Detect
Telemetry architecture, triage logic, hypothesis-driven hunts, and detection-as-code patterns.
NOTES FROM A SECURITY PRACTITIONER
Technical notes, response playbooks, and the things I wish were written down before the incident started.
Where traditional containment breaks when software can reason, delegate, and act.
I keep this site for one reason: useful notes should not stay in private notebooks.
Everything here is written for people who detect, investigate, and contain real attacks. The material is opinionated, openly shared, and revised when experience proves it wrong.
Each collection connects principles to observable signals, concrete decisions, and reusable artifacts.
Telemetry architecture, triage logic, hypothesis-driven hunts, and detection-as-code patterns.
Roles, evidence standards, containment tradeoffs, recovery gates, and communications.
Threat models for agents, RAG, models, data pipelines, tool use, and human approval paths.
Prescriptive starting points with explicit assumptions. Adapt them to your environment, then validate them in tabletop exercises.
A structured practitioner guide to preparation, detection, triage, containment, eradication, recovery, and lessons learned.
Explore the framework ↗Decision points from first signal through recovery, with evidence-preservation gates.
Contain an agent or RAG workflow when untrusted content changes system behavior.
Scope sensitive output, trace retrieval paths, revoke access, and preserve telemetry.
Revoke sessions, validate persistence, and hunt downstream cloud activity.
LATEST · AI SECURITY · 8 MIN READ
Traditional containment assumes a system boundary. Agents blur it. A practical framework for scoping identity, memory, tools, and delegated actions when an AI workflow goes wrong.
Read field note →