Practical writing from real IR work: proactive hardening, reactive response, and everything in between. No vendor angles, no theoretical frameworks.
Three tiers, a Control Plane, and real organizational friction. How to implement EAM in an enterprise that wasn't designed for it: the Tier 0 assets people miss, the things that break, and why it's worth doing anyway.
How to run BloodHound proactively, write Cypher queries that surface real exposure, and translate graph data into a prioritized remediation backlog.
The first 48 hours of AD eviction. Decisions that determine whether you succeed or give the attacker a persistent foothold, and what the documentation leaves out.
AD Connect sync, Pass-Through Authentication, seamless SSO: each one is a bridge. Most defenders don't understand the risk until an incident makes it obvious.
Built-in AD mechanisms designed to protect privileged accounts, routinely misconfigured, occasionally abused, and almost always misunderstood.
4624, 4768, 4769, 4771, 4776, and about a dozen others. A practical guide to the Windows event logs that reveal Kerberoasting, AS-REP roasting, lateral movement, and DCSync in progress.
A walk-through of a real intrusion pattern: credential theft, lateral movement, Kerberoasting, and DCSync. Sanitized, but this is what it actually looks like from the IR side.
Privileged access management without the enterprise price tag. What actually works, in plain terms, with implementation notes from real deployments.
Conditional Access is powerful and frequently misconfigured. The policies worth enabling, the gaps that leave accounts exposed, and how to test without locking yourself out.