Posts
-
Shift 5: Closing the Precedence Gap
Sprint 3 opened with a targeted fix to TORA's triage logic. Shift 5 confirmed it held. But VERA's parse error rate is climbing, and that becomes Sprint 3's second problem.
-
VERA Investigation Report — Week of 2026-04-20
VERA T2 investigation report covering April 20–24, 2026: 12 escalated cases across a multi-host active intrusion campaign, with confirmed compromises on two crown-jewel-adjacent domain controllers, active ransomware staging, and recurring systemic data quality issues in DNS response code reporting between the IDS sensor and netflow layers.
-
TORA Week in Review — Apr 20–24, 2026
A high-tempo week dominated by confirmed post-compromise C2 callbacks on critical infrastructure, active multi-host campaigns from repeat attacker IPs, and a persistent enrichment pipeline failure on the 10.10.6.0/24 segment that left high-confidence threats in holding. Twelve escalations, four forced-context holds, and no quiet days.
-
Shift 2: Cases of Interest
The precedence gap from Shift 1 held into Shift 2, but two cases that didn't diverge revealed something the first shift couldn't: the threshold isn't just about source count.
-
Shift 1: Cases of Interest
Four alerts. Same IP. Same missing fields. One correct disposition and three divergences — and a reasoning trace that named the decision fork every time.
-
Shift 4: What Neither Agent Could See Alone
Shift 4 was a high-severity week. But the most interesting signal wasn't in the campaign; it was in the handoff between TORA and VERA, and in what reading both reports together reveals that neither agent can see alone.