detection engineering
17 posts
340 million records, unverified seller
Technical analysis of plausible attack vectors behind the claimed OnlyFans 340M record leak, with detection signatures for each path.
Your AI security tool blocks nothing
A red team operator's breakdown of why AI cybersecurity tools are sold as controls but function as telemetry with a verdict attached.
Harvard.edu among 141 hosts serving ClickFix lures
Technical analysis of the campaign that weaponised harvard.edu and 140 other legitimate sites - entry vectors, TDS chain, MITRE mapping, EDR telemetry.
Megalodon hijacked 55,000 GitHub repos via token replay
Megalodon compromised 55,000+ GitHub repositories through PAT harvesting, pull_request_target abuse, and OAuth scope inheritance. Technical breakdown.
Your valid credentials are the breach.
Technical analysis of a coordinated GitHub Actions workflow compromise across 5,561 repositories, with detection guidance for audit log and EDR telemetry.
AI is making attackers worse, not better.
Defender telemetry through 2026 shows model-mediated attackers produce more volume, less variance, weaker adaptation. Substitution is not uplift.
CISA contractor leaked GovCloud keys to GitHub
Technical analysis of a CISA contractor's leaked AWS GovCloud admin keys on GitHub - blast radius, IAM persistence paths, CloudTrail detections, supply-chain tail.
The IIS virtual directory that won't stop bleeding
Technical analysis of the Exchange Server zero-day, the frontend-to-backend trust boundary it abuses, and what fires in EDR and IIS telemetry.
Mandiant clocked 5 days in 2023
Mean time-to-exploit for critical CVEs has collapsed to days. The mechanism is patch diffing, n-day industrialisation, and telemetry gaps on appliances.
NGINX ships emergency patch for HTTP/3 heap overflow
CVE-2026-42945 technical analysis: heap overflow in NGINX HTTP/3 HEADERS frame parsing, worker RCE primitive, telemetry gaps, and patch boundary.
Patching nginx doesn't close this one
CVE-2026-42945 NGINX rewrite module heap buffer overflow: bug mechanism, exploit primitives, MITRE mapping, and EDR telemetry blind spots in worker exploitation.
Dirty Frag races the refcount
Dirty Frag (CVE-2026-XXXX) is a Linux kernel page migration race yielding root LPE on all major distros. Mechanism, telemetry, and patch boundary.