The Attacks You'll Investigate. The Detections You'll Write. The Decisions You'll Defend.

When the Breach-Notification Clock Actually Starts (And Why Teams Miss the Deadline)

GDPR, NIS2, DORA, and the SEC all start the notification clock at awareness, classification, or materiality, not at resolution. Here is when each one triggers, why investigation-first teams blow the window, and how to build the clock into triage.

CMMC Level 1 vs Level 2: Do You Handle FCI or CUI?

The level you need comes down to one question: what kind of information your contracts involve. Here is how to tell whether you are Level 1 or Level 2, and what each one demands.

How Your CMMC SPRS Score Is Calculated (and What a Low One Costs You)

Your SPRS score is a number prime contractors check before they award you work. Here is how the NIST 800-171 scoring actually works, why it goes negative, and how to raise it.

Data Privacy Is a Governance Program, Not a Cookie Banner

A privacy notice and a cookie banner are the visible 10%. Here is the governance program underneath that GDPR, CCPA, and your enterprise customers actually check, and the documentation that proves it.

The Security Policies Every Organization Needs (and Why Templates Alone Fail)

A security program rests on its policy set. Here is the documentation hierarchy, the policy domains every organization needs, and why a folder of generic templates does not survive an audit.

Implementing the NIST CSF: From Six Functions to an Operating Program

The NIST Cybersecurity Framework is a framework, not a checklist. Here is how you turn the six functions into a current profile, a target profile, and a roadmap your leadership can fund.

CMMC Level 2: The Documentation That Actually Gets Assessed

CMMC Level 2 is won or lost on documentation, not tooling. Here is what an assessor actually checks: the SSP, the POA&M, the 110 controls, and your SPRS score.

Catch C2 Beaconing by Its Cadence in Sentinel and Splunk

IP and domain indicators expire within days. The interval a beacon sleeps on does not. Here is how to score connection cadence to surface C2 in Sentinel and Splunk, with the coefficient-of-variation thresholds that separate a beacon from your patch agent.

The EC2 Credential-Theft Detection Most Teams Ship Wrong

Alerting on AssumedRole from outside AWS buries you in SSO and automation noise. Here is the marker that isolates a stolen EC2 instance credential, and the read it gives you for free on IMDSv1 exposure.

Your Noisy Rule Has 200 False Positives a Day. Don't Suppress the Field That's Making Noise.

The fastest way to quiet a noisy detection rule is to exclude the field generating the noise. It's also the fastest way to cut a hole the attacker walks through. Here's how to tune by scoping to attacker behaviour instead.

KQL SigninLogs — The 10 Queries Every SOC Analyst Runs First

Ten KQL queries against SigninLogs that answer the questions SOC analysts actually ask during investigations. Copy-paste-ready with annotated output. The first 30 minutes of every identity investigation start here.

You Deployed 350 Detection Rules. Only 50 Fire Regularly. Are the Other 300 Working?

Most detection libraries are full of rules that have never fired. Silent rules aren't coverage. They're assumptions. Here's how to find your silent rules, triage them, and validate the ones that matter.

Vulnerability Exploitation Just Overtook Credential Theft as the #1 Breach Vector. But Is It Really This Bad?

DBIR 2026: 31% of breaches start with exploitation, credentials dropped to 13%. What this means for your detection priorities.

Credential Access Detection Beyond LSASS — The Five Techniques Your Rules Are Missing

LSASS dump detection is table stakes. Kerberoasting, DCSync, DPAPI abuse, SAM extraction, and token theft each need different KQL.

Is Your Detection Program Effective? And How Would You Know?

Most organizations can't prove their detection program works. Here's what effective looks like and the four numbers that prove it.

KQL Sign-In Log Analysis — What ResultType != 0 Actually Tells You

KQL sign-in log analysis: what ResultType values mean, how to detect password spray, MFA fatigue, and CA blocks in Sentinel.

Native Windows Forensic Commands for Incident Response — When You Have Nothing but the OS

Service Principal Ownership Is the Attack Path Nobody Governs

Owning a service principal means owning its permissions. Most tenants don't monitor SP ownership changes. Here's the detection gap.

You Can't Prove Your Security Program Exists. Here's How to Fix That This Month.

Most small companies have a security program in their heads but not on paper. RidgeGuard puts it on paper in a format auditors accept.

SOC 2 Readiness Without a $30K GRC Platform

You don't need Vanta or Drata to pass SOC 2. Here's the documentation-first approach that works without a $30K GRC platform.

Your Customer Just Asked About Your Security Program. Here's What to Send Them.

When a customer or auditor asks about your security program, you need five documents ready within 24 hours. Here's the list.

We Open-Sourced Our Incident Response Toolkit: 28 Use Cases, One Binary, Zero Install

VanGuard: open-source DFIR toolkit that replaces the 45-minute tooling scramble at incident start. 28 use cases, cross-platform.

How to Investigate an M365 Identity Compromise from Sign-in Logs to Containment

The sign-in log tells you how they got in. The audit log tells you what they did. Here's the sequence that turns both into a containment decision.

Five KQL Threat Hunts Every M365 SOC Should Run This Month

Your detection rules cover known patterns. These five KQL hunts find the attacker activity that bypasses every analytics rule in your library.

Your Security Questionnaire Process Is Losing You Deals

Most companies lose 2-3 weeks per questionnaire because documentation isn't ready. Here's how to turn response into a same-day operation.

The First 15 Minutes of a BEC Investigation Determine Everything That Follows

BEC investigation: the queries and evidence sources you check in the first 15 minutes determine whether you catch the attacker mid-operation.

Registered Isn't Compliant: The Conditional Access Gap Attackers Use After Token Theft

After an AiTM token theft, the attacker's next move is often to register their own device to your tenant. Here is how to detect the pivot in Entra ID.

Is Your Security Operation Just Merely a Compliance Operation?

Most security programs are compliance programs in disguise. Here's how to tell the difference and why it matters for your actual risk.

AI Won't Take Your Security Job. But Someone Who Uses AI Will.

Will AI replace SOC analysts? The answer is more uncomfortable than either side admits. Here's what actually changes and what doesn't.

How Attackers Pivot Through SSH Agent Forwarding — and How to Detect It

SSH agent forwarding becomes a lateral movement highway when a bastion host is compromised. Detection rules for auditd and Syslog.

The M365 Detections Microsoft Doesn't Give You

Microsoft ships 200+ Sentinel rule templates but leaves gaps in mailbox abuse, consent grants, and privilege escalation. Five rules to build.

Are Current SOCs Adequate for the Threats They Face?

Most SOCs were built for threats that no longer exist. Here's what a modern SOC capability looks like and the gaps most teams carry.

Five auditd Rules That Catch Kernel Module Rootkits Before They Load

Most Linux rootkits load as kernel modules. Five auditd rules that detect module loading, modification, and persistence techniques.

Is M365 Security All It's Hyped Up to Be?

An E5 license is not a security strategy. What M365 security actually delivers, what it doesn't, and the gaps you need to fill.