Memory Forensics
From Memory Dump to Attack Story: Building DeepProbe v2
Documents the evolution of DeepProbe into v2, a tool that transforms raw memory dump analysis into structured, narrative-style attack stories. Instead of raw Volatility output, v2 correlates artifacts across processes, network connections, injected code, and command history to reconstruct attacker timelines automatically. Every finding is tagged to a MITRE ATT&CK technique, connecting forensic evidence to incident response decisions.
Memory Forensics
DeepProbe: Open-Source Memory Forensics with ATT&CK-Mapped Detections
Introduces DeepProbe, an open-source memory forensics tool that automatically maps every forensic finding to MITRE ATT&CK tactics and techniques. Analyzes memory images for injected code, hidden processes, suspicious network connections, and credential artifacts, then annotates each finding with ATT&CK IDs for immediate analyst consumption. Bridges raw forensic analysis with structured threat intelligence that SOC teams can act on without manual mapping.
AI Security
Open Source Tool for AI-Specific Threat Modeling: Fast, Context-Aware, and Developer-Friendly
Introduces an open-source AI threat modeling tool built for AI/ML attack surfaces, covering MITRE ATLAS techniques, OWASP LLM Top 10 risks, and supply chain threats. Unlike STRIDE or PASTA, it generates context-aware threat models from natural-language AI system descriptions, making structured analysis accessible to teams without dedicated security expertise. Its threat library covers adversarial inputs, model poisoning, prompt injection, and inference attacks.
AppSec
Application Security Maturity, Simplified: OWASP SAMM + NIST + One Free Tool
Presents ZTAppSec, a browser-based AppSec maturity assessment combining OWASP SAMM's domain model with NIST Zero Trust principles in a single evaluation. The 70+ question self-assessment scores governance, construction, verification, and deployment with instant weighted output across both frameworks. All data stays browser-local with no installation required, and generates exportable reports for benchmarking AppSec maturity and Zero Trust readiness simultaneously.
Threat Intelligence
Building an Integrated Threat Intelligence Platform Using Python and Kibana
A hands-on guide to building a custom threat intelligence platform using Python for data collection and enrichment and Kibana for visualization and analyst workflows. Covers ingestion from MISP, OTX, VirusTotal, and Shodan; normalization into a common schema; IOC enrichment; and SIEM correlation, with code-level implementation detail. Dashboard designs for CTI analysts include IOC heat maps, threat actor tracking, and campaign correlation panels.
Fraud Detection
Building a Custom Fraud Prevention System: Defending Against Modern Cyber Threats
Details the architecture of a custom fraud detection system built on behavioral analytics, ML models, and real-time event correlation. Feature engineering for fraud signals, model selection trade-offs between interpretability and accuracy, and operational challenges in high-throughput transaction environments are covered. A multi-stage account takeover case study demonstrates detection of fraud that bypassed rules-based controls, showing how adaptive detection handles evolving adversary patterns.
Web Security
Defending Web Portals: Harnessing ModSecurity, Honeypots and AppSensor for Robust Security
Presents a defense-in-depth approach for web portals combining three layers: ModSecurity for real-time request filtering, honeypots for early attacker detection and intelligence gathering, and AppSensor for application-layer intrusion detection based on business logic violations. Correlated outputs from all three layers detect attackers who evade any single control. Practical configuration guidance covers high-traffic performance tuning for ModSecurity and low-false-positive honeypot trap design.
AppSec
Enhancing Web Portal Security: Integrating AppSec and SOC
Addresses the organizational disconnect between AppSec teams and SOC teams, and how web portals are disproportionately affected because runtime attacks are invisible to AppSec tooling and application context is invisible to SOC analysts. A practical integration model covers shared threat models, RASP deployment, application-aware SIEM correlation rules, and joint incident response playbooks. Covers how AppSec and SOC collaboration improves detection and response across OWASP Top 10 attack categories for customer-facing applications.
SOC & Detection
Half-Second Screens: A SOC Dashboard for Multi-Phase Threats
Proposes the "Hunt Model," a SOC detection approach that shifts from alert-centric queues to entity-centric MITRE ATT&CK heatmaps where multi-phase attackers are surfaced quickly. Entities are tracked across a 3-day window and scored by ATT&CK tactics triggered, with high-severity entities triggering SOAR-driven containment before analyst notification, reducing dwell time. Addresses SOC analyst alert fatigue with a practical, buildable implementation guide.
Identity & Access
Credential Stuffing Attack Countermeasures Using Patterns and Machine Learning
Presents a multi-layered defense against credential stuffing that goes beyond CAPTCHA and rate limiting to incorporate ML-based anomaly detection trained on behavioral patterns distinguishing genuine users from automated account takeover attempts. Feature engineering (typing cadence, request timing, device fingerprinting, geographic velocity) and ML architectures suited to high-throughput authentication systems are detailed. A case study shows measurable reduction in account takeover incidents with low false positive rates for legitimate users.
