Blue team engineering, threat intel, and the automation turning point.

I defend networks for a living — detection engineering, CTI, and the operational glue between tools. Automation is changing what a small defensive team can do, and I'm writing down what actually works.

# tip: press ` anywhere — this site has a console # tip: tap `console in the header — this site has a shell

ndr — live topology ● monitoring ▲ alert: T1021 ● contained
inet fw-01 srv-web srv-db ws-14 ws-22 sensor
~/writing view all →

hello, world

Why this site exists, what I plan to write here, and how the whole thing ships.

  • meta
~/attack-map what the writing covers
recon
res-dev
init
exec
persist
privesc
evasion
creds
disco
lateral
collect
c2
exfil
impact

0/76 techniques covered · lit cells link to the writing
# tag posts with techniques: ['T1566'] frontmatter to light the map

~/projects view all →
detect/

detection-notes wip

Public detection engineering notes: rules and hunting queries mapped to ATT&CK, with the false-positive war stories included.

  • detection
  • attack
intel/

cti-lab active

Self-hosted threat intelligence stack — OpenCTI, MISP, and the collection pipelines that feed them.

  • cti
  • infrastructure
automate/

glue active

Automation patterns for SOC workflows: enrichment, triage, and the boring plumbing that gives analysts their hours back.

  • automation
  • soar
~/signals newest known-exploited vulns

$ ./sync-signals # first sync pending

# newest CISA KEV entries land here nightly via a scheduled Action.
# populate now: node scripts/update-signals.mjs