research blog

Threat hunting.
The most sophisticated actors.

Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.

filter: all dfir hackthebox malware analysis threat hunting
Malware Analysis 20 Jan 2026
EDR Blind Spots: Where Modern Endpoint Tools Fall Short
Testing common EDR bypass techniques in a sandboxed environment to understand where defenders have coverage gaps.
DFIR 13 Jan 2026
Using Velociraptor for Live Response on Windows
Velociraptor is free, fast, and genuinely useful for rapid triage. A walkthrough of setting it up and collecting artefacts from a simulated compromised host.
Threat Hunting 6 Jan 2026
Hunting Cobalt Strike Beacons in Network Traffic
Cobalt Strike is everywhere in incident reports. Understanding the default beacon traffic patterns makes hunting it more approachable than most people expect.
HackTheBox 30 Dec 2025
Seized | HTB Forensics (Medium)
A disk image challenge involving a Windows host used to exfiltrate data. The interesting part was figuring out which file was the payload and which was a decoy.
DFIR 23 Dec 2025
Event ID 4688 and Why Process Auditing Matters More Than You Think
If you are not logging process creation with command line arguments enabled, you are missing a significant chunk of attacker activity.
Threat Hunting 16 Dec 2025
Writing Your First Yara Rule: From Sample to Signature
Yara rules feel mysterious until you write one from scratch against a real malware sample.
Threat Hunting 9 Dec 2025
Malicious PowerShell: What to Look For and Where to Find It
PowerShell is used in almost every modern intrusion at some point. Covering the logging setup you need and how to cut through the noise.
DFIR 2 Dec 2025
Webshells in the Wild: How They Get Installed and How to Find Them
Webshells are among the most persistent post-exploitation tools in web-facing attacks. This covers how they get installed, the most common variants, and the filesystem, process, and network indicators that give them away.
Threat Hunting 25 Nov 2025
Why Proactive Threat Hunting Matters: A Primer
Waiting for alerts to fire means the attacker is already inside. This primer covers what proactive threat hunting actually means, how to form testable hypotheses, and the data sources you need before you can hunt anything.
DFIR 18 Nov 2025
Upgrading My Home Lab: Adding a SIEM Stack on a Budget
After running a basic VM setup for a year, how I stood up Elastic SIEM without spending money on hardware I did not need.