INSIGHTS
Field notes on integrated cybersecurity engineering
Proactive by design, not reactive by default.
Twenty-four years of building security operations, written down. From ground-floor explainers for newcomers to engineering theses for senior practitioners. Organized by depth, so you can enter the conversation at the level that suits you.
LLMs aren't designed to be secure — they're designed to be helpful. Six data risks senior leaders need to understand before AI adoption becomes AI exposure.
Decades of hands-on experience, distilled into a single visual reference. A mind map for service architects and decision-makers building or maturing an MSSP from the ground up.
What SIEM actually is, why it earns its keep, and how it turns scattered point-solution logs into a single coherent story. A first-principles walk-through for newcomers.
Not every danger signal screams. Some look perfectly normal — even positive — in isolation. Why correlation is what reveals the wrong that individually valid signals are hiding.
Detection without context is guesswork dressed up as certainty. How a mature SOC turns raw alerts into evidence-weighted decisions — and noise into business consequence.
The discipline that separates a rule writer from a detection engineer — and why raw severity is not the same number as real priority.
The Lockheed Cyber Kill Chain is the executive view. MITRE ATT&CK is the operational view — same story, different resolution.
Four layers, one engineering thesis. The architecture I build toward when a security program needs to move from accumulation to engineering.
The quiet diagnostic that separates senior detection engineers from earnest ones — and why a 350-row spreadsheet is not a use case program.