Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

From days of training to three better rules in a minute

A few years ago, I was part of a team responding to a high-profile security incident. After the incident was resolved, I was given a list of NDR rules to add to my firewalls. The issue was that the rules were not made for Suricata, the IDS I was using in this position at that time, so they generated false positives. With all that extra noise, I made it my goal to eliminate that excess noise.

What the Black Hat NOC taught me about MCP & agentic SOCs (Chapter 2 of 4)

The first time an MCP (Model Context Protocol) server felt real to me, it wasn't because of a clean demo. It was because of the noise. TL;DR: The harness matters more than the protocol, and the evidence matters more than both. MCP earns its keep when it shortens the path from a good security question to trustworthy evidence, and almost everything interesting about making that work happens in the harness wrapped around the model. In this series, I will cover how to build an MCP for an AI SOC.

Identifying and detecting ScoutC2 malware

At Corelight Labs, our mission is to help organizations stay a step ahead of evolving threats. When our researchers came across Censys' detailed write-up on ScoutC2, a rapidly growing open-source command-and-control (C2) framework favored by threat actors, we knew we needed to bolster community defenses quickly.

Stop Chasing Alerts, Start Hunting Adversaries: The New NDR Essentials

It was time to write another book. That’s what I thought when I heard that Corelight wanted to update its 2021 book on network detection and response (NDR). Tamara Crawford, who owned the project, scheduled a meeting with me and asked if I might be interested in helping, depending on who might write the text.

Episode 18 - Live Fire Defense at Locked Shields

In this episode, host Richard Bejtlich sits down with Corelight Senior Sales Engineers Adam Donadeo and Nico Roosenboom to unpack their firsthand experiences at Locked Shields, the world’s largest international live-fire cyber defense exercise. The conversation dives deep into the chaotic, real-world friction of defending a massive virtualized network alongside 4,000 global experts against aggressive red team waves.