Technical Blog

Insider-level research.
Written by practitioners.

Deep-dives into how real attacks work, how detection rules break, and how defenders should actually think.

Featured · 16 min read

JWT Security Deep Dive: Algorithm Confusion to Full Bypass

Five JWT failure modes account for the overwhelming majority of real-world authentication bypasses. Each one collapses onto the same root cause - the verifier let data inside the token decide how the token would be verified. Here is how each plays out, why they keep shipping, and what a correct verifier actually looks like.

Active Directory

Kerberos Attack Paths: AS-REP Roasting to Domain Compromise

An end-to-end walk through the Kerberos abuse chain that defines how internal compromise actually unfolds in real engagements: AS-REP roasting, Kerberoasting, constrained delegation, and the Silver Ticket. The fundamental mistake repeats at every stage, and naming it makes the chain stop being magical.

Apr 12, 2026 · 13 min
Detection

EDR Bypass via Telemetry Gaps: What Most Rules Miss

Modern EDR is a telemetry funnel - and like every funnel, what doesn't flow through it isn't seen. This post walks the three classes of EDR blind spot that account for the majority of the undetected post-exploitation activity we have observed, and what defenders can do about each.

Apr 6, 2026 · 11 min
AI Security

A Working Taxonomy of LLM Jailbreaks and What They Actually Bypass

The vocabulary around LLM jailbreaks is a mess. People use 'prompt injection', 'jailbreak', and 'extraction' as synonyms. They are not synonymous, and treating them as if they are is what leads to defences that look impressive in slide decks and fail in production. Here is a working taxonomy that has held up across two years of red-team work.

Mar 28, 2026 · 14 min
Supply Chain

Detecting Supply Chain Compromise via Build Pipeline Telemetry

By the time a malicious dependency lands in production, you are five steps behind the attacker. The cheap, high-value detection happens at the build pipeline - and most teams are barely instrumented there. Here is the small set of build-pipeline signals that catches most realistic supply chain compromise.

Mar 19, 2026 · 9 min
Detection

Writing Sigma Rules That Actually Fire

Most detection rules look fine on paper and never fire in production. The problem is rarely the rule itself; it is the rule's relationship to the log source it depends on. A short field guide to writing Sigma rules that survive contact with reality.

Jan 30, 2026 · 8 min
Perspective

On the Asymmetry of Defender Time

There's a popular line that 'attackers only need to be right once; defenders need to be right every time.' It's a memorable line that obscures the real asymmetry. The actual structural advantage attackers hold over defenders is not about correctness; it is about time.

Apr 22, 2026 · 9 min
OSINT

The Half-Life of a Phishing Kit

Across 217 phishing kits collected and reverse-engineered from live infrastructure over an eight-month window, three distinct populations emerged - distinguished not by language or target, but by the half-life of the underlying operation. The implications for both detection and attribution are non-obvious.

Apr 8, 2026 · 11 min
Methodology

Why Most Threat Models Are Wrong (and the One That Wasn't)

The threat model document on every team's wiki has the same structure, the same diagrams, and the same omissions. It captures the threats that fit on the page and misses the ones that don't. There is a different way to do this - uglier on paper, more honest under pressure.

Mar 4, 2026 · 10 min