Determining an Acceptable False Positive Rate for Your SOC
Acceptable FPR isn't a vibes problem, it's a math problem. Plug your environment into the calculator and find the actual number your program can tolerate.
Threat intelligence reports, detection engineering guides, and cybersecurity research from the Magonia team.
Mythos is finding thousands of vulnerabilities. Defenders aren't doomed. Detection has never been 1:1 with exploits, and why I think the numbers are a little* less scary than they're being made out to be.
From individual incident response to tracking adversaries across campaigns. Activity threading, analytic pivoting, and turning your own incidents into detection opportunities and structured threat intelligence.
The EDR Telemetry Project's website tells visitors to "validate detection logic" and endorses its use for guiding procurement decisions. The disclaimers saying it shouldn't be used for that exist only on GitHub. Public feedback suggesting it be clarified that it can't be used for detection was ignored.
A.I. insanity has reached new heights, as vendors scream about AI super threats while the reality is boring.
Every detection can be evaded. So what's worse: missing an attack or drowning in noise? The Base-Rate Fallacy shows that false positives are the true limiting factor. The goal isn't to be perfect; it's to be a difficult target. Each layer that forces an adversary to adapt is a win.
A new paper questions fuzzy hashing, but real-world data tells a different story. I share practical lessons for reducing false positives and argue that the future of TLSH isn't in alerting, it's in enriching events to create high-fidelity detections.
Have we become so focused on TTPs that we've dismissed the value at the bottom of the pyramid? This post explores what role, if any, IOCs have in a modern detection program, and what the future may look like for them.
In cybersecurity, nobody agrees on what "visibility" means. This post cuts through vendor hype with a practical framework, using a Splunk article's model of telemetry, monitoring, and observability to give your entire team a shared language to build better defenses.
The author of the EDR Telemetry Project responded, accusing me of spreading misinformation by saying his project was for detection, that it's always only ever been about telemetry. The problem is, his own words contradict him.
The EDR Telemetry Project is misleading. Its scoring only defines whether telemetry is collected, not whether it's actually usable. This post breaks down why the project is flawed in its current state and how some minor tweaks could make it truly valuable.
The response to the first article was really positive, and it highlighted something I've seen a lot: many of us in security come from backgrounds in IT, networking,