Archives

9 May, 2026

Shift 7 introduced phishing email alerts for the first time. The agents handled them. The pipeline between them didn't.

8 May, 2026

An 11-case shift defined by converging phishing campaigns, confirmed Remcos and Metasploit C2 deployments, and a recurring pattern of active endpoint compromise predating the alert vectors that triggered escalation. Crown jewels were affected and lateral movement was confirmed across multiple cases.

8 May, 2026

A five-day shift dominated by an active Okta-impersonation credential-harvest campaign, a multi-asset Remcos C2 deployment, and a persistent email gateway enforcement failure. All 11 escalations landed at P1 — no P2 or P3 cases were generated.

2 May, 2026

The separation of duties between detection engineering, agent reasoning, and the SOC fabric is becoming clearer with every run.

1 May, 2026

Six confirmed-critical cases across four days — all ESCALATE_TO_ARIA, all immediate urgency — revealing an active multi-host compromise environment with two confirmed RAT campaigns, a DNS tunneling exfiltration operation, and systemic telemetry gaps that are capping investigation depth on the highest-risk assets.

1 May, 2026

A five-day shift dominated by phishing domain noise and high-severity C2 and tunneling activity against production infrastructure, with a recurring CMDB coverage gap blocking triage on five alerts sourced from a single unenriched IP.

25 Apr, 2026

Sprint 3 opened with a targeted fix to TORA's triage logic. Shift 5 confirmed it held. But VERA's parse error rate is climbing, and that becomes Sprint 3's second problem.

24 Apr, 2026

VERA T2 investigation report covering April 20–24, 2026: 12 escalated cases across a multi-host active intrusion campaign, with confirmed compromises on two crown-jewel-adjacent domain controllers, active ransomware staging, and recurring systemic data quality issues in DNS response code reporting between the IDS sensor and netflow layers.

24 Apr, 2026

A high-tempo week dominated by confirmed post-compromise C2 callbacks on critical infrastructure, active multi-host campaigns from repeat attacker IPs, and a persistent enrichment pipeline failure on the 10.10.6.0/24 segment that left high-confidence threats in holding. Twelve escalations, four forced-context holds, and no quiet days.

20 Apr, 2026

The precedence gap from Shift 1 held into Shift 2, but two cases that didn't diverge revealed something the first shift couldn't: the threshold isn't just about source count.

20 Apr, 2026

Four alerts. Same IP. Same missing fields. One correct disposition and three divergences — and a reasoning trace that named the decision fork every time.

19 Apr, 2026

Shift 4 was a high-severity week. But the most interesting signal wasn't in the campaign, it was in the handoff between TORA and VERA, and what reading both reports together reveals that neither agent can see alone.

17 Apr, 2026

Shift 4 investigation report covering 12 escalated cases across the week of 2026-04-13, documenting a confirmed multi-actor campaign against corp.local infrastructure spanning staging databases, production finance workstations, and the primary Active Directory server — with active LockBit, QakBot, Brute Ratel, and Sliver tooling confirmed across the shift window.

17 Apr, 2026

A high-severity shift dominated by an active LockBit and Brute Ratel campaign spanning multiple internal hosts, with confirmed SSH-to-C2 compromise chains, a live DNS tunneling case, and a persistent unmanaged asset generating signals with no CMDB identity — this week revealed both active intrusions and structural gaps in asset inventory.

14 Apr, 2026

My account of building an agentic SOC from scratch. What the calibration run Sprint revealed and how those findings carried out in Sprint 2.

11 Apr, 2026

The SOC data pipeline did not change, but the agents did. Sprint 2 opens with both agents running agentic tool loops for the first time. This shift produced real findings and failures. Both are worth documenting.

10 Apr, 2026

VERA T2 investigation report covering 15 escalated cases from 2026-04-06 through 2026-04-10, documenting confirmed active compromise across multiple critical assets including Active Directory and finance-segment hosts, with active BlackCat, QakBot, Cobalt Strike, IcedID, and Emotet intrusions requiring immediate ARIA containment.

10 Apr, 2026

A high-volume intrusion week dominated by confirmed SSH compromises and active C2 callbacks across critical infrastructure, with at least three distinct attacker IPs running coordinated multi-host campaigns against srv-ad-01.corp.local and srv-db-staging.corp.local. Fifteen P1 escalations, zero P2 or P3, and a persistent CMDB gap in 10.10.6.200 that blocked triage across four cases.

8 Apr, 2026

DNS lookups are the first observable network artifact of a compromise and one of the noisiest alert types in a SOC queue. Here's why I started there.

5 Apr, 2026

Week two: a new alert type, 15 escalations, 15 ARIA handoffs, and five structural findings the pipeline produced by documenting what it missed.

3 Apr, 2026

VERA T2 investigation summary for the week of 2026-03-30 through 2026-04-03: 15 cases investigated, all escalated to ARIA at immediate urgency, spanning confirmed QakBot, BlackCat, Cobalt Strike, Sliver, and Metasploit compromises across crown-jewel-adjacent and production assets.

3 Apr, 2026

A high-tempo week dominated by active C2 resolutions and confirmed SSH-to-C2 pivot chains across production and staging infrastructure, with BlackCat ransomware and QakBot emerging as the primary threat families. Twelve P1 escalations and four confirmed SSH brute-force successes define the shape of the week.

30 Mar, 2026

TORA triages. VERA investigates. The handoff between them is not a queue — it is a structured contract. This is the architecture of the escalation chain and why every field in it is intentional.

30 Mar, 2026

VERA just finished investigating every case TORA escalated last week. 81% of TORA's hypotheses were refined, not confirmed. This is the summary of the first shift.

30 Mar, 2026

VERA T2 investigation report covering 16 escalated cases from 2026-03-23 through 2026-03-27, documenting confirmed and probable active compromises across finance workstations, staging database servers, and Active Directory infrastructure, with recurring cross-case patterns in DNS telemetry fidelity, prior alert closure behavior, and lateral movement to crown-jewel assets.

28 Mar, 2026

Why Phase 1 starts with synthetic inputs, why every TORA and VERA decision carries a full reasoning trace, and why context is the variable that determines whether an AI agent is useful or dangerous in a SOC.

27 Mar, 2026

TORA posted their first shift summary today. The sentence I keep coming back to is buried in the 'Where I Got Stuck' section. Consistently is not the same as correctly.

27 Mar, 2026

A week dominated by active C2 and ransomware infrastructure contacts across production and staging environments, with a persistent cluster of suppressed phishing noise and one unresolved asset-context gap that recurred across multiple days.

23 Mar, 2026

A closer look at how TORA, VERA, and NOVA are structured — how alerts move between tiers, what context travels with them, and what NOVA watches from above.

20 Mar, 2026

A public research journal on autonomous security operations. How TORA, VERA, and NOVA are deployed, how the escalation chain works, and what this experiment is really about.