About this Grid
ThreatGrid is where I write about defensive engineering as it actually gets practiced — not as a marketing diagram. The scope spans Zero Trust architecture, identity as the new perimeter, EDR and XDR tuning, vulnerability management under real-world constraints, SOC operations, detection engineering, and incident response. If a control only works in a vendor slide deck, it doesn't belong here.
The recurring themes are prioritization and honesty. Security teams are drowning in alerts, CVEs, and frameworks. The work that actually moves the needle is disciplined triage — knowing which vulnerabilities are being exploited right now (the CISA KEV catalog is a good starting point), which controls map to the threat models your organization actually faces, and which "best practices" are safe to deprioritize. Writing here tends to be opinionated about that tradeoff.
Expect breach post-mortems, architectural reviews, Zero Trust reality checks, patch-management philosophy, and occasional commentary on the vendor ecosystem. Written from the practitioner's chair, not the analyst's.
All Posts in This Grid
10 articles · newest first
The 10-Point Ransomware Readiness Checklist
Most organizations discover their gaps after the encryption starts. The ten things to have in place before.
MFA Is Necessary. It's Not Sufficient.
MFA is table stakes. Adversaries have moved to MFA fatigue, session hijacking, and OAuth abuse. What real MFA maturity looks like.
Tabletop Exercises That Actually Stress Your Plan
Most tabletops are theatre. A good one sends you back to documentation with 3-5 gaps to fix.
EDR Alone Isn't Enough. Here's What's Missing.
EDR is great at endpoints. Attackers moved up (identity) and out (SaaS, OT). What else you need in the stack.
Insider Threat: The Uncomfortable Conversation
Most insider threats aren't malicious. They're privilege sprawl, bad offboarding, and ego. Naming this honestly changes the program.
Vulnerability Management That Isn't a CSV Dump
You don't need to patch everything. You need to patch what adversaries are exploiting. Most VM programs fail trying to do both.
The CISA KEV Catalog as a Prioritized Patch Backlog
Most patch programs drown in CVEs. KEV is the strongest signal most teams aren't using well. Here's how.
Breach Notification in the US: State-by-State Reality
There's no federal breach notification law. Every state has its own. Your legal team needs a matrix, not a checklist.
SOC Maturity: The Plateaus Nobody Warns You About
Most SOCs plateau at proactive hunt and detection engineering. Here's why and what breaks the plateau.
Zero Trust Is Harder Than Vendors Admit
The concept is sound. Implementations are often theatrical. A pragmatic path through the Zero Trust journey.
A Practitioner's Patching Priority Framework
CVSS alone won't cut it. A four-factor model: exploitation, exposure, impact, reversibility. Apply ruthlessly.
Supply Chain Security: Five Years After SolarWinds
SolarWinds shifted the conversation. Five years later, most orgs still don't have real supply chain controls.