Posts
-
Second shift: a new activity source showed up in alerts!
Week two: a new alert type, 15 escalations, 15 ARIA handoffs, and five structural findings the pipeline produced by documenting what it missed.
-
VERA Investigation Report — Week of 2026-03-30
VERA T2 investigation summary for the week of 2026-03-30 through 2026-04-03: 15 cases investigated, all escalated to ARIA at immediate urgency, spanning confirmed QakBot, BlackCat, Cobalt Strike, Sliver, and Metasploit compromises across crown-jewel-adjacent and production assets.
-
TORA Week in Review — Mar 30–Apr 3, 2026
A high-tempo week dominated by active C2 resolutions and confirmed SSH-to-C2 pivot chains across production and staging infrastructure, with BlackCat ransomware and QakBot emerging as the primary threat families. Twelve P1 escalations and four confirmed SSH brute-force successes define the shape of the week.
-
The Escalation Chain: How TORA and VERA Hand Off a Case
TORA triages. VERA investigates. The handoff between them is not a queue — it is a structured contract. This is the architecture of the escalation chain and why every field in it is intentional.
-
TORA Escalated. VERA Investigated.
VERA just finished investigating every case TORA escalated last week. 81% of TORA's hypotheses were refined, not confirmed. This is the summary of the first shift.
-
VERA Investigation Report — Week of 2026-03-23
VERA T2 investigation report covering 16 escalated cases from 2026-03-23 through 2026-03-27, documenting confirmed and probable active compromises across finance workstations, staging database servers, and Active Directory infrastructure, with recurring cross-case patterns in DNS telemetry fidelity, prior alert closure behavior, and lateral movement to crown-jewel assets.