I work identity-based incidents — both proactive hardening and reactive response. AD tiering, Entra ID security, attack path management, and post-compromise recovery. Writing about what I see in real environments.
Three tiers, a Control Plane, and real organizational friction. How to implement EAM in an enterprise that wasn't designed for it — the assets people miss, the things that break, and why it's worth doing anyway.
How to run BloodHound proactively, write Cypher queries that surface real risk, and turn graph data into a remediation backlog your team can actually work through.
Threat actor eviction from Active Directory is one of the hardest IR problems. The decisions made in the first 48 hours determine whether you succeed — or give the attacker a way back.
AD Connect sync, Pass-Through Authentication, seamless SSO — each one is a bridge that can be crossed the wrong way. Most defenders don't know they exist until an incident reveals them.
I'm an Incident Response Consultant with over 15 years in IT and a focus on identity security. My background includes ransomware response, intrusion investigations, and recovering compromised Active Directory environments. I hold CompTIA Security+, ISC² SSCP, and ISC² CC certifications.
This blog covers Active Directory security, identity attack paths, and hardening strategies based on my professional experience in the field. The topics I write about reflect patterns and misconfigurations that are well documented in the industry but still show up far too often in production environments. My goal is to break them down in a practical way that defenders and administrators can actually act on.