The 9 AM Call That Started the Audit
It is 9 AM on a Monday and the client’s CISO is on the bridge. Their Defender dashboard shows 1,847 enrolled Windows…

A manufacturing client called us on a Tuesday morning with a problem that didn’t add up. Their endpoint agent had flagged and quarantined a suspicious executable on three workstations. Good.…

Two Alerts, Forty-Five Noise Events, and a Missed Lateral Move
It is 2 AM and your SIEM fires 47 alerts in three minutes. Forty-five are false positives. The other two…

Last quarter, we facilitated a tabletop exercise for a financial services client. Their CISO was confident the IR team could handle a ransomware scenario. Forty-five minutes in, three participants couldn’t…

Two Addresses, Two Investigations
Your SIEM fires a high-severity alert at 3 AM. A workstation on the finance VLAN just made an outbound connection to an IP address flagged in…

During an incident response engagement last month, we traced a lateral movement chain (MITRE ATT&CK T1021.001) across a client’s hybrid environment—Azure VMs, on-prem file servers, and a forgotten AWS instance.…

The Night a DNS Admin Became a Domain Admin
It was 11 PM on a Tuesday when the SIEM flagged a credential harvesting alert on a domain controller. Someone had…

A Missed Event Log Cost a Client Their Domain Admin
Last year, a mid-size logistics company we manage came to us after discovering that a domain admin account had been…

Forty-Seven USB Drives Walk Into a Network
A financial services client called us on a Friday afternoon. Their DLP solution flagged 14 GB of data copied to a removable device,…

A Base64 String Is Not a Security Strategy
Last year we were brought in to assess a mid-sized fintech company’s Kubernetes environment after a failed compliance audit. Their security team…