Insights & Guides

The Attacks You'll Investigate. The Detections You'll Write. The Decisions You'll Defend.

Practical analysis of real attack patterns, detection techniques, identity security, and operational judgment — written by the practitioners who build the courses. Every post teaches something you can apply at work this week.

Browse by Topic ↓ Start Free Courses →

Incident Response & Investigation7 Detection Engineering4 Identity & Cloud Security7 Attacker Tradecraft6 Security Strategy & Operations6

Incident Response & Investigation

Investigation methodology, BEC response, evidence preservation, and the first-responder decisions that determine outcomes.

20 May 2026 · 9 min Native Windows Forensic Commands for Incident Response — When You Have Nothing but the OS 3 May 2026 · 8 min We Open-Sourced Our Incident Response Toolkit: 28 Use Cases, One Binary, Zero Install 3 May 2026 · 10 min How to Investigate an M365 Identity Compromise from Sign-in Logs to Containment 30 April 2026 · 11 min The First 15 Minutes of a BEC Investigation Determine Everything That Follows 28 April 2026 · 9 min Registered Isn't Compliant: The Conditional Access Gap Attackers Use After Token Theft 21 April 2026 · 6 min How Attackers Pivot Through SSH Agent Forwarding — and How to Detect It 4 April 2026 · 10 min Is M365 Security All It's Hyped Up to Be?

Detection Engineering

Detection rules, coverage analysis, and the engineering practices that turn ad-hoc queries into a sustainable detection programme.

27 May 2026 · 10 min KQL Sign-In Log Analysis — What ResultType != 0 Actually Tells You 3 May 2026 · 9 min Five KQL Threat Hunts Every M365 SOC Should Run This Month 15 April 2026 · 7 min The M365 Detections Microsoft Doesn't Give You 7 April 2026 · 5 min Five auditd Rules That Catch Kernel Module Rootkits Before They Load

Identity & Cloud Security

Conditional access, token security, M365 configuration, and the identity-layer gaps attackers exploit after initial access.

27 May 2026 · 10 min KQL Sign-In Log Analysis — What ResultType != 0 Actually Tells You 3 May 2026 · 10 min How to Investigate an M365 Identity Compromise from Sign-in Logs to Containment 3 May 2026 · 9 min Five KQL Threat Hunts Every M365 SOC Should Run This Month 28 April 2026 · 9 min Registered Isn't Compliant: The Conditional Access Gap Attackers Use After Token Theft 15 April 2026 · 7 min The M365 Detections Microsoft Doesn't Give You 7 April 2026 · 12 min Are Current SOCs Adequate for the Threats They Face? 4 April 2026 · 10 min Is M365 Security All It's Hyped Up to Be?

Attacker Tradecraft

How attackers move through environments — lateral movement, persistence, evasion — and the telemetry that catches them.

12 May 2026 · 8 min Service Principal Ownership Is the Attack Path Nobody Governs 3 May 2026 · 9 min Five KQL Threat Hunts Every M365 SOC Should Run This Month 30 April 2026 · 11 min The First 15 Minutes of a BEC Investigation Determine Everything That Follows 28 April 2026 · 9 min Registered Isn't Compliant: The Conditional Access Gap Attackers Use After Token Theft 21 April 2026 · 6 min How Attackers Pivot Through SSH Agent Forwarding — and How to Detect It 7 April 2026 · 5 min Five auditd Rules That Catch Kernel Module Rootkits Before They Load

Security Strategy & Operations

SOC adequacy, compliance vs security, AI in security operations, and the strategic decisions that shape a security programme.

3 May 2026 · 9 min Five KQL Threat Hunts Every M365 SOC Should Run This Month 28 April 2026 · 9 min Is Your Security Operation Just Merely a Compliance Operation? 21 April 2026 · 12 min AI Won't Take Your Security Job. But Someone Who Uses AI Will. 7 April 2026 · 12 min Are Current SOCs Adequate for the Threats They Face? 7 April 2026 · 5 min Five auditd Rules That Catch Kernel Module Rootkits Before They Load 4 April 2026 · 10 min Is M365 Security All It's Hyped Up to Be?

27 May 2026 Detection & Hunting · 10 min read

KQL Sign-In Log Analysis — What ResultType != 0 Actually Tells You

KQL queries for Entra ID sign-in log analysis. What ResultType values mean, how to filter failed sign-ins, and the queries that detect password spray, MFA fatigue, conditional access blocks, and account lockouts.

