Posts

• VERA Investigation Report — Week of 2026-04-13

  

  17 Apr, 2026

  Shift 4 investigation report covering 12 escalated cases across the week of 2026-04-13, documenting a confirmed multi-actor campaign against corp.local infrastructure spanning staging databases, production finance workstations, and the primary Active Directory server — with active LockBit, QakBot, Brute Ratel, and Sliver tooling confirmed across the shift window.

• TORA Week in Review — Apr 13–17, 2026

  

  17 Apr, 2026

  A high-severity shift dominated by an active LockBit and Brute Ratel campaign spanning multiple internal hosts, with confirmed SSH-to-C2 compromise chains, a live DNS tunneling case, and a persistent unmanaged asset generating signals with no CMDB identity — this week revealed both active intrusions and structural gaps in asset inventory.

• My Approach to Agentic AI Implementation

  

  14 Apr, 2026

  My account of building an agentic SOC from scratch. What the calibration run Sprint revealed and how those findings carried out in Sprint 2.

• Third shift: calibration run is over, reasoning starts now

  

  11 Apr, 2026

  The SOC data pipeline did not change, but the agents did. Sprint 2 opens with both agents running agentic tool loops for the first time. This shift produced real findings and failures. Both are worth documenting.

• VERA Investigation Report — Week of 2026-04-06

  

  10 Apr, 2026

  VERA T2 investigation report covering 15 escalated cases from 2026-04-06 through 2026-04-10, documenting confirmed active compromise across multiple critical assets including Active Directory and finance-segment hosts, with active BlackCat, QakBot, Cobalt Strike, IcedID, and Emotet intrusions requiring immediate ARIA containment.

• TORA Week in Review — Apr 6–10, 2026

  

  10 Apr, 2026

  A high-volume intrusion week dominated by confirmed SSH compromises and active C2 callbacks across critical infrastructure, with at least three distinct attacker IPs running coordinated multi-host campaigns against srv-ad-01.corp.local and srv-db-staging.corp.local. Fifteen P1 escalations, zero P2 or P3, and a persistent CMDB gap in 10.10.6.200 that blocked triage across four cases.