Scott Lynch

eBPF is kinda insane and nobody talks about it enough Netflix uses it to trace flow logs across their whole fleet without tcpdump eating the CPU. Cloudflare drops millions of malicious packets per second with XDP, before the kernel even bothers building an skb. that's the trick btw: XDP runs at the driver layer, so you reject junk traffic before the network stack wastes a single cycle on it. Google GKE dataplane v2 is built on Cilium/eBPF, and Google wrote about pushing it to 65,000-node clusters, which is frankly a stupid-big number. Netflix found a noisy-neighbor disk latency bug in prod that classic tools just couldn't see, because the latency was hiding between syscall and disk. practical tip most people miss: you don't need to write raw BPF bytecode like it's 2016. grab bpftrace, write a one-liner, get histograms of syscall latency in 10 seconds. and boom, you can see your prod read sizes live. no recompiles, no restarts, no downtime. the wild part is it's basically a tiny VM running sandboxed inside the kernel and the verifier won't even let you crash the thing. observability without the observer effect, finally. btw, I am building pktz - https://t.co/nqmL5d7beH - eBPF-powered network traffic monitor, per process, per connection, live. #ebpf #networking #cilium #devops #k8s #kubernetes #sre #cloud

Our printed documentation book has been updated for Security Onion 3.1 and is available from Amazon now! For those who don't know, we offer a softcover copy of our documentation for the current version of Security Onion via Amazon. All proceeds go to the Rural Technology Fund, and the book comes with a 20% off discount code for our on-demand training and the Security Onion Certified Professsional (SOCP) certification exam.

I spent the last weeks building LLM benchmarks for a very specific reason: We want to use AI in RuneAI to help with THOR finding triage, and I needed a better baseline for model selection than generic LLM leaderboards. Security-event triage is its own thing. A model can be great at coding, reasoning or vulnerability writeups and still be a bad fit for deciding whether a messy endpoint finding should be suppressed, reviewed or escalated. In real deployments this will likely happen inside agentic workflows with tools, memory, context handling and feedback loops. But before testing the whole system, I wanted a clean baseline: How does the model behave when it only gets the enriched finding itself? Blog post with the reasoning and methodology: https://t.co/KQPOPDWP1B Interactive benchmark results: https://t.co/pvVhTBJsz0 Repo: https://t.co/Fw3uW9nu2a Maybe useful for others building SOC / security-event triage benchmarks.

A friend told me something in a beer garden in Germany about 12 years ago: “Florian, don’t overthink whether this specific service is exploitable. The stuff is broken. Plan accordingly.” He meant software. Most software looks stable because it runs under normal conditions. Look closer and you find memory leaks, parser bugs, unhandled input, bad defaults, forgotten modules, weird edge cases. Now we have better fuzzing, better automation, AI-assisted auditing, variant hunting, more exploit dev, more eyes on everything. So yes, patching matters. But in a world where every kind of internet-facing software keeps producing fresh RCEs, you also need the boring stuff: 1. Reduce the attack surface - expose fewer services - disable unused modules, plugins and features - don’t publish admin interfaces unless they really need to be reachable 2. Limit the blast radius - run services with least privilege - isolate internet-facing systems - avoid shared accounts and credentials 3. Build visibility and control - collect useful logs - monitor weird errors, crashes and “should never happen” events - keep enough data to investigate later - run regular compromise assessments Assume exposed software is brittle. The stuff is broken. Plan accordingly.