hello, world
Why this site exists, what I plan to write here, and how the whole thing ships.
I defend networks for a living — detection engineering, CTI, and the operational glue between tools. Automation is changing what a small defensive team can do, and I'm writing down what actually works.
# tip: press ` anywhere — this site has a console # tip: tap `console in the header — this site has a shell
Why this site exists, what I plan to write here, and how the whole thing ships.
0/76 techniques
covered · lit cells link to the writing
# tag posts with techniques: ['T1566'] frontmatter to
light the map
Public detection engineering notes: rules and hunting queries mapped to ATT&CK, with the false-positive war stories included.
Self-hosted threat intelligence stack — OpenCTI, MISP, and the collection pipelines that feed them.
Automation patterns for SOC workflows: enrichment, triage, and the boring plumbing that gives analysts their hours back.
$ ./sync-signals # first sync pending
# newest CISA KEV entries land here nightly via a scheduled Action.
# populate now: node scripts/update-signals.mjs