Is this the end of Security Detections MCP?
No.
But it is the point where it stops being "just a tool" and becomes something bigger.
With v3.2.2:
You now have a hosted detection intelligence system your AI can use instantly.
What changed:
• 🌐 Website is LIVE → https://t.co/z3NVBAqz9q
• ⚡ Hosted MCP → no setup, just a token + URL
• 🧠 8,200+ detections across 6 platforms
• 🎯 Coverage vs 172 ATT&CK threat actors
You can now ask:
👉 "What’s our ransomware coverage?"
…and your AI can answer across:
Sigma
Splunk
Elastic
KQL
Sublime
CrowdStrike
Two modes now:
Local (full power)
→ 81 tools
→ your own detection repos
→ full pipelines
Hosted (NEW)
→ zero setup
→ ~25 tools
→ always synced
→ 200 free calls/day
This is still fully open source:
https://t.co/hF5mrvTJkT
npm
https://t.co/ai3fqSmnri
Pulse MCP
https://t.co/gEy3m5aUP1
If MCP 3.0 was about:
"we can automate detection engineering"
This is:
"we can make it accessible to anyone with AI"
https://t.co/VMlp87WZBl
📦 I just released Security-Detections MCP - a way to let LLMs reason over real detection content, not just the internet.
This isn’t "AI writes detections for you."
It’s:
• Threat report in
• Coverage + gaps out
• Grounded in actual rules (KQL, SPL, Sigma, internal content)
The MCP indexes your detection corpus and exposes it in a way LLMs can query, compare, validate, and explain.
What this enables:
• Faster detection validation
• Identifying blind spots before adversaries do
• Structured markdown reports you can actually act on
• Humans stay in control — AI becomes the force multiplier
Repo ➡️ https://t.co/hF5mrvTJkT
👇Video walkthrough 👇 https://t.co/lp5MW3r6ur
If you’re doing detection engineering, threat hunting, or maintaining a large rule set - this changes how fast you can move.
More coming. This is just the start.
⚡ The team killed it on this end-of-year release of ESCU 5.19!
I'm so grateful to work with such talented and passionate people. @nas_bench, @raven_tait, @bareiss_patrick, @hackpsy, @rodsoto, @tccontre18, Lou Stella
Release: https://t.co/EC5snvvCrr
Key highlights:
🐚 React2Shell (CVE-2025-55182)
👾 Tuoni C2 Framework
🔐 Kerberos Coercion with DNS (CVE-2025-33073)
📦 NPM Supply Chain Compromise (Shai-Hulud)
🖥️ NetSupport RMM Abuse
🤖 Suspicious Local LLM Frameworks (Shadow AI)
🔥 Cisco ASA Activity
Plus: New macros, lookups, and shoutouts to external contributors jakeenea51 & DipsyTipsy for their search logic enhancements!
More sysadmins need to know this…
User logon restrictions are free.
Create a GPO and call it “DC Logon Restrictions - Domain Admins Only”
Configure User Rights Assignment for DA accounts to log on locally on domain controllers and deny log on locally on end-user workstations.
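An added check for the restriction described above (example code, not from the original post): it exports the effective User Rights Assignment of the host with secedit, resolves who holds the interactive logon rights, and warns when the Domain Admins conditions are not met. It assumes an elevated, domain-joined session and identifies Domain Admins by the well-known -512 RID.

```powershell
# Added example: audit "Allow log on locally" / "Deny log on locally" on this host.
# Assumes: elevated PowerShell, domain-joined machine (so SIDs resolve), secedit.exe present.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section; entries look like "SeRight = *SID,*SID,..."
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Principal([string]$Value) {
    # Entries are normally SIDs; fall back to the raw value if it is a plain name.
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Value)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Value }
}

# DomainRole 4 = backup DC, 5 = primary DC; anything lower is a workstation or member server.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    $holders = @($rights[$right]) | ForEach-Object { Resolve-Principal $_ }
    '{0}: {1}' -f $right, ($holders -join ', ')
}

# Domain Admins group SID is S-1-5-21-<domain>-512.
$daAllowed = @($rights['SeInteractiveLogonRight'])     | Where-Object { $_ -like 'S-1-5-21-*-512' }
$daDenied  = @($rights['SeDenyInteractiveLogonRight']) | Where-Object { $_ -like 'S-1-5-21-*-512' }

if ($isDC -and -not $daAllowed) {
    Write-Warning 'Domain controller: Domain Admins do not hold "Allow log on locally"'
}
if (-not $isDC -and -not $daDenied) {
    Write-Warning 'Non-DC host: Domain Admins are not in "Deny log on locally" (GPO not applied?)'
}
```

Run it on one DC and one workstation after the GPO has refreshed (gpupdate /force) to confirm both sides of the restriction took effect.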
🥳 Whoa! We got a new #Kubernetes Goat 🐐 scenario on @ciliumproject Tetragon for eBPF-based runtime #security monitoring, detection & enforcement 🚀
🔥Try it out yourself at https://t.co/eAYy6XFenu
🌟 Give a star if you like https://t.co/7omjqBTYLr
#CNCF #Hacking #Community
Isn’t it amazing that some of the best research and tools are literally free because passionate, skilled people devote their time to sharing?! 🙏🙌💪
[New Blog 📚] The Fragile Balance: Assumptions, Tuning, and Telemetry Limits In Detection Engineering
If you ever struggle with false positives and the idea of tuning detections, this is for you.
Read More - https://t.co/3m2NfpjHqf
Picture Paints a Thousand "Codes": STRT analyzed a Quasar RAT campaign using image steganography to hide payloads inside harmless-looking images.
🔍 In our latest blog:
How it works
Key TTPs
Detection for #Splunk & #Cisco NTDR
Read: https://t.co/Dsqvzdy7A6
#int3
Demo tool:
https://t.co/MJdSoDuCRO now tracks over 290 RMMs, with new ones being added regularly. These tools provide legitimate functionality but are frequently repurposed by attackers. Read here: https://t.co/GES3R2ESsT
If you're not using them in your setup, why allow them to run?
Block them with https://t.co/qwXEmRpgK2 and prevent abuse before it starts.
#CyberSecurity #LOLRMM #MagicSword #RMM #ThreatHunting #DefendForward
So I was deep in my webshell era this week 🧙♂️🕸️💻 and—plot twist—I totally got owned... by myself 😂
Naturally, I pulled the classic move:
Did I read the source?
Nope.
Did I run it anyway?
YOLO 🪂💥
Next thing I know, it casually goes full ninja mode and drops:
cmd.exe ➡️ c:\windows\temp\kiss.exe 💋
👀 I’m staring at logs thinking, “I’VE BEEN HACKED.”
Cue full-on investigator mode 🕵️♂️🔍
BUT WAIT—my security group is locked down tighter than my childhood trauma 😅🚪🔐
So... WHO DID THIS?!
/🫨 PANIC 🫨
Spoiler: it was me. It was always me.
👈😔
Moral of the story:
When playing with random malware/webshells/etc., maybe—just maybe—read the source first?
📜👓➡️🧠
Before it turns into 🪦💀💻
🚨 NEW BLOG DROP 🚨
A little late to the CitrixBleed party…
But still REALLY worth your time 🧠💥
💻 CitrixBleed (CVE-2025-5777)
🩸 Memory exposure ➡️ token hijacking
🛡️ Detection + mitigation tips inside!
👉 Read it now: https://t.co/28t6oP8N1S
⸻
🔍 What you’ll learn:
• 🚔 Detection tactics: from NetScaler logs to anomaly patterns 👀
• 🛠️ Mitigation moves: patches, session resets, and layered defenses 🧱
Give it a read!
🚀 Happy to share my latest blog on @splunk:
"Unlocking Endpoint Network Security Insights with Cisco Network Visibility Module (NVM) and Splunk"
🔗 Check it out here - https://t.co/XPBUFoU1TL
In this post, I walk through how Cisco Network Visibility Module (NVM) works, the type of telemetry it generates and how to bring endpoint network telemetry to Splunk via the CESA TA.
You can think of Cisco NVM as Sysmon Event ID 3 on steroids, adding an insane amount of context to flow records (child and parent process info, HTTP method, loaded modules, etc.). It also provides process hierarchy logs that let us build process trees from the processes that generate network traffic, as well as Osquery data on installed browser extensions, interfaces and OS information.
We leveraged this telemetry to build 14 new detections that surface suspicious activity directly from the endpoint’s network layer, and mapped 16 previously written CIM detections to NVM data.
🔍Check out the "Cisco Network Visibility Module Analytics" Analytic Story here - https://t.co/JdC9GY26yA
Huge thanks to the Cisco NVM team for the help to bring this project to life.
If you're using Cisco and Splunk, this is a great way to get more value from both.
#Cisco #Splunk #NVM #ThreatDetection
Stoked to present the research #STRT did with our Talos friends alongside @nas_bench and John Levy! And it includes a sweet demo at the end. Come say Hi :)
Let's supercharge your SOC. 🔋
Join the Splunk Threat Research Team alongside @TalosSecurity on July 23 to learn how to seamlessly integrate @Cisco Secure Firewall with #SplunkSecurity to up-level your response strategies.
Come see me at RSAC! I'll be speaking about common threat actor techniques seen in AWS intrusions, and why they're terrible! It'll be a Gordon Ramsay-style critique of cloud threat actors. In addition, we'll talk about how you can attack AWS environments better!
Introducing 🚀Eventlog Compendium 🚀
A new Streamlit app that aims to be the go-to resource for understanding and playing with Windows Event Logs.
Explore it 👉 https://t.co/M8bHXpg8aL
Includes the following utilities and docs:
⚙️ Build your own Advanced Audit Policy based on different data points, making your policy data driven.
🧭 Event ID to Audit Policy mapping, as well as a MITRE ATT&CK to Event ID explorer.
📊 Leveraging the EVTX-ETW-Resources project, you can explore the different ETW providers by build and version and filter down on key message strings.
📄 EVTX Baseline Search & Match - explore the evtx-baseline project in a visual way, where you can paste logs and check whether they match in real time.
🧮 Event Field Decoder - decode common Windows Security Event fields such as Logon Types, Access Masks, Active Directory GUIDs and SIDs.
🔒 Built-in SACL Explorer - leveraging SACL Scanner from Alexander DeMine, you can explore the built-in SACLs on a Windows system.
And much more to come. Stay tuned.