Really liked this SpecterOps write-up.
EDR gives defenders visibility and response options you absolutely want.
But no serious attacker treats EDR as the end of the road. They probe, learn, change their approach, and try again.
SOTA LLMs make that process faster.
EDR is critical. It is not magic.
https://t.co/RZyb8297Qh
@MoormannRainer Ich habe mir schon Sorgen gemacht das in Niederaichbach gerade die Leute auf der Straße jämmerlich erfrieren weil die 2,5GW Kühlleistung von Isar 2 fehlen. Was ja so ziemlich 1 Millionen durchschnittlichen Klimaanlagen entspricht. Die haben wir doch jetzt noch gut? 😎
Just noticed this change in the @MITREattack Enterprise Matrix V19. Defense Evasion has been split into the tactics Stealth and Defense Impairment.
https://t.co/o47n7dy6er
Elite host forensics won't save you in the cloud. Most cloud compromises happen at the management plane, leaving zero trace on the host. Ep #103 dives into why traditional IR techniques fail when attackers pivot to APIs. 🎧 https://t.co/0PMazjgHvx #oldies
Stick a fork in it. DNSSEC is done. The largest Internet DNS provider doesn't "temporarily disable" core Internet security functionality. Cloudflare agrees with me: DNSSEC isn't that.
Ich komme mit Sicherheitsmeldungen nicht mehr nach - daher ein Sammelbeitrag. Irrsinn, wir werden gerade sicherheitstechnisch mit der IT sturmreif geschossen:
https://t.co/8xTzyE6sat
#LockedShields2026 has concluded! This year’s exercise brought together more than 4,000 participants from 41 nations. Congratulations to all 16 Blue Teams! Read more: https://t.co/vgpVROxqC7
🧵 The axios @npmjs compromise dropped a @macOS backdoor that closely mirrors North Korea's (@DPRK) recent WAVESHAPER backdoor. Let's take a quick look the full intrusion:
Kubernetes security is not just one feature.
It works in layers.
You can think of it like multiple rings protecting your cluster.
Here is the common mistake:
- 𝐀𝐏𝐈 𝐒𝐞𝐫𝐯𝐞𝐫 𝐀𝐜𝐜𝐞𝐬𝐬: Secure how people access the cluster.
- 𝐖𝐨𝐫𝐤𝐥𝐨𝐚𝐝 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲: Secure your pods and containers.
- 𝐍𝐞𝐭𝐰𝐨𝐫𝐤 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲: Control how pods talk to each other.
- 𝐈𝐦𝐚𝐠𝐞 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲: Make sure only safe images are used.
- 𝐑𝐮𝐧𝐭𝐢𝐦𝐞 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲: Monitor what happens during runtime.
Here is the common mistake.
Many teams focus only on external security but ignore what happens inside the cluster.
If one pod gets compromised and there are no restrictions, it can access other parts of your cluster.
Here is a study guide, that covers all the security aspects of a cluster
𝗖𝗵𝗲𝗰𝗸 𝗶𝘁 𝗵𝗲𝗿𝗲 - https://t.co/2P6OiN5pUc
Which layer is weak in your setup right now?
🔍 What is Observability?
Most people think it’s just monitoring.
It’s not.
Observability = knowing what’s happening inside your system without guessing.
It answers 3 simple questions:
1. What is happening?
2. Why is it happening?
3. How is it happening?
1. Metrics:
→ What’s happening
(CPU, memory, latency, traffic)
2. Logs
→ Why it happened
(Errors, events, debug info)
3. Traces
→ How it happened
(Request flow across services)
Metrics = What
Logs = Why
Traces = How
If you don’t have observability,
you’re just guessing in production.
Back in "SOAR is cool" days, I sometimes saw the convo go like this "Ah, this playbook will do the work of 1 analyst." -- "Sure! Let us try it" -- "Good news/bad news: it does the work of 1 analyst, BUT to keep it up we need 2 engineers" :-( I sense signs of this in AI SOC...
The worst part of rolling out EDR or any security agent on endpoints is the unreasonable amount of pushback and gaslighting by people concerned about performance.
You provide tons of evidence about the performance hit being negligible, but when ANY thing happens, they immediately blame the security tools, and now you’re tech support for tech support.
Interviewer: “Let’s say you wanted to make some changes in Active Directory but you don’t have sufficient privileges, what would you do?”
Me: “Pull up bloodhound?”
Interviewer:
Windows Notepad.exe now has a remote code execution vulnerability.
You read that right.
Notepad.exe, which used to be a simple text editor, has had so many network connect features added (including AI and Microsoft account subscriptions)… that it now has security vulnerabilities.
This CVE is rated as “SEVERE” and given an 8.8 score.
https://t.co/0FMfoho7f9
Remember when Windows added a new “Notepad” app with CoPilot and forced the good old notepad.exe to open the new app instead of itself even if you don’t want it?
Well, a new feature just dropped.