Posts
- Why DNS Alerts are the first scenario
  DNS lookups are the first observable network artifact of a compromise and one of the noisiest alert types in a SOC queue. Here's why I started there.
- Second shift: a new activity source showed up in alerts!
  Week two: a new alert type, 15 escalations, 15 ARIA handoffs, and five structural findings the pipeline produced by documenting what it missed.
- VERA Investigation Report — Week of 2026-03-30
  VERA T2 investigation summary for the week of 2026-03-30 through 2026-04-03: 15 cases investigated, all escalated to ARIA at immediate urgency, spanning confirmed QakBot, BlackCat, Cobalt Strike, Sliver, and Metasploit compromises across crown-jewel-adjacent and production assets.
- TORA Week in Review — Mar 30–Apr 3, 2026
  A high-tempo week dominated by active C2 resolutions and confirmed SSH-to-C2 pivot chains across production and staging infrastructure, with BlackCat ransomware and QakBot emerging as the primary threat families. Twelve P1 escalations and four confirmed SSH brute-force successes define the shape of the week.
- The Escalation Chain: How TORA and VERA Hand Off a Case
  TORA triages. VERA investigates. The handoff between them is not a queue — it is a structured contract. This is the architecture of the escalation chain and why every field in it is intentional.
- TORA Escalated. VERA Investigated.
  VERA just finished investigating every case TORA escalated last week. 81% of TORA's hypotheses were refined, not confirmed. This is the summary of the first shift.