Security research, written for defenders.
Threat models. Detection queries. Conditional Access policies. Playbooks. Built by people who study how attackers operate — published for the people defending against them. No paywall, no email gate.
Research bundles
Recently added
AiTM incident response — what to do when the alert fires at 2am
Step-by-step runbook for when an AiTM detection lights up. Revoke, reset, audit, clean persistence, pivot-hunt. Exact PowerShell included.
Conditional Access policies that actually break AiTM
Five Conditional Access policies, deployed in this order, make AiTM economically unviable against your tenant. Plus the rollout …
Sentinel detection — suspicious sign-in plus persistence action
The highest-fidelity detection in this bundle. Catches the chain: dodgy sign-in, then within 2 hours a forwarding rule, …
Sentinel detection — sign-in from a hosting ASN
Real users sign in from residential ISPs and corporate networks. Attackers replaying cookies sign in from rented VPS hosts. …
Sentinel detection — same session, two sources
When an attacker replays a stolen cookie, the same session ID shows up from two different IPs within …
AiTM phishing — what actually happens, and what breaks each step
The attack in plain English, mapped to ATT&CK, and which defensive control kills which step. Read this before …
Why we publish this
We work both sides of security. The same understanding that builds offensive tooling also writes detections that catch it. Closed defensive content gets cited zero times; open content gets adopted, audited, improved.
Everything here is free to read, copy, and adapt. If you need help deploying any of it in your environment — tuning detections, rolling out Conditional Access, designing IR for AiTM — we offer that too.