Claude
Detecting Agentic Threats in Claude: Writing Rules on the Execution Layer
Detections for Claude on the execution layer: Sigma rules and a correlation runner that catch permission bypasses, rogue MCP servers, and more.
Claude
Detections for Claude on the execution layer: Sigma rules and a correlation runner that catch permission bypasses, rogue MCP servers, and more.
Claude
Gain visibility for Claude beyond the Compliance API. Using OpenTelemetry to get logs that include tool calls, MCP activity and file access.
Claude
Detections for Claude Enterprise built on Compliance API content: a prefilter and LLM judge that catch prompt injection, jailbreaks and data exfiltration.
Claude
In this post I show how to use Anthropic's Compliance API to stream Claude Enterprise audit events into your SIEM, and introduce claude-compliance-sdk, a Python SDK I built to make interacting with the API easier. Why bother? You don't need me to tell you
slack
This post builds on my previous article explaining how to export Slack DLP alerts using my export script, and also introduces a Python SDK for interacting with Slack DLP. Using these, I’ll show how we can go further by ingesting DLP logs into a SIEM and, finally, building a
slack
Slack’s audit logs don’t include enough context to investigate DLP detections. In this post, I show how to export the richer DLP details Slack displays in the admin console, and I use my slack-dlp-log-extractor script to do it via the DLP API. What is Slack
slack
In 2023 I wrote a blog post on how you can extract and use cookies from Slack to authenticate to the API, and it has become one of my most commonly viewed articles. Since then, Slack have changed a few things, and I've been doing some deeper digging
Tradecraft
In this post I explain how to use gopass to GPG encrypt and store your secrets locally, then integrate with direnv to decrypt and load your secrets to environment variables in your shell without exposing them in plaintext. In Part 1 of this Secrets Management series I showed you: * How
Slack Watchman
Did you know that Slack provides some surprising information about a workspace to unauthenticated callers? Slack Watchman knows, and in this post I’m going to show you the information you can enumerate from a workspace, and how you can use the ‘unauthenticated probe’ functionality of Slack Watchman to get
Lil Pwny
In this post I show how you can use some of the same tools that attackers use to generate a tailored custom password list to use with Lil Pwny, and find those risky passwords before they do. As the number of data breaches continue to rise, safeguarding your Active Directory
Lil Pwny
I'm excited to announce the release of Lil Pwny 3.2.0, featuring powerful new enhancements to the Active Directory password auditing tool. This update brings significant improvements and new features. Following NIST's recommendation in Section 5.1.1.2 of their Digital Identity Guidelines, Lil
Tradecraft
Many of my tools, such as GitLab Watchman, are designed to find secrets hardcoded or added as files to code repositories. Handling secrets this way is a bad idea for a number of reasons, but the main issue is that it leaves them open to being exposed. In this post,