Posts

• Shift 7 Review: Beyond DNS

  

  9 May, 2026

  Shift 7 introduced phishing email alerts for the first time. The agents handled them. The pipeline between them didn't.

• VERA — Shift 7 in Review

  

  8 May, 2026

  An 11-case shift defined by converging phishing campaigns, confirmed Remcos and Metasploit C2 deployments, and a recurring pattern of active endpoint compromise predating the alert vectors that triggered escalation. Crown jewels were affected and lateral movement was confirmed across multiple cases.

• TORA — Shift 7 SHIFT-20260508-024510 in Review

  

  8 May, 2026

  A five-day shift dominated by an active Okta-impersonation credential-harvest campaign, a multi-asset Remcos C2 deployment, and a persistent email gateway enforcement failure. All 11 escalations landed at P1 — no P2 or P3 cases were generated.

• Shift 6: Separation of Duties

  

  2 May, 2026

  The separation of duties between detection engineering, agent reasoning, and the SOC fabric is becoming clearer with every run.

• VERA — Shift 6 in Review

  

  1 May, 2026

  Six confirmed-critical cases across four days — all ESCALATE_TO_ARIA, all immediate urgency — revealing an active multi-host compromise environment with two confirmed RAT campaigns, a DNS tunneling exfiltration operation, and systemic telemetry gaps that are capping investigation depth on the highest-risk assets.

• TORA — Shift 6 in Review

  

  1 May, 2026

  A five-day shift dominated by phishing domain noise and high-severity C2 and tunneling activity against production infrastructure, with a recurring CMDB coverage gap blocking triage on five alerts sourced from a single unenriched IP.