detection engineering
16 posts
Your AI security tool blocks nothing
A red team operator's breakdown of why AI cybersecurity tools are sold as controls but function as telemetry with a verdict attached.
Harvard.edu among 141 hosts serving ClickFix lures
Technical analysis of the campaign that weaponised harvard.edu and 140 other legitimate sites - entry vectors, TDS chain, MITRE mapping, EDR telemetry.
Megalodon hijacked 55,000 GitHub repos via token replay
Megalodon compromised 55,000+ GitHub repositories through PAT harvesting, pull_request_target abuse, and OAuth scope inheritance. Technical breakdown.
Your valid credentials are the breach.
Technical analysis of a coordinated GitHub Actions workflow compromise across 5,561 repositories, with detection guidance for audit log and EDR telemetry.
AI is making attackers worse, not better.
Defender telemetry through 2026 shows model-mediated attackers produce more volume, less variance, weaker adaptation. Substitution is not uplift.
CISA contractor leaked GovCloud keys to GitHub
Technical analysis of a CISA contractor's leaked AWS GovCloud admin keys on GitHub - blast radius, IAM persistence paths, CloudTrail detections, supply-chain tail.
The IIS virtual directory that won't stop bleeding
Technical analysis of the Exchange Server zero-day, the frontend-to-backend trust boundary it abuses, and what fires in EDR and IIS telemetry.
Mandiant clocked 5 days in 2023
Mean time-to-exploit for critical CVEs has collapsed to days. The mechanism is patch diffing, n-day industrialisation, and telemetry gaps on appliances.
NGINX ships emergency patch for HTTP/3 heap overflow
CVE-2026-42945 technical analysis: heap overflow in NGINX HTTP/3 HEADERS frame parsing, worker RCE primitive, telemetry gaps, and patch boundary.
Patching nginx doesn't close this one
CVE-2026-42945 NGINX rewrite module heap buffer overflow: bug mechanism, exploit primitives, MITRE mapping, and EDR telemetry blind spots in worker exploitation.
Dirty Frag races the refcount
Dirty Frag (CVE-2026-XXXX) is a Linux kernel page migration race yielding root LPE on all major distros. Mechanism, telemetry, and patch boundary.
The dashboard pushed every critical CVE to GitHub
Technical analysis of a unified vulnerability dashboard pushed to a public GitHub repo, the scanner token blast radius, and what defenders actually see.