top of page


From Storm Signatures to Attack Signatures
I spent years reading atmospheric data for the anomaly that didn't belong. Finishing TryHackMe's Intro to Log Analysis room, I found the same instinct waiting in an Apache access log, just a different kind of storm. Here's what the room taught me about command-line triage, regex, attack signatures, and reading the story a log is telling.
15 hours ago5 min read
What I Found In A Zeek Dataset (And How I Found It)
Started with a raw Zeek log — no SIEM, no alerts. Uncovered a Mirai botnet within hours.
Found primary attacker via ICMP pings and 500K+ failed Telnet/SSH scans
Traced spread across four subnets
Confirmed second infected host and AWS C2 server
Result: Complete threat profile from raw data alone.
Jun 58 min read
bottom of page