Threat Intelligence · Field notes

Field-grade notes for operators, executives, and counsel.

Educational, operationally useful, and intelligence-focused. Published when there's something worth saying — not on a content calendar.

Featured · Ransomware · IR Lessons

The 72 hours after the ransom note: what mid-market organizations actually do — and don't.

Five recurring decisions that decide whether a ransomware event becomes a recoverable disruption or a board-level crisis. Drawn from recent matters; identifying details removed.

Apr 22, 2026 · 14 min read

[Figure: ransom event decision curve, H+0 to H+72]

[Figure: dwell time, 30 days]
Threat Intel · Investigations

Detection by behavior, not by IOC: a working note on dwell time

Why static indicators keep failing mid-market defenders, and what behavior-led detection actually buys you in practice.

Apr 04, 2026

[Figure: Wazuh rule tuning]
Wazuh · SIEM

Tuning Wazuh for SMB networks without losing the signal

A pragmatic ruleset baseline for small environments: what we keep on by default, what we tune down, and what we add.

Mar 17, 2026

[Figure: OSINT pivot graph]
OSINT · Investigations

OSINT pivots that hold up under scrutiny

A short discipline-first guide to attribution work that survives counsel review, opposing experts, and a court of law.

Feb 28, 2026

[Figure: timeline correlation]
Investigations · Expert Witness

What "co-location" actually means in cellular records

A short primer for counsel: how the term is used in carrier records vs. in expert testimony — and where it's commonly misread.

Feb 02, 2026

[Figure: AI guardrails: prompt, context, evidence]
AI-Assisted · SIEM

Why AI in the SOC has to be auditable, not just fast

Hermes' design choices around audit, replay, and human override — and why those constraints are the point, not a limitation.

Jan 19, 2026

[Figure: risk heat map]
Risk · Executive

Cyber risk for boards: a one-page version that survives the meeting

A short framing that gets executives a defensible answer to "are we okay?" without burying them in maturity grids.

Jan 04, 2026