This is one of the funniest things I’ve seen this year 😂 😂 vibecoded.vc/cooked/

📢🍏 macOS is now part of the EDR Telemetry Project. After three months of focused work, we’re excited to share a new framework and generator for endpoint visibility on macOS! Huge thank you to everyone who contributed and helped shape this release. Looking forward to what comes next.

It’s been quiet on the EDR Telemetry side lately while working on something big! EDR telemetry's goal was always to set the standard for telemetry visibility, and this is what we're planning to do with tomorrow's release... Keep an eye out for tomorrow's announcement!

Sometimes the call comes a little too late and you gotta do what you gotta do 😂

Phantom Stealer has been prominent across phishing campaigns over the past two weeks. Operationally interesting to me is that it’s not just an infostealer. It also acts as an initial access broker, dropping GuLoader for follow-on activity, and I’ve seen it deploy crypto miners as well.

Clinejection PoC: researcher proved you can compromise a VS Code extension (700k+ weekly users) via prompt injection in GitHub issues. He was kind enough to install harmless software as a POC. Real attackers won't... Vendor ignored him for 47 days, fixed it in 30 min after he went public.

MDX content is awesome, I love it, and I use it whenever I can on my projects. But be careful cause if you’re using next-mdx-remote (4.3.0–5.x) to server‑side render untrusted MDX, you’re potentially exposing yourself to RCE via CVE‑2026‑0969...

At EDR Telemetry project, we spend a lot of time measuring what EDRs can see. This article is about what they still cannot safely stop. From LOLBAS to vulnerable drivers to unauthorized RMMs, I walk through the real-world gaps we keep seeing in telemetry and why application control is...

We have added a new analysis Skill thanks to @BlueTeamSteve! This skill can be used to quickly and accurately map the MITRE ATT&CK tactic and technique to threat behaviors and indicators you enter in the prompt, saving you a ton of time!

𝗘𝗗𝗥 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 𝗨𝗽𝗱𝗮𝘁𝗲: 𝗡𝗲𝘄 𝗜𝗻𝘁𝗲𝗿𝗮𝗰𝘁𝗶𝘃𝗲 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗘𝘅𝗽𝗲𝗿𝗶𝗲𝗻𝗰𝗲, 𝗠𝗜𝗧𝗥𝗘 𝗔𝗧𝗧&𝗖𝗞 𝗜𝗻𝘀𝗶𝗴𝗵𝘁𝘀, 𝗮𝗻𝗱 𝗪𝗮𝘁𝗰𝗵𝗚𝘂𝗮𝗿𝗱 𝗘𝗗𝗥 We want to start by thanking everyone who supported us as early adopters.

𝗝𝘂𝘀𝘁 𝗹𝗮𝘂𝗻𝗰𝗵𝗲𝗱 𝗮𝘄𝗲𝘀𝗼𝗺𝗲-𝗱𝗳𝗶𝗿-𝘀𝗸𝗶𝗹𝗹𝘀 𝘄𝗶𝘁𝗵 @fr0gger_ ! Designed to save time during investigations and everyday DFIR tasks Thomas has built an excellent malware triage skill, and I’ve added a couple of timeline analysis skills to help you get started.

We’ve just added 𝗖-𝗣𝗿𝗼𝘁 EDR to the EDR Telemetry Project and it sets a new bar for Linux telemetry! C-Prot is currently #1 in the Linux EDR table, with exceptional depth and quality of raw telemetry. What really stands out is the level of transparency: we got direct access to a production...

Claude set a strong bar for structured, workflow-driven AI usage, and it’s no surprise we’re now seeing similar ideas across other platforms like OpenAI. I’ve built DFIR and quick triage workflows that save me hours every time! The time savings really add up, and it’s completely changed how I work.

Merry Christmas everyone! Hope everyone’s enjoying some downtime 🎄

I’ve moved all of my blog posts from Medium to a new blog section on my personal website. If you’re looking for a good read, I’d recommend my Cobalt Strike write-ups (Part 1 & Part 2) from 2021–2022. kostas.page/blog/cobalt-...

Many large companies are using AI and forcing their employees to use their AI models. They do this to train their AI models, getting them ready to replace many low-level analyst positions. If you are a security analyst in one of these big organizations, you need to have plan B….

📢 𝗜’𝗺 𝗮𝗻𝗻𝗼𝘂𝗻𝗰𝗶𝗻𝗴 𝗧𝗵𝗿𝗲𝗮𝘁 𝗛𝘂𝗻𝘁𝗶𝗻𝗴 𝗟𝗮𝗯𝘀, 𝗹𝗮𝘂𝗻𝗰𝗵𝗶𝗻𝗴 𝗻𝗲𝘅𝘁 𝘆𝗲𝗮𝗿! After building threat hunting teams for large MSSPs, creating DFIR Labs for TheDFIRReport, and sharing years of free threat hunting material, I want to bring everything together into one platform. Something closer to how investigations...

