Notes from a practitioner's desk.
75 articles across 10 grids. Newest first.
Why I Built a Dark Web Research Site (and What I Learned)
A year of studying privacy engineering by building one. Lessons on Whonix, Tor hidden services, and operational isolation.
The CISA KEV Catalog as a Prioritized Patch Backlog
Most patch programs drown in CVEs. KEV is the strongest signal most teams aren't using well. Here's how.
AI in IT Operations: A Reality Check
What actually works, what's vendor theater, and where I think the genuine leverage lives over the next two years.
MIT Week 1: Back in a Classroom After 20 Years
A personal reflection on returning to formal study after two decades of practice.
What To Do In The First 24 Hours
The calm-first playbook: isolate, preserve, engage legal, out-of-band comms — and the things you must NOT do.
Home Security Lab: The Minimum Viable Stack
What the lab actually needs: hypervisor, routed VLAN, EDR trials, AD test forest, packet capture.
Zero Trust Is Harder Than Vendors Admit
The concept is sound. Implementations are often theatrical. A pragmatic path through the Zero Trust journey.
Reading the Threat Intelligence Landscape
Threat intel has a tier system nobody writes down. Strategic, operational, tactical, technical.
LLM-Powered Runbooks: Where They Work
LLMs augment runbooks well, but only after you've stopped treating them as answer engines.
The 10-Point Ransomware Readiness Checklist
Most organizations discover their gaps after the encryption starts. The ten things to have in place before.
OSINT for IT Leaders
Free OSINT sources give you 80% of what costs $100k+ in vendor subscriptions.
Kubernetes for Enterprise IT (Not Just Developers)
Kubernetes is infrastructure, not a dev platform. Teams who let it sit with product teams regret it.
Setting Up Whonix: Step by Step
Windows + VirtualBox + Whonix. Install, bootstrap Tor, first onion service, common pitfalls.
US Cyber Authorities: Who to Call
FBI IC3, CISA, Secret Service, state AG, SEC. What each does, when to call, how to report.
Tor for IT Professionals: A Primer
Most IT leaders think Tor = illegal and stop there. It's a critical privacy tool used by journalists and researchers.
MFA Is Necessary. It's Not Sufficient.
MFA is table stakes. Adversaries have moved to MFA fatigue, session hijacking, OAuth abuse.
Prompt Injection: The OWASP of AI
Prompt injection is the SQL injection of 2026. Most teams haven't even mapped their attack surface yet.
Dark Web Intel: What Actually Matters
Most dark-web-monitoring products oversell. Only two classes of findings actually change defender behavior.
The Hidden Cost of Multi-Cloud
Multi-cloud for resilience is often more fragile than single-cloud. Expertise duplication, data gravity, egress fees.
Whonix Architecture Explained
Whonix separates the application from the network at the VM boundary. A beautiful piece of engineering.
Local LLM for SOC Prototyping
Ollama + Llama on a dedicated box. Why local matters for prototyping, what you can't prototype locally.
Tabletop Exercises That Actually Stress Your Plan
Most tabletops are theater. A good one sends you back to documentation with 3-5 gaps to fix.
Credit Freezes: Step by Step
All three bureaus, walked through. Child credit freezes. When to lift. Fraud alerts vs. freezes.
RAG for Internal Documentation
RAG over internal docs is the most boring, most useful enterprise AI pattern.
Observability vs Monitoring: A Practitioner's Take
Monitoring answers what you thought to ask. Observability answers questions you didn't anticipate.
Building an Intel-Driven Security Program
Most SOCs claim intel-driven but operate alert-driven. What actually changes when intel drives detection.
EDR Alone Isn't Enough
EDR is great at endpoints. Attackers moved up (identity) and out (SaaS, OT). What else you need.
Hidden Service Fundamentals
Hidden services are misunderstood. A powerful primitive for authenticated, end-to-end encrypted services.
Proxmox vs ESXi in 2026
Post-Broadcom ESXi pricing. Proxmox for home + mid-enterprise. Feature parity for 80%, honest gaps.
AI Tier-1 SOC Triage: Six-Month Results
After six months of LLM-assisted tier-1 triage, here's what I'd tell other IT leaders.
Identity Theft Recovery Workflow
IdentityTheft.gov five-step process, police reports, credit bureau disputes, tax-related ID theft.
Data Platform Maturity: From Lake to Lakehouse
The data lake promise failed. Lakehouse (Iceberg, Delta) succeeds where it does.
Vendor Threat Feeds: What You're Paying For
The $500k feed has 85% overlap with the $10k one. The real value is often elsewhere.
