Manoj  ·  Writing

Notes & long-form

Writing on detection, response, and the hunt.

Shorter posts and field notes live here. Deeper write-ups — full DFIR walk-throughs, hunt case studies — go on InsightLayer.


2026 · May

Detecting Defender AV passive mode at scale

A real compliance gap on a Windows Server estate, the KQL that closed it, and the in~ trap that nearly hid the problem. With a Logic App at the end so the detection actually does something.

Detection Eng
2026 · Apr

Threat hunting beyond IOCs

"Go look for evil" doesn't scale. Here is the hypothesis-driven loop I've been running since eCTHPv2, what makes a hypothesis worth chasing, and how to know when you're done.

Threat Hunting