𝗜𝗻𝘁𝗿𝗼𝗱𝘂𝗰𝗶𝗻𝗴: 𝗧𝗿𝗮𝗻𝘀𝗽𝗮𝗿𝗲𝗻𝗰𝘆 𝗜𝗻𝗱𝗶𝗰𝗮𝘁𝗼𝗿𝘀 𝗶𝗻 𝘁𝗵𝗲 𝗘𝗗𝗥-𝗧𝗲𝗹𝗲𝗺𝗲𝘁𝗿𝘆 𝗣𝗿𝗼𝗷𝗲𝗰𝘁! Transparency has always been central to the EDR Telemetry Project. Evaluations may involve different levels of access, and making that visible adds helpful context for readers.

⊕We’ve added 𝗖𝗶𝘀𝗰𝗼 𝗦𝗲𝗰𝘂𝗿𝗲 𝗘𝗻𝗱𝗽𝗼𝗶𝗻𝘁 to the EDR-Comparison.com platform!! Cisco shows strength in prevention, indicator alerting, and response automation, with solid investigation visuals and well-documented APIs that integrate easily into broader security stacks. It’s a platform that leans more...

As we are are approaching our goal, starting January, we’re updating the pricing for the 𝗘𝗗𝗥 𝗙𝗲𝗮𝘁𝘂𝗿𝗲 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗦𝗲𝗿𝘃𝗶𝗰𝗲. The platform has grown far beyond the initial dataset, and the new pricing reflects the depth of work going into the next phase of the project. 𝗪𝗵𝗮𝘁’𝘀 𝗰𝗼𝗺𝗶𝗻𝗴 𝗻𝗲𝘅𝘁:

I’ve been getting a lot of questions lately about the difference between the 𝗘𝗗𝗥 𝗧𝗲𝗹𝗲𝗺𝗲𝘁𝗿𝘆 𝗣𝗿𝗼𝗷𝗲𝗰𝘁 and the 𝗘𝗗𝗥 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗦𝗲𝗿𝘃𝗶𝗰𝗲. They’re related, but they solve completely different problems. Telemetry 𝗶𝘀 𝗼𝗻𝗲 𝗽𝗶𝗲𝗰𝗲 𝗼𝗳 𝘁𝗵𝗲 𝗽𝘂𝘇𝘇𝗹𝗲. The comparison service 𝗹𝗼𝗼𝗸𝘀 𝗮𝘁 𝘁𝗵𝗲 𝗲𝗻𝘁𝗶𝗿𝗲 𝘀𝗼𝗹𝘂𝘁𝗶𝗼𝗻.

This report from Bleeping is crazy, is You can't make this stuff up! 😂 www.bleepingcomputer.com/news/securit...

Quick update. We just added a new EDR vendor directory page to the platform. If you want a clean overview of who’s included and a preview of the comparison features, start here: www.edr-comparison.com/directory

Heads-up on CVE-2025-55182: a CVSS 10.0 pre-auth RCE affecting React Server Components 19.x. Can be triggered through malicious HTTP payloads, so there will be chaos when a POC comes out. On that note...there are many fake POCs circulating. Be careful what you run. A POC is not available yet.

🚨𝗕𝗶𝗴 𝗱𝗮𝘆 𝗳𝗼𝗿 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝗦𝘁𝗿𝗲𝗮𝗺. 𝗢𝗻𝗲 𝗼𝗳 𝗼𝘂𝗿 𝗹𝗮𝗿𝗴𝗲𝘀𝘁 𝗿𝗲𝗹𝗲𝗮𝘀𝗲𝘀 𝘆𝗲𝘁. The platform now supports official pySigma validation fully in-browser, compiled to WebAssembly. Same validation as sigma-cli. Thanks to @sifex from detection.studio for the inspiration behind the implementation. Here’s what we added:👇

A lot of folks have been asking how we run our EDR testing and what the methodology looks like behind the scenes. I put together a full deep dive walking through our process, the tooling we use, and how we score everything based on direct telemetry.

If you’re trying to use Wazuh for threat hunting or incident response, stop wasting your time. Wazuh is fine for compliance and system visibility, but that’s where it ends.

𝗥𝗼𝗮𝗱𝗺𝗮𝗽 𝘂𝗽𝗱𝗮𝘁𝗲: the first milestone is done. The Interactive Comparison Interface now has its core engine in place. Good progress for week one, and more updates are coming along with more EDR vendors!

I just finished a big update for the EDR Telemetry website. We’re preparing for many exciting updates and want to make sure we’re ready 🙂 Check it out and let me know what you think - www.edr-telemetry.com

I'm reviving Teletracker. Missed working on it and it deserved a second life. I'm rt is way more useful for investigations. Drop in a bot token from malware and see threat actor comms directly from a clean web interface. Demo video attached. Let me know your thoughts!

𝗦𝘂𝗿𝗶𝗰𝗮𝘁𝗮 𝗶𝘀 𝗻𝗼𝘄 𝗽𝗮𝗿𝘁 𝗼𝗳 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝗦𝘁𝗿𝗲𝗮𝗺 𝘄𝗶𝘁𝗵 𝗽𝗹𝗮𝘆𝗴𝗿𝗼𝘂𝗻𝗱𝘀 𝗮𝗻𝗱 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀! Big update for anyone working on network detections. 𝗜𝗻𝗰𝗹𝘂𝗱𝗲𝗱: • 45k+ ET rules available out of the box • Full ET Open ruleset preloaded • Build and validate custom Suricata rules

Cloud Flare’s outage yesterday came down to one thing. A feature file in Bot Management quietly doubled in size and blew past an internal limit, which cascaded across their proxies. Full writeup ➡️ blog.cloudflare.com/18-november-...