Insider Threat: The Uncomfortable Conversation
Most insider threats aren't malicious. They're privilege sprawl, bad offboarding, and ego.
Ethics of Dark Web Research
Doing security research on Tor requires a code. Legal research vs. crossing lines.
Hardening Your Home Network
Separate IoT VLAN, DNS filtering, WPA3, guest network, WireGuard. Practical list.
Executive Breach Response Playbook
Board notification, crisis comms, counsel, insurance, regulators. The 48-72h window.
Why Your SRE Team Isn't Scaling
SRE doesn't scale by hiring more SREs. It scales by reducing toil and raising abstraction.
Model Selection for Enterprise IT
The LLM you pick for enterprise IT isn't the one on the ChatGPT homepage.
The Five Sources I Read Every Morning
A 20-minute curated read-in beats a 2-hour dashboard crawl.
Vulnerability Management That Isn't a CSV Dump
You don't need to patch everything. You need to patch what adversaries are exploiting.
Identity Separation in Security Work
If you do research under a pseudonym, your clearnet and shadow identities need actual separation.
Bitwarden Enterprise: 18-Month Review
What works, what's rough. SSO + team shares (good). SCIM nuances + mobile UX (uneven).
Endpoint Management: Zero Trust for Devices
Your endpoint is the new perimeter segment. Managing it like it's 2015 is why you're breached.
GDPR Breach Notification Requirements
72-hour clock, DPA notification, when "high risk" triggers data subject notification.
Data Leakage in AI Workflows
Every AI workflow is a new data egress vector. Most orgs don't think about it until the lawyers find out.
Attribution: When It Matters
Attribution is overrated for defenders and underrated for response.
Breach Notification in the US: State-by-State Reality
There's no federal breach notification law. Every state has its own.
1Password vs KeePassXC vs Bitwarden
Honest comparison. 1Password UX best. KeePassXC best for sovereignty. Bitwarden best value.
Network Architecture for Hybrid Work
The VPN-everywhere model broke during COVID. What modern hybrid-work architecture looks like.
PGP for Technical Leaders
PGP has a bad UX reputation. For technical leaders it's a useful credential beyond encryption.
Ransomware Negotiation: When NOT to Pay
OFAC sanctions lists, decryptor existence, insurance position.
The Economics of GenAI in the Enterprise
The ROI on GenAI isn't where the vendor deck says it is.
Signal vs Noise: The Security News Firehose
There's too much security news. 95% doesn't change what you do tomorrow.
Cloud Cost Optimization: The Framework
FinOps isn't a team. It's a practice. The biggest wins are in design, not dashboards.
Personal OSINT Workstation Build
Compartmentalized browsers, VPN stack, Maltego free tier, SpiderFoot, case file workflow.
SOC Maturity: The Plateaus Nobody Warns You About
Most SOCs plateau at proactive hunt and detection engineering.
Business Email Compromise Recovery
Wire fraud specifics, IC3 within 72h, the Financial Fraud Kill Chain.
Running a Warrant Canary
A canary is a signaling mechanism, not a legal defense.
Shadow AI: What IT Doesn't Know
If you haven't counted Shadow AI usage, it's higher than you think.
Threat Landscape Q1 2026: Patterns
A quarterly practitioner's read on what actually changed.
Identity as the New Perimeter
The network perimeter is dead. Identity is the new perimeter.
The Home Lab Threat Model
The lab IS internet-exposed whether you mean it to be or not.
Breach Disclosure Letter Templates
Consumer, employee, regulatory templates. Real language.
Privacy-Respecting Logging Patterns
You can run a useful service without logging things that would identify your users.
A Practitioner's Patching Priority Framework
CVSS alone won't cut it. A four-factor model.
Agentic AI: Hype vs. Production Reality
Agentic AI is real but fragile. What works, what breaks.
MITRE ATT&CK for Defenders
ATT&CK is a framework, not a checklist.
The Case for Boring Technology
Novel tech is expensive in ways that don't show up in a POC.
From Home Lab to Production: Lessons
What translates, what doesn't.
Reading the Dark Web: Intel Sources
What a practitioner actually reads and how they use it.
Supply Chain Breach: Your Responsibilities
When your vendor gets breached. Contract review, shared-responsibility, customer notification.
Supply Chain Security: Five Years After SolarWinds
SolarWinds shifted the conversation. Five years later, most orgs still don't have real supply chain controls.
Evaluating AI Vendors: The Practitioner's Checklist
Every AI vendor deck looks the same. The ten questions that separate real from fake.
Onion Services v3: An Operator's Notes
Running a v3 onion service isn't hard technically. The operational discipline is where people fail.