Web Security
Not Just a Regex Filter: What Modern WAFs Actually Do (and Don't)
Dismantles the misconception that Web Application Firewalls are simple pattern-matching tools by explaining the full detection stack modern WAFs employ: behavioral profiling, reputation scoring, anomaly detection, and ML-based classification. Bypass techniques attackers use to evade regex rules are analyzed alongside WAF evolution in response. Critically covers what WAFs cannot address: business logic flaws, authenticated abuse, and broken authorization.
DevSecOps
DevSecOps: Beyond Tools Integration
Argues that DevSecOps success depends more on cultural transformation and organizational design than on tool selection, challenging the common "plug in a SAST scanner" approach. Genuine DevSecOps maturity treats security requirements as product features and security testing as part of definition-of-done, contrasted with surface-level deployments that generate noise without changing outcomes. Practical transformation roadmaps cover organizations at different starting maturity levels, with analysis of common failure modes.
AppSec
Vulnerability Management: Scanning is Easy. Securing Is Strategy
Challenges the scan-and-report model by showing how known, patchable vulnerabilities continue enabling major breaches, including analysis of a credit agency breach caused by a single unscoped asset. Presents a modern five-stage VM lifecycle with a case for risk-based prioritization using EPSS, Tenable VPR, and TruRisk over CVSS scoring alone. Peer case studies from Microsoft, Mayo Clinic, and Walmart show how organizations adapt VM for scale and legacy constraints.
AI Security
The Machine Learning Pipeline: Attacks and a Zero Trust Framework
Maps the complete ML pipeline from data ingestion through model inference as a chain of exploitable trust boundaries, proposing ZT-MLSF, a Zero Trust framework built specifically for ML systems. Each stage receives concrete controls: cryptographic dataset and model signing, schema-gated ingestion, workload identity federation, immutable registries, and inference rate limiting. Includes an OWASP ML Top 10 mapping, a four-level Zero Trust Maturity Model, and a self-assessment checklist.
Zero Trust
Secure-by-Design: Engineering Applications for Zero Trust Environment
A technical guide for rearchitecting applications around Zero Trust, opening with real-world failures including a 100M+ record financial SSRF breach and a CI/CD token compromise. Draws implementation lessons from Google's BeyondCorp, Netflix's paved-road model, and Shopify's OPA+Istio stack. The secure CI/CD section covers OIDC credential federation, artifact signing with Cosign/Sigstore, SLSA provenance, and GitOps deployment gates with runtime drift detection.
Identity & Access
OWASP NHI Top 10: Why Non-Human Identities Are Your Largest Unsecured Attack Surface
Covers the OWASP Non-Human Identities (NHI) Top 10, examining the ten most dangerous risks from service accounts, API keys, OAuth tokens, CI/CD credentials, and machine identities proliferating across modern environments. NHIs now vastly outnumber human users yet receive far less identity governance attention, making them common targets for lateral movement. Each risk includes concrete mitigations: secrets rotation, just-in-time access, and workload identity federation.
AI Security
Penetration Testing of AI: Why and How
Examines AI penetration testing as a discipline where traditional pentest methods miss attack surfaces extending to training data, model weights, prompt interfaces, and inference APIs. AI-specific attack categories are detailed with practical testing techniques: prompt injection, jailbreaking, model extraction, membership inference, and adversarial input crafting. A structured AI pentest methodology covers pre-engagement scoping, AI-specific threat modeling, active testing phases, and reporting.
Memory Forensics
Memory Forensics with Volatility: Detecting Fileless Malware and Living off the Land Attacks
A hands-on Volatility guide focused on fileless malware and LotL attacks that leave no disk artifacts. Walks through a complete IR case study: live memory acquisition, process analysis with pslist/malfind, command history extraction via cmdscan, network tracing with netscan, and YARA-based Cobalt Strike beacon confirmation. WannaCry's memory investigation is analyzed to show how RAM artifacts exposed the attack chain where disk forensics found nothing.
AppSec
From Bottlenecks to Built-In Security: Reading the Industry's Shift
Draws a parallel between the evolution of software QA from centralized gatekeeping to shift-left practice, and where application security is heading. Argues that "security is a bottleneck" is a systems problem: controls applied too late, too inconsistently, and without developer-facing tooling. Examines how AI-assisted tooling, security champions, and federated AppSec models are reshaping security leadership in modern engineering organizations.
