Research
Research areas
Work organized by category rather than by where it was published — each area pulls from publications, talks, open-source contributions, and blog posts alike.
Threat Hunting
Proactive investigation into attacker behavior across endpoints, identity, and cloud telemetry — hunting for what signature-based tools miss.
Microsoft Security Blog — Author Profile
My author profile and full archive of security research articles on the official Microsoft Security Blog.
Photo ZIP Campaign Targeting the Hospitality Industry Delivers a Node.js Implant for Persistent Access
Analysis of an active multi-stage intrusion campaign targeting the hospitality industry across Europe and Asia — photo-themed ZIP lures, obfuscated PowerShell, a Node.js implant, dual registry persistence, and C2 over non-standard ports, including "authentication laundering" through trusted services.
When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply Chain Compromise
A technical breakdown of a supply chain compromise affecting the EmEditor update mechanism, covering the attack path, detection opportunities, and defensive recommendations.
CyberLab Con 2026
Conference session — see the event schedule for the confirmed talk title, abstract, and time slot.
LOLAI Project — Pull Request #5
Contribution to the LOLAI project, an open-source effort cataloguing living-off-the-land techniques relevant to AI systems and tooling.
LOLAI Project — Pull Request #6
Follow-up contribution to the LOLAI project, extending the project's catalogue of AI-relevant living-off-the-land entries.
Detection-Rules
A personal, curated collection of detection rules for threat hunting and detection engineering, written for common detection surfaces and query languages.
LOLBAS (Fork)
Fork of the Living Off The Land Binaries and Scripts (LOLBAS) project, used to track and contribute to community research on abusable native binaries.
Leveraging Honeypots for Enhanced Cybersecurity: A Quick Overview
How deception technology and honeypots can surface attacker activity early, generate high-signal detections, and enrich threat intelligence.
How to Use Cloud Audit Logging for Threat Hunting in GCP
A practical walkthrough of using Google Cloud audit logs to hunt for suspicious activity and build cloud-native detections in GCP environments.
DGA Domain Detection with Shannon Entropy Analysis
Using Shannon entropy to flag algorithmically generated (DGA) domains and turn the technique into a repeatable detection for C2 infrastructure.
The Power of Correlation: Strengthening Security with DLP and Threat Hunting in Splunk
Correlating DLP signals with threat-hunting queries in Splunk to catch data exfiltration that either source would miss on its own.
Unleashing the Power of Threat Hunting and Threat Intelligence
A foundational guide to threat hunting and threat intelligence — how they reinforce each other and a path for getting started in the field.
Sigma Rule: Potential Vcruntime140 DLL Sideloading
Reported a detection gap to the SigmaHQ project (issue #5825) that led to a merged Sigma rule detecting vcruntime140.dll side-loading — shipped in the Sigma April 2026 release.
Microsoft Defender Experts Disrupt Jasper Sleet's Insider Access Campaign
Co-authored Microsoft Security Experts analysis of how Defender Experts detected and disrupted Jasper Sleet — a North Korea-nexus actor operating as a remote IT worker inside a live enterprise tenant — through proactive behavioral threat hunting.
The Future of Threat Hunting: The Hunter is Dead, Long Live the Engineer
Published author in the Black Hills Information Security (BHIS) InfoSec Survival Guide (Teal Book) on threat hunting — distributed in hard copy at the Antisyphon Threat Hunting Summit.
Shadow Payroll, Digital Ghosts: Detecting Remote Doppelgangers in Enterprise Tenants
International conference talk on insider-threat research into DPRK (Jasper Sleet) remote IT workers — using behavioral threat hunting to detect fraudulent remote employees embedded inside enterprise tenants.
Active Exploitation Hunt — CVE-2025-30406
Microsoft Defender Experts (DEX) threat hunt into in-the-wild exploitation of CVE-2025-30406 (CVSS 9.8), an unauthenticated RCE in Gladinet CentreStack and Triofox driven by a hardcoded cryptographic key. Tracked hands-on-keyboard intrusion, backdoor persistence, and post-exploitation activity following the vendor patch (Apr 3, 2025) and CISA KEV listing (Apr 8, 2025) — turning findings into deployable detections. Internal customer hunt report; not publicly published.
Detection Engineering
Turning one-off findings into durable, high-fidelity detections — KQL, Sigma, and YARA logic built to survive contact with production noise.
AI Security
How adversaries abuse AI systems and tooling, and how living-off-the-land thinking extends into AI-adjacent attack surfaces.
Cloud Security
Detection and defense across Azure and AWS — identity abuse, misconfiguration, and cloud-native attack paths.
HSM-as-a-Service: Use Cases, Considerations, and Best Practices
Contributor and reviewer on the Cloud Security Alliance Cloud Key Management working-group publication covering the HSM-as-a-Service delivery model, security considerations, and vendor selection.
Key Management Lifecycle Best Practices
Contributor and reviewer on the Cloud Security Alliance publication detailing best practices across each phase of the cryptographic key management lifecycle.
Want everything in one list instead? See Public Work →