detection engineering
16 posts
Article
Copy.fail has been root since 2017
Copy.fail turns an unprivileged Linux user into root via a copy_file_range credential cache flaw. Reachable since 2017. Telemetry gaps explained.
Article
Binding 65535 ports is the easy part
Architecture and evasion realities of an LLM honeypot binding all 65535 ports - TPROXY, latency tiers, fingerprint defence, and detection traps.
Article
Pick offense or defense
Two paths into infosec - offense and defense - broken down at the mechanism level. Foundation, tooling, telemetry, and the divergence point.
Article
Your MSSP is selling you blindness.
MSSPs run perimeter-era detection while attackers operate inside the identity boundary. The gap is structural, not a resourcing problem.