20 May 2026 Incident Response · 9 min read

Native Windows Forensic Commands for Incident Response — When You Have Nothing but the OS

The native Windows commands every responder needs when forensic tools aren't deployed yet. Volatile data capture with cmd and PowerShell — processes, network connections, logged-in users, scheduled tasks, and services.

12 May 2026 Identity Security · 8 min read

Service Principal Ownership Is the Attack Path Nobody Governs

The Silverfort disclosure proved that owning a service principal means owning its permissions. Most tenants have privileged service principals with no owner governance, no credential rotation, and no attestation. Here's the audit script that finds them before an attacker does.

3 May 2026 Incident Response & Investigation · 8 min read

We Open-Sourced Our Incident Response Toolkit: 28 Use Cases, One Binary, Zero Install

VanGuard is a cross-platform DFIR toolkit that replaces the 45-minute tooling scramble at the start of every IR engagement. Open source, air-gap compatible.

3 May 2026 Incident Response & Investigation · 10 min read

How to Investigate an M365 Identity Compromise from Sign-in Logs to Containment

The sign-in log tells you how they got in. The audit log tells you what they did. Here's the sequence that turns both into a containment decision.

3 May 2026 Detection Engineering · 9 min read

Five KQL Threat Hunts Every M365 SOC Should Run This Month

Your detection rules cover known patterns. These five KQL hunts find the attacker activity that bypasses every analytics rule in your library.

30 April 2026 Security Operations · 11 min read

The First 15 Minutes of a BEC Investigation Determine Everything That Follows

The queries and evidence sources you check in the first 15 minutes of a business email compromise determine whether you catch the attacker mid-operation or write the post-mortem after the wire transfer.

28 April 2026 Security Operations · 9 min read

Registered Isn't Compliant: The Conditional Access Gap Attackers Use After Token Theft

After an AiTM token theft, the attacker's next move is often to register their own device to your tenant. Here is how to detect the pivot in Entra ID.

28 April 2026 Security Operations · 9 min read

Is Your Security Operation Just Merely a Compliance Operation?

Most security programs are compliance programs in disguise. The technology is deployed for frameworks and contracts, not threat models. Here's how to tell the difference — and why it matters when the adversary arrives.

21 April 2026 Security Operations · 12 min read

AI Won't Take Your Security Job. But Someone Who Uses AI Will.

The honest answer to 'will AI replace SOC analysts' is more uncomfortable than either side admits. The job isn't disappearing. But the job you trained for might already be gone.

21 April 2026 Security Operations · 6 min read

How Attackers Pivot Through SSH Agent Forwarding — and How to Detect It

SSH agent forwarding is a convenience feature that becomes a lateral movement highway when a bastion host is compromised. Here is how the attack works and the three log patterns that expose it.

15 April 2026 Detection Engineering · 7 min read

The M365 Detections Microsoft Doesn't Give You

Microsoft ships 200+ Sentinel analytics rule templates. Coverage clusters around brute force, impossible travel, and known malware — leaving significant gaps in mailbox rule abuse, consent grant attacks, data staging, privilege escalation, and cross-tenant movement. Here are five detections you need to build yourself.

7 April 2026 Security Operations · 12 min read

Are Current SOCs Adequate for the Threats They Face?

Most SOCs were built for a threat landscape that no longer exists. Perimeter-era tools, single-environment playbooks, and alert-queue thinking are failing against identity-first, cross-environment attacks. Here's what the gap looks like from inside the operation.

7 April 2026 Detection Engineering · 5 min read

Five auditd Rules That Catch Kernel Module Rootkits Before They Load

Most Linux rootkits load as kernel modules. These five auditd rules create an audit trail for every module operation — giving your SOC visibility into the one action attackers cannot avoid.

4 April 2026 Security Operations · 10 min read

Is M365 Security All It's Hyped Up to Be?

Microsoft would like you to believe that an E5 license is a security strategy. After years operating M365 security in production and running incident response through its tools, the reality is more nuanced than the marketing deck.

The blog shows you what's possible. The courses make you capable.

Every technique, detection rule, and investigation method referenced in these posts is taught in depth across the course catalog. Start with the free modules.

Start Free — No Account Needed Browse All Courses