Blog
Thoughts, tutorials, news, and field notes from the world of security and tech.
Lazarus Group Targets Crypto Infrastructure in New Campaign
A field-level look at Lazarus Group, the North Korean state-sponsored threat actor behind some of the largest cyber heists on record. Background, observed TTPs, the major public incidents, and what defenders can actually do about it.
Understanding OAuth 2.0 Security Best Practices
OAuth 2.0 is the backbone of modern delegated authorization, but the spec is large and the failure modes are subtle. The grant types that matter, the token storage decisions that actually keep you safe, the scope designs that survive the test of time, and the operational practices that catch the rest.
Phishing-Resistant MFA and WebAuthn: The Practical Choices That Actually Stop Account Takeover
Push-based MFA and SMS one-time passwords are vulnerable to phishing and push fatigue. FIDO2 / WebAuthn with hardware-backed credentials is the standard that holds up. What phishing-resistant MFA actually means, how WebAuthn works, where the failure modes still are, and how to roll it out without breaking everything.
Detection Engineering Fundamentals: From Signatures to Behaviors and Back Again
Detection engineering is the discipline of turning threat-informed hypotheses into alerts that fire on real attacks. The difference between signatures and behaviors, what makes a detection rule useful, how to test and measure detections, and the operational practices that keep the detection pipeline honest.
Secrets Management for Engineers: API Keys, Tokens, and the Operations That Keep Them Safe
Secrets are the credentials that grant access to systems: API keys, database passwords, OAuth tokens, signing keys, encryption keys. The patterns that keep secrets out of code, the patterns that rotate them safely, and the operational practices that catch the secrets that slipped through anyway.
CVE Breakdown: Windows Hyper-V Elevation of Privilege
A look at a recent Windows Hyper-V elevation of privilege vulnerability: root cause, exploitation path, and what defenders should prioritize on multi-tenant hypervisor hosts.
CVE-2026-48027: Malicious Version of Nx Console, Credential Theft, and a Postmortem Worth Reading
On 19 May 2026, a compromised release of the Nx Console VS Code extension was published to the VS Code marketplace for 18 minutes. It harvested credentials from disk and memory. What happened, what to do, and what the postmortem teaches about supply-chain trust.
CVE-2026-42271: Command Injection in LiteLLM via MCP Server Preview Endpoints
LiteLLM 1.74.2 through 1.83.6 had command-injection flaws in two MCP server preview endpoints. Any authenticated user, including low-privilege internal keys, could run arbitrary commands on the host. Fixed in 1.83.7. CISA KEV since 8 June 2026.
CVE-2026-10520: Critical Pre-Auth RCE in Ivanti Sentry (CVSS 10.0)
A pre-authentication OS command injection in Ivanti Sentry, rated CVSS 10.0, allows remote unauthenticated root-level code execution on externally reachable unmanaged appliances. CISA KEV with a 3-day remediation window. What to do now.
Zero Trust Network Access Explained Simply
Zero Trust is sold as a product and misunderstood as a product. It is neither. It is a posture, a set of design choices, and a way of thinking about trust at the boundary of every request. What the principles actually are, what real implementations look like, and where teams get it wrong.
DNS for Security Professionals: Protocol, Attack Surface, and What Defenders Should Actually Do
DNS is the protocol every security incident touches, whether the team knows it or not. The protocol itself, the attack surface around it, and the small set of defensive moves that pay off the most.
The TLS Handshake in 2025 and Beyond: What the Defaults Are, What's Still a Footgun, and What to Check
TLS 1.3 is the default now and most of the footguns from the TLS 1.2 era are gone, but a few remain: certificate validation, downgrade attacks, and the long tail of services still on 1.0 and 1.1. What the protocol actually does, what the operational defaults are, and the small set of checks that catch most of the remaining problems.
Network Segmentation in Practice: VLANs, Microsegmentation, and What Actually Works
Segmentation is the network control that has not gone away just because Zero Trust moved access decisions to identity. What the actual options are (VLANs, VRFs, microsegmentation, service-mesh sidecars), what works at which scale, and how to think about segmentation when your environment is half on-prem and half in a cloud.
Building a Useful Homelab on a Budget
A useful homelab is the best learning environment a security professional can have. The constraint is usually budget. What the build actually looks like, what each component is doing, the pitfalls that waste the most time, and the security posture that keeps the lab from becoming an entry point into the rest of your network.
AI Tools for Security Analysts in 2026
AI tooling for security analysts is past the demo phase. The interesting question is no longer what is possible - it is what is worth the time, what is safe to feed, and what creates real leverage for a tier-1 or tier-2 analyst.
APT28 (Fancy Bear): Russia's GRU Unit 26165, Documented Operations, and What Defenders Should Watch
A field-level look at APT28, the Russian GRU unit behind some of the most consequential state-sponsored intrusions of the last decade. Attribution, observed tradecraft, named operations, and concrete defender guidance.
APT29 (Cozy Bear): Russia's SVR, the SolarWinds Compromise, and Long-Running Espionage
A field-level look at APT29, the Russian SVR-linked threat actor behind the SolarWinds supply-chain compromise and a long-running campaign against governments, think tanks, and COVID-19 vaccine research. Attribution, tradecraft, named operations, and concrete defender guidance.
APT41 (Winnti / BARIUM): Chinese State-Sponsored Operations with a Criminal Side Business
A field-level look at APT41, the Chinese state-sponsored group with an unusual profile: operator-grade tradecraft, public indictments, and a parallel financial-gain mission that makes the group's targeting both intelligence-driven and criminal. Attribution, tooling, named operations, and concrete defender guidance.
APT36 (Transparent Tribe): Pakistan-Aligned Operations Against Indian Government, Military, and Education Targets
A field-level look at APT36, the Pakistan-aligned threat actor that has targeted Indian government, military, and education organizations for over a decade. Attribution, tradecraft, named operations, and concrete defender guidance.
Salt Typhoon: Chinese State-Sponsored Targeting of U.S. Telecommunications and Lawful-Intercept Systems
A field-level look at Salt Typhoon, the Chinese state-sponsored threat actor behind the 2024-2025 compromises of U.S. telecommunications providers and lawful-intercept systems. Attribution, tradecraft, named operations, and concrete defender guidance.
Anonymous and the Modern Hacktivist Landscape: From LulzSec to Anonymous Sudan
Anonymous is not a single threat actor and never was. A field-level look at the original Anonymous phenomenon, the post-LulzSec fragmentation, and the modern DDoS-for-hire operations that have adopted the Anonymous brand, with concrete defender guidance.
Showing 21 of 21 articles.