Blog
Cybersecurity Insights, Incident Write-ups, Tooling Deep-Dives und Erfahrungen aus dem operativen Betrieb.
RoguePlanet: The Fourth Defender Zero-Day, and Why the Patch Is Not the End of It
CVE-2026-50656 is patched, but the fix ships as an engine update, not a Patch Tuesday KB. What RoguePlanet does, how it rhymes with BlueHammer, and the retrospective hunt and patch validation blue teams still owe themselves.
The Classic-Agent Blind Spot: Detecting Non-Human Identities in Microsoft Sentinel
Microsoft Entra Agent ID secures the agents you build tomorrow. The service principals and managed identities you already run - the classic agents - are a different story. Two KQL detections, the diagnostic switch nobody flips, and what to do this week.
Wiring Microsoft Security Exposure Management Into Sentinel - Triage with Asset Criticality and Attack-Path Context
MSEM gives Sentinel something it never had: asset criticality and attack-path context per entity. Architecture, KQL patterns for incident enrichment, and the entity-matching pitfalls that quietly break them.
BlueHammer: A Defender's Perspective on the Unpatched Windows LPE
What we know about the BlueHammer zero-day, where the public exploit chain is fragile, and what blue teams can actually do today.
From Azure Sentinel Log Analytics Workspace to Data Lake - Why Now Is the Right Time
The Sentinel Data Lake Tier changes the cost equation for high-volume security logging. Architecture, migration playbook, KQL examples, and the pitfalls nobody warns you about.
LLM Hardening in Practice - What Actually Secures Agent Deployments
A technical deep-dive into securing LLM-based agent deployments against prompt injection, data exfiltration, and tool abuse. Based on real-world hardening of OpenClaw-based systems.
Building Heimdall - A Threat Intelligence MCP Server From Scratch
How I built a FastMCP-based threat intelligence toolset that integrates VirusTotal, AbuseIPDB, Shodan, and MITRE ATT&CK mapping. The messy reality of building security tools, including the bugs.