Sign in

No-code tools are booming, enabling anyone with an idea to create a product quickly. Before long, once an idea gets large enough, engineers can be brought on to help run everything. The product will need to become more reliable and stable than the initial MVP. At this point, it can be challenging and time-consuming to move from the no-code abstractions back into code-based tools that were skipped initially because of the complexity to implement them!

Not long ago, I joined Tines which is a low/no-code platform that enables anyone to create complex cybersecurity workflows involving any tool with an API…

Part One:

Part Two:

Detection & Validation

Detection is the third part of this series and for a very important reason. Not because I saved the best for last (this post might not even be the last part!), but because the first two parts frequently get skipped over in favor of the question “what SIEM rules are available?” Detection helps describe what exists in the expansive grey area between alerts and general telemetry. Detection is incredibly powerful but requires a number of building blocks to even happen…some obvious and some less so.

Detection can potentially occur in a lot of different…

Part One:


Now visibility of your network (covered in part one) is great, but at the end of the day, the prevention of attacks should be always taking place in your environment. It is easy to overlook prevention and to focus on visibility and detection far too much. Visibility and detection won’t help when you have an understaffed team, a taxing on-call schedule, and/or the attacker is already advanced far into your network.

Once you have an understanding of what your products and services cover from the visibility phase, utilize the prevention phase to review best practices to stop…

MITRE ATT&CK is perhaps a cyber security industry buzzword at this point, becoming just another feature included in RFPs as a prerequisite for products to have some mention of it included prior to purchase. The status of being overused is at least well deserved because of its usefulness that can be applied in many different situations when working between assessment teams and defenders.

Over the past years, I’ve been able to introduce and help a number of blue teams with MITRE ATT&CK. A common response when I ask people if they have any experience working with the ATT&CK framework is…

The EDR market has proven itself to be incredibly valuable over the past 5–6 years. I think many security practitioners would agree there is no larger return on investment than buying an EDR. It has even become such a large and wide market that 1. marketing has taken the entire segment over and 2. the vendors have started really competing against each other for dominance from a features perspective (both probably very related). One feature I key in on is the ability to make your endpoint telemetry (the data you own!) accessible outside of the vendor provided platforms.

The most…


Focusing on infosec writing, many other hobbies here:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store