Christopher Glyer

@cglyer

Followers
24K
Following
917
Media
518
Statuses
4K

Microsoft Threat Intelligence Center - Former Incident Responder & Chief Security Architect @Mandiant

Joined July 2009
@cglyer
Christopher Glyer
5 years
After more than a decade - today is my last day @FireEye. Taking a job @Mandiant was one of the best decisions I've ever made & I wanted to share some of the stories & experiences of what it was like as well as recognize some of the people that helped me learn and grow.
@cglyer
Christopher Glyer
20 minutes
MSTIC blog on SharePoint exploitation. At least 3 actors exploiting CVE-2025-49706 & CVE-2025-49704 as early as July 7: Linen Typhoon, Violet Typhoon, Storm-2603 (CN-based actor deployed Warlock & Lockbit ransomware in past - current motivation unknown).
microsoft.com
Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed...
@cglyer
Christopher Glyer
12 hours
RT @MsftSecIntel: Update: Microsoft has released security updates that fully protect customers using all supported versions of SharePoint a…
@cglyer
Christopher Glyer
7 days
RT @HackingLZ: Speakeasy is still one of my favorite tools. I needed a quick way to validate keying techniques on some C payloads and wha…
github.com
Windows kernel and user mode emulation. Contribute to mandiant/speakeasy development by creating an account on GitHub.
@cglyer
Christopher Glyer
9 days
RT @reprise_99: New in the Defender XDR advanced hunting platform, GraphApiAuditEvents - any blue team, threat hunter or those working on d…
@cglyer
Christopher Glyer
9 days
RT @RGB_Lights: Wow. Spain is putting salt typhoon out of business. They are just going to hand it all to them: Huawei contracted to man…
therecord.media
Huawei will manage and store judicially authorized wiretaps in Spain, under a contract that bucks the trend of Western governments restricting use of the Chinese tech company's products and services.
@cglyer
Christopher Glyer
11 days
RT @arekfurt: Well. that's one way to address the threat of the PRC hacking into your infrastructure to steal your wiretap intercepts. I…
@cglyer
Christopher Glyer
11 days
RT @fs0c131y: Google Threat Intelligence Group published technical documentation on UNC6040, a financially motivated threat cluster special…
@cglyer
Christopher Glyer
12 days
RT @RidT: Fun little experiment: are LLMs trained on leaked but still classified data? (And/or good at retrieving knowledge from those leak…
@cglyer
Christopher Glyer
13 days
RT @Sysinternals: We've released Procmon for Linux, Sysmon for Linux, and SysinternalsEBPF with Azure Linux 3.0 support! Get the tools at…
techcommunity.microsoft.com
Procmon 2.1 for Linux Sysmon 1.4 for Linux SysinternalsEBPF 1.5 This release includes Azure Linux 3.0 support across Procmon for Linux, Sysmon for Linux and...
@cglyer
Christopher Glyer
13 days
I take it that Grok’s latest training round included the playing cards from Cards Against Humanity
@cglyer
Christopher Glyer
15 days
RT @JohnLaTwC: Creating on-the-fly graphs with #Kusto is nice via make-graph, but what if Kusto could natively handle graphs as a data sour…
azure.microsoft.com
Subscribe to Microsoft Azure today for service updates, all in one place. Check out the new Cloud Platform roadmap to see our latest product plans.
@cglyer
Christopher Glyer
16 days
Turns out…they were right
@cglyer
Christopher Glyer
16 days
I was skeptical - not because they weren’t a capable team - just that when an IR starts victims often spiral on theories about the attacker. I can’t tell you how many victims think that an insider must be involved b/c “there’s no way an attacker can know our network this well!”
@cglyer
Christopher Glyer
16 days
I remember starting the incident referenced in the blog - and security staff thought Heartbleed was the root cause from the minute we showed up on-site (yes things were very different in incident response in 2014).
@cglyer
Christopher Glyer
16 days
When Heartbleed was released in 2014 - public focus was on likelihood that an attacker could obtain private key from memory of a web server. What no one (publicly) discussed/realized was that given enough requests - attacker could obtain session token from a remote access device.
@cglyer
Christopher Glyer
16 days
I think CitrixBleed vuln is being exploited at a higher rate than I’ve seen discussed publicly. B/c it leaks data from memory it’s harder to directly tie exploitation to follow on activity. Reminder: I documented first session replay impact of Heartbleed.
cloud.google.com
Mandiant investigates where a threat actor leveraged the Heartbleed vulnerability in a SSL VPN concentrator to remotely access a client's environment.
@cglyer
Christopher Glyer
16 days
In theory MDR vendors are best positioned to drive progress. Combination of alerts + follow on investigative data to evaluate effectiveness of AI agents side by side w/human's currently performing tasks. I'm dubious. Is COGs reduction enough to justify cost? Will it reduce COGs?
@cglyer
Christopher Glyer
16 days
Most enterprise intrusions that I’ve analyzed in my career have had alerts generated by some security product along the way. The issue/blocker has been figuring out which ones to get in front of a human to realize importance/significance to mobilize action by an org to mitigate.
@cglyer
Christopher Glyer
16 days
The challenge that will develop for security vendors will be. Their detection engines will turn into a COGs discussion (or at least each net new detection has the potential to massively drive up COGs). How much can I detect at what price?
@cglyer
Christopher Glyer
16 days
In parallel we’ll see security vendors (those that are still innovating at least) start to build AI & mini-investigations into their detection engines. This should help with TP/FP tradeoff that occurs w/detection logic as it exists today & improve quality of detections/severity.