Claude
Detecting Agentic Threats in Claude: Writing Rules on the Execution Layer
Detections for Claude on the execution layer: Sigma rules and a correlation runner that catch permission bypasses, rogue MCP servers, and more.
Claude
Detections for Claude on the execution layer: Sigma rules and a correlation runner that catch permission bypasses, rogue MCP servers, and more.
Claude
Gain visibility for Claude beyond the Compliance API. Using OpenTelemetry to get logs that include tool calls, MCP activity and file access.
Claude
Detections for Claude Enterprise built on Compliance API content: a prefilter and LLM judge that catch prompt injection, jailbreaks and data exfiltration.
slack
Slack’s audit logs don’t include enough context to investigate DLP detections. In this post, I show how to export the richer DLP details Slack displays in the admin console, and I use my slack-dlp-log-extractor script to do it via the DLP API. What is Slack
Tradecraft
In this post I explain how to use gopass to GPG encrypt and store your secrets locally, then integrate with direnv to decrypt and load your secrets to environment variables in your shell without exposing them in plaintext. In Part 1 of this Secrets Management series I showed you: * How
Slack Watchman
Did you know that Slack provides some surprising information about a workspace to unauthenticated callers? Slack Watchman knows, and in this post I’m going to show you the information you can enumerate from a workspace, and how you can use the ‘unauthenticated probe’ functionality of Slack Watchman to get
Lil Pwny
In this post I show how you can use some of the same tools that attackers use to generate a tailored custom password list to use with Lil Pwny, and find those risky passwords before they do. As the number of data breaches continue to rise, safeguarding your Active Directory
Tradecraft
Many of my tools, such as GitLab Watchman, are designed to find secrets hardcoded or added as files to code repositories. Handling secrets this way is a bad idea for a number of reasons, but the main issue is that it leaves them open to being exposed. In this post,
Tradecraft
This post has been updated in December 2025 to account for changes to Slack authentication since it was originally written. Slack, like many other services, uses cookies to store authentication and session information. What is interesting with Slack, however, is that one particular cookie can be used to generate a
Tradecraft
It seems strange to talk about normal right now considering that, at the time of writing, a lot of the world is under quarantine. Yet in security, normal is something that is important to know. When creating alerts or analysing logs, you want to be notified when something is not