Me trying to launch my new EDR comparison service while Cloudflare has an outage🤦‍♂️

🚀 𝗧𝗵𝗲 𝗘𝗗𝗥 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗶𝘀 𝗻𝗼𝘄 𝗹𝗶𝘃𝗲. If you’ve been following the EDR Telemetry Project, this is the next step: A full breakdown of how each EDR actually implements its features. 🔥 𝗟𝗶𝗳𝗲𝘁𝗶𝗺𝗲 𝗮𝗰𝗰𝗲𝘀𝘀 𝗮𝘃𝗮𝗶𝗹𝗮𝗯𝗹𝗲 𝗳𝗼𝗿 𝗲𝗮𝗿𝗹𝘆 𝗮𝗱𝗼𝗽𝘁𝗲𝗿𝘀 (𝗹𝗶𝗺𝗶𝘁𝗲𝗱 𝘁𝗶𝗺𝗲). Intro blog: edr-comparison.com/blog/navigat...

My favourite thing about using AI is that I don't have to choose how to name sh*t anymore. That's mostly: - Blog Titles - Script names/variables/functions etc. - DB table names/columns It was draining me, I can't go back... 😂

Proud to share that DetectionStream is now collaborating with the Sigma community to create opportunities for people to learn and grow within detection engineering. We’ve set up two channels for general discussions and challenge creation. Join here: discord.gg/KfdbeQpp

Suricata support is coming to DetectionStream.com this upcoming week! You’ll be able to: ➡️ View and edit all emerging rules ➡️ Test your detections instantly against your PCAPs (everything client-side) ➡️ Create your detections and share them with everyone (AI optional😉) 🔜🔜🔜

As I was looking for malware (like you do on a quiet Friday afternoon 😂) I found a classic fake “your system is infected” page. After the fake scan, the Renew Now button goes straight to Avast through an affiliate link🤣🤣 TAs doing a 180, selling AV to get their commission LOL

Anthropic basically spent the whole piece highlighting how their AI can be leveraged for intrusion activity, but didn’t give defenders a single IOC or attribution hint 😩 But hey, you now know their AI is good for pen-tests... 90% Flex 10% Value 🔗: www.anthropic.com/news/disrupt...

Just in: DoorDash breached… “unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address” Next paragraph: “No sensitive information was accessed” 🤦‍♂️

Did a big server rack upgrade today and took cable management seriously for the first time. It all looks so neat and professional. I don’t think I could ever go back, there is something special about it😮‍💨 Time to put it to use 😆 Big things coming next year… watch this space!

🍁🍂 Winter rides are 🔥

It’s been just 1 week since launch and 150+ people have registered, shared feedback & competed on the leaderboard! Huge motivation to keep building 💪 More challenges next week and with a FREE training module coming up!! Appreciate the support!!🙏 🔗detectionstream.com/sigma/training/gamified

A new strain called PromptFlux uses Google’s Gemini to regenerate its code every hour for evasion. Its prompts are basically self-update instructions. Imagine if you tweak the txt prompts to say “Create a 10,000-word report on...”, that'd be funny 😂💸💸 cloud.google.com/blog/topics/... #ImposeCost😂

Linux is finally getting some love 🐧 CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity. In our testing, we only use system-level operations and ignore indirect events. Details edr-telemetry.com/linux

This is the coolest coin I’ve ever received. Huge props to @Defcon604 for everything they do for the Vancouver community. Was awesome presenting to a packed room of 50+ folks, great energy and engagement all around. 🔥

When I started DetectionStream, I wanted to make learning detection frameworks less…boring. Theory is great, but where do you actually practice? So I built something: the Sigma Training Platform. It’s basically what I wish existed when I was learning this stuff….👇

📢DetectionStream quick update. The 𝗦𝗶𝗴𝗺𝗮 𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 is almost ready. I’m planning to launch it next week with 𝟭𝟬+ 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀 you can dive into right away. Each challenge is designed to help you: ➡️ Practice Sigma rule creation ➡️ Understand detection logic fundamentals...👇

A normal InfoSec Friday be like... 😂

🚀 𝗕𝗶𝗴 𝘂𝗽𝗱𝗮𝘁𝗲 𝗳𝗼𝗿 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝗦𝘁𝗿𝗲𝗮𝗺! I’ve just rolled out authentication, unlocking new personalization features while keeping the core experience open to everyone. • 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗼𝗽𝘁𝗶𝗼𝗻𝗮𝗹: You can still explore, test, and learn without an account. • 𝗦𝗶𝗴𝗻-𝗶𝗻 𝗲𝗻𝗵𝗮𝗻𝗰𝗲𝗱: If you do log in, you can now sa...