Blog
Notes on detection engineering and threat hunting, drawn from building and running detection at the FBI, CrowdStrike, and Expel. Start with the manifesto.
Detection Engineering
February 2025 (updated 2026)
Why 75% of Security Teams Struggle with Detection Management
The hidden crisis in security operations, and how the AI era is reshaping detection management at scale.

Detection Engineering
December 2024 (updated 2026)
From Spreadsheets to Systems
How security teams are transforming detection management from manual spreadsheets to automated, version-controlled systems.

Threat Hunting
January 28, 2019 (updated 2026)
Threat Hunting on Endpoint Data with Sysmon
A practical guide to setting up Sysmon, Elasticsearch, and Kibana and hunting for attackers in Windows endpoint data.

Threat Hunting
November 2, 2018 (updated 2026)
An Overview of Windows Process Behavior and Why It Matters
An overview of Windows process behavior and process ancestry, and why they matter for threat detection and hunting.