibility into the early stages of the Cyber Kill Chain before the delivery phase.
General
View allSoftware Development Nuggets for Security Analysts Part 2: The Browser
The response to the first article was really positive, and it highlighted something I've seen a lot: many
How I Leveled Up from Help Desk to Cloud Security Researcher
Breaking into cybersecurity feels impossible right now. This isn't a magic formula, but my personal story of navigating the field. Learn from my experiences with degrees, certs, and networking to find your own way in a tough job market.
Announcing CelesTLSH CLI: A Lightweight Tool for TLSH Hash Analysis
I'm excited to announce the release of CelesTLSH CLI, a lightweight CLI interface tool for calculating, comparing, and analyzing TLSH hashes. This tool is designed to help security professionals quickly identify potentially malicious files by comparing them against a database of known attack tools.
Tips for Reclaiming Your Digital Privacy in 2025
Maintaining online privacy in today’s world is nearly impossible without completely disconnecting—and even then, friends and family may
Falling in love with NSM again
When I started in cybersecurity, most web traffic wasn’t encrypted, which meant Firewalls and Network Intrusion Detection Systems played a critical role in detecting malicious activity. Endpoint visibility was limited—most organizations still relied on traditional Anti-Virus
Using A.I. to Expose Redacted Sensitive Information
While reading Imminent, a newly released book on UAPs by Luis “Lue” Elizondo, I noticed something intriguing: the text redacted by the Department of Defense was left in plain sight. Naturally, my curiosity kicked in—who wouldn’t want to uncover what’s hidden behind those blacked-out lines?
The Power of Proactive Cybersecurity with Domain and TLS Monitoring
It is often mistakenly believed that defenders cannot gain visibility into the early stages of the Cyber Kill Chain before the delivery phase.
SecOps
View allWhat Framing Security Alerts as a Binary True or False Positive is Costing You
Ask anyone who’s worked in a SOC long enough and they’ll tell you: debates over “true positive” versus “false positive” happen a lot. Usually, the conversation goes in circles—one person insists an alert was a false positive, another argues it was technically a true positive,
Announcing CelesTLSH CLI: A Lightweight Tool for TLSH Hash Analysis
I'm excited to announce the release of CelesTLSH CLI, a lightweight CLI interface tool for calculating, comparing, and analyzing TLSH hashes. This tool is designed to help security professionals quickly identify potentially malicious files by comparing them against a database of known attack tools.
Vintage Detection: Applying RADAR Research from 1953 to Detect Modern Cyber Threats
A 1953 mathematical framework reveals how military RADAR research can revolutionize cybersecurity. By transforming threat detection from gut feeling to probabilistic science, signal detection theory offers a powerful approach to distinguishing genuine threats from routine noise.
Falling in love with NSM again
When I started in cybersecurity, most web traffic wasn’t encrypted, which meant Firewalls and Network Intrusion Detection Systems played a critical role in detecting malicious activity. Endpoint visibility was limited—most organizations still relied on traditional Anti-Virus
UFOs and Mobile Malware - How Retaliation Against a Source Led Me to iVerify
For the past year and a half, I’ve been on one of the wildest adventures of my life, writing a book on UFOs and UAP. It has taken me through a painstaking process of finding and connecting with people who may hold valuable information for my work.
The Power of Proactive Cybersecurity with Domain and TLS Monitoring
It is often mistakenly believed that defenders cannot gain visibility into the early stages of the Cyber Kill Chain before the delivery phase.
A Five Year Retrospective on Detection as Code
Five years ago, I co-authored the first public paper on the concept of Detection as Code. While having some technical peers review this paper, we found that a few more advanced security programs were already utilizing this sort of method, just not publicly talking about it.
News
View allTips for Reclaiming Your Digital Privacy in 2025
Maintaining online privacy in today’s world is nearly impossible without completely disconnecting—and even then, friends and family may
Falling in love with NSM again
When I started in cybersecurity, most web traffic wasn’t encrypted, which meant Firewalls and Network Intrusion Detection Systems played a critical role in detecting malicious activity. Endpoint visibility was limited—most organizations still relied on traditional Anti-Virus
UFOs and Mobile Malware - How Retaliation Against a Source Led Me to iVerify
For the past year and a half, I’ve been on one of the wildest adventures of my life, writing a book on UFOs and UAP. It has taken me through a painstaking process of finding and connecting with people who may hold valuable information for my work.
Using A.I. to Expose Redacted Sensitive Information
While reading Imminent, a newly released book on UAPs by Luis “Lue” Elizondo, I noticed something intriguing: the text redacted by the Department of Defense was left in plain sight. Naturally, my curiosity kicked in—who wouldn’t want to uncover what’s hidden behind those blacked-out lines?
The Power of Proactive Cybersecurity with Domain and TLS Monitoring
It is often mistakenly believed that defenders cannot gain visibility into the early stages of the Cyber Kill Chain before the delivery phase.
Detecting RegreSSHion - CVE-2024-6387 a Guide
Recently, the killer vulnerability research team at Qualys discovered a Remote Code Execution (RCE) vulnerability in OpenSSH that exploits a race condition within SSH. This vulnerability is particularly concerning because SSH is commonly exposed to the internet for remote system management.
Operationalizing TLSH Fuzzy Hashing
If you work in cybersecurity or tech, you’re likely familiar with hashing. A cryptographic hash function generates a fixed-size hash value from any given input data. This is a one-way process, making it computationally infeasible to reverse-engineer the original data from the hash value.