detection engineering
24 posts
AI is making attackers worse, not better.
Defender telemetry through 2026 shows model-mediated attackers produce more volume, less variance, weaker adaptation. Substitution is not uplift.
CISA contractor leaked GovCloud keys to GitHub
Technical analysis of a CISA contractor's leaked AWS GovCloud admin keys on GitHub - blast radius, IAM persistence paths, CloudTrail detections, supply-chain tail.
The IIS virtual directory that won't stop bleeding
Technical analysis of the Exchange Server zero-day, the frontend-to-backend trust boundary it abuses, and what fires in EDR and IIS telemetry.
Mandiant clocked 5 days in 2023
Mean time-to-exploit for critical CVEs has collapsed to days. The mechanism is patch diffing, n-day industrialisation, and telemetry gaps on appliances.
NGINX ships emergency patch for HTTP/3 heap overflow
CVE-2026-42945 technical analysis: heap overflow in NGINX HTTP/3 HEADERS frame parsing, worker RCE primitive, telemetry gaps, and patch boundary.
Patching nginx doesn't close this one
CVE-2026-42945 NGINX rewrite module heap buffer overflow: bug mechanism, exploit primitives, MITRE mapping, and EDR telemetry blind spots in worker exploitation.
Dirty Frag races the refcount
Dirty Frag (CVE-2026-XXXX) is a Linux kernel page migration race yielding root LPE on all major distros. Mechanism, telemetry, and patch boundary.
The dashboard pushed every critical CVE to GitHub
Technical analysis of a unified vulnerability dashboard pushed to a public GitHub repo, the scanner token blast radius, and what defenders actually see.
Copy.fail has been root since 2017
Copy.fail turns an unprivileged Linux user into root via a copy_file_range credential cache flaw. Reachable since 2017. Telemetry gaps explained.
Binding 65535 ports is the easy part
Architecture and evasion realities of an LLM honeypot binding all 65535 ports - TPROXY, latency tiers, fingerprint defence, and detection traps.
Pick offense or defense
Two paths into infosec - offense and defense - broken down at the mechanism level. Foundation, tooling, telemetry, and the divergence point.
Your MSSP is selling you blindness.
MSSPs run perimeter-era detection while attackers operate inside the identity boundary. The gap is structural, not a resourcing problem.