Why indirect syscalls slip past some EDR hooks
A conceptual look at why user-mode hooking is a leaky abstraction — and what that means for defenders who rely on it.
Security research & writeups
Red-team tradecraft, detection engineering, threat intelligence, and the occasional project — written in the open by Cameron Cottam.
A single EDR detection is a starting point, not an answer. Here's how to turn it into a tuned, vendor-neutral Sigma rule without drowning in false positives.