Detection-engineering walkthroughs, threat analysis, and mitigation guides. Sourced, reproducible, and defensive in scope. Two published so far - this index grows as writeups ship.
The phishing class that never asks for a password and sails through MFA - illicit OAuth consent grants (MITRE ATT&CK T1528) in Entra ID, the audit-log artifacts they leave, and KQL detections with tuning notes.
How Kerberoasting (MITRE ATT&CK T1558.003) works, why RC4 service tickets give it away, and three layered Sigma detections - RC4 downgrade, request fan-out, and a honeypot SPN - with tuning and false-positive notes you can run against your own logs.
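The three layers named above, run over a handful of Windows Security Event ID 4769 records (a Kerberos service ticket was requested), as an added Python illustration that is not code from the writeup itself. It assumes the 4769 field names `TargetUserName`, `ServiceName`, `TicketEncryptionType` and `IpAddress`, treats `0x17` as RC4-HMAC and `0x11`/`0x12` as AES, and uses a hypothetical decoy service account `svc_backup_legacy` plus a fan-out threshold of five distinct services in five minutes; the events themselves are constructed.

```python
"""Layered Kerberoasting checks over Windows Security 4769 events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                       # TicketEncryptionType value for RC4-HMAC
AES_TYPES = {"0x11", "0x12"}            # AES128 / AES256: what healthy SPN accounts should return
HONEYPOT_SPNS = {"svc_backup_legacy"}   # hypothetical decoy account; no real client ever asks for it
FANOUT_THRESHOLD = 5                    # distinct services per requester inside the window (tune)
FANOUT_WINDOW = timedelta(minutes=5)

T0 = datetime(2024, 1, 15, 9, 0, 0)


def ev(offset_s, user, service, etype, ip):
    """Build one constructed 4769 record with the fields the checks below consume."""
    return {"ts": T0 + timedelta(seconds=offset_s), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample: one normal workstation user plus one roasting burst.
SAMPLE_EVENTS = [
    ev(0,   "asmith@CORP.LOCAL", "filesvc",  "0x12", "10.0.5.21"),
    ev(40,  "asmith@CORP.LOCAL", "websvc",   "0x12", "10.0.5.21"),
    # A legacy app account that still only has an RC4 key: fires the downgrade
    # rule on its own and is the kind of hit to allow-list after review.
    ev(300, "asmith@CORP.LOCAL", "legacysql", "0x17", "10.0.5.21"),
    # Roasting burst: one principal sweeps many services, forces RC4, touches the decoy.
    ev(600, "jdoe@CORP.LOCAL", "sqlsvc01",          "0x17", "10.0.7.88"),
    ev(605, "jdoe@CORP.LOCAL", "sqlsvc02",          "0x17", "10.0.7.88"),
    ev(610, "jdoe@CORP.LOCAL", "reportsvc",         "0x17", "10.0.7.88"),
    ev(615, "jdoe@CORP.LOCAL", "svc_backup_legacy", "0x17", "10.0.7.88"),
    ev(620, "jdoe@CORP.LOCAL", "exchsvc",           "0x17", "10.0.7.88"),
    ev(625, "jdoe@CORP.LOCAL", "ldapsvc",           "0x17", "10.0.7.88"),
]


def rc4_downgrade(events):
    """Layer 1: any service ticket issued with RC4. Noisy on its own wherever
    legacy accounts lack AES keys, so the hits feed the layered verdict below."""
    return [e for e in events if e["TicketEncryptionType"] == RC4_HMAC]


def request_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Layer 2: requesters that asked for >= threshold distinct services inside a
    sliding time window. Returns {user: peak distinct-service count}."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["TargetUserName"]].append(e)
    hits = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["ServiceName"] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[user] = max(hits.get(user, 0), len(distinct))
    return hits


def honeypot_hits(events, decoys=HONEYPOT_SPNS):
    """Layer 3: any request for a decoy service account is a high-confidence hit."""
    return [e for e in events if e["ServiceName"] in decoys]


def layered_verdict(events):
    """Correlate the three layers per requester so a single legacy RC4 ticket
    stays low-priority while a principal tripping several layers stands out."""
    verdict = defaultdict(set)
    for e in rc4_downgrade(events):
        verdict[e["TargetUserName"]].add("rc4_downgrade")
    for user in request_fanout(events):
        verdict[user].add("request_fanout")
    for e in honeypot_hits(events):
        verdict[e["TargetUserName"]].add("honeypot_spn")
    return dict(verdict)


if __name__ == "__main__":
    for user, layers in sorted(layered_verdict(SAMPLE_EVENTS).items()):
        print(f"{user}: {len(layers)} layer(s) fired -> {sorted(layers)}")
```

Against the constructed sample, `asmith` trips only the RC4 layer (the legacy account to allow-list), while `jdoe` trips all three; the honeypot layer alone is enough to page on, and the fan-out threshold is the knob to tune against your own baseline of how many services a user legitimately touches in five minutes.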
On the bench: an OWASP LLM Top 10 explainer (prompt injection treated as a defensive class) and a detection guide for a recent CISA KEV-listed CVE. Want to suggest a topic or flag an error in what's published? Open an issue →