Purple Team
Purple Team Activities: Where Offense Meets Defense to Strengthen Cyber Resilience
Examines purple team exercises as a structured methodology for closing the feedback loop between red team findings and blue team detections, moving beyond siloed pentest reports that rarely translate into detection improvements. Exercise design is detailed: ATT&CK-aligned simulation playbooks, real-time detection validation, and collaborative debriefs that immediately improve SIEM rules and response playbooks. Covers why continuous small-scale purple teaming delivers more security improvement per dollar than annual penetration tests.
AppSec
Everything About Secure Code Reviews: Mastering SAST Techniques for Robust Software
A guide spanning manual and automated secure code review, from SAST tool configuration and tuning through human-led review for security-critical code paths. A taxonomy of vulnerability classes commonly found in code review (injection, insecure deserialization, cryptographic misuse, race conditions) is presented with language-specific examples and detection patterns. Includes a section on reviewing AI-generated code, which presents trust and verification challenges that traditional checklists were not designed to handle.
Vulnerability Research
Password Managers: The Need, the Breaches, and the Story Behind My CVE (CVE-2021-31857)
A first-person account of discovering and responsibly disclosing CVE-2021-31857 in a widely-used password manager. The article contextualizes password managers within the broader credential security landscape, analyzing major product breaches and the case for using them despite known risks. The full vulnerability research methodology is detailed: test environment setup, flaw identification, vendor coordination, and public disclosure.
Threat Modeling
Why Threat Modeling Is Security's Compass
Makes the case for threat modeling as a foundational security practice, covering major methodologies (STRIDE, PASTA, LINDDUN, VAST) with practical guidance on selecting the right approach by context and team size. Common objections (too time-consuming, requires experts, only useful at design time) are addressed with scaled templates, automation tools, and continuous threat modeling patterns for agile delivery.
SOC & Detection
Logging in the Dark: How Security Teams Keep Every Byte, Yet Miss the Story
Explores the paradox where enterprises store terabytes of logs yet routinely fail to detect breaches because logging is driven by compliance requirements rather than detection objectives. Three breach case studies (a major retailer, a credit bureau, and a multinational bank) each show how missing or misconfigured log sources extended attacker dwell time. A seven-step playbook surfaces log sources routinely overlooked: DNS resolvers, webhook audit logs, Sysmon events, and cloud role-assumption API calls.
AI Security
Cybersecurity in 2025: Leveraging AI Without Losing Control
Examines AI in cybersecurity as a capability used by both defenders and attackers, providing a framework for organizations to harness it without creating new blind spots. Practical AI use cases in threat detection, SOC automation, vulnerability prioritization, and phishing simulation are covered alongside the risks: overconfidence from automated tools and AI-generated code vulnerabilities. Governance recommendations cover AI-specific security policies, model validation requirements, and human oversight thresholds.
Mobile Security
Hacked in Your Hand: The Fight Against Mobile Malware
Covers the mobile malware landscape: how attackers embed malicious payloads inside legitimate-looking utilities, fake updates, and weaponized links targeting both Android and iOS. Attack vectors including trojanized apps, SMS phishing, overlay attacks stealing banking credentials, and mobile RATs are analyzed. Defense strategies span MDM policies, app vetting frameworks, behavioral on-device detection, and network-layer controls for organizations securing mobile-heavy workforces.
Web Security
Bad Bots: The Unseen Cyber Threat and the Fight to Secure the Internet
Covers the automated bot threat landscape including credential stuffing, content scraping, inventory hoarding, fake account creation, and API abuse, and explains why traditional controls consistently fail against sophisticated bot operators. Business impact across industries is quantified and the detection arms race between bot operators and mitigation vendors is explored. A layered mitigation strategy covers CAPTCHA, device fingerprinting, behavioral analytics, and threat intelligence sharing.
Email Security
Why Traditional Phishing Trainings Fail and How Firewalls Fill the Gap
Challenges click-rate-based phishing simulation programs, citing research showing training alone produces minimal long-term behavioral change. The improving quality of AI-powered spear-phishing is analyzed alongside cognitive biases that make the human layer persistently exploitable. A technical countermeasure framework centered on email security gateways, DNS-based filtering, and browser isolation argues for shifting primary reliance to technical prevention rather than user training.
SOC & SOAR
Why a SOAR Team Is Critical for Managing Cyber Security Attacks
Makes the operational case for SOAR as a force-multiplier for overstretched security teams, focusing on the human element that separates effective deployments from shelf-ware. Playbook design principles, integration patterns with SIEM, EDR, and threat intel platforms, and the role of a dedicated SOAR engineering team in maintaining automation are covered. Covers time-to-containment improvements across phishing, ransomware precursors, and insider threats in operationalized SOAR deployments.
