Welcome to Issue #4 of the Security Engineering Newsletter.

Want to sponsor this newsletter? Hit me up!

SecOps Alert Enrichment: Part 2 - Tor Exit Nodes

The second post in my SecOps Alert Enrichment series is about correlating source IPs in alerts with Tor exit nodes. The premise of this series is that, although many SecOps teams have implemented basic alert enrichment, I submit that there are a lot of other niche, high-value enrichment use cases that teams out there may have not considered yet.

Methods for Finding Threat Signals - Greg Lesnewich @ NetNoiseCon

Greg Lesnewich gave a talk about the different ways to find anomalies within your data that indicate maliciousness. I felt like I took a lot away from it and highly recommend checking it out. Here is a brief overview of the methods described in Greg's talk:

  • Amplification – take a distinct example of malicious activity and try to create a more broad detection from it
  • Filtering – filter down benign/irrelevant signals to create a distinct detection (opposite of amplification)
  • Layering – layer multiple weak signals on top of each other
  • Hashing – hash some parts of a file/artifact together and then search for it at scale


pyinfra automates infrastructure using Python. It’s fast and scales from one server to thousands. Great for ad-hoc command execution, service deployment, configuration management and more.

Remind you of Ansible? Here is a talk that I found by Daryl Tester from PyCon AU 2023 that goes over how pyinfra differs from Ansible. Although the project is not new, it is the first I am hearing of it and will definitely be trying this out at some point.

bruno - Opensource IDE For Exploring and Testing APIs

It's been my experience that the prevailing desktop API platforms out there have way too many features and suffer from heavy enshittification and price gouging. If that has been your experience too, you should check this out.

Bruno is an open-source desktop/CLI/IDE API platform available on Mac, Windows, and Linux. You can use git or any version control of your choice to collaborate with your team over your API collections.

The DFIR Report: From IcedID to Dagon Locker Ransomware in 29 Days

A new DFIR report dropped! The DFIR Report will always be one of my top information security resources. Reading their reports provide so much perspective on where to place coverage and craft detection rules, whether you are a Windows shop or not.

Software Supply Chain Threats

A primer on software supply chain threats put together by SLSA ("supply chain levels for software artifacts" or just "salsa"). The page includes real-world examples of threats and how the SLSA framework helps against those threats.

‎The Cybersecurity Defenders Podcast: #121 - Intel Chat: Albatross leak, Cerber ransomware, UAT4356 & MITRE compromised on Apple Podcasts
‎Show The Cybersecurity Defenders Podcast, Ep #121 - Intel Chat: Albatross leak, Cerber ransomware, UAT4356 & MITRE compromised - May 1, 2024
‎Risky Business: Risky Business #746 – Microsoft takes your security seriously* on Apple Podcasts
‎Show Risky Business, Ep Risky Business #746 – Microsoft takes your security seriously* - Apr 30, 2024
‎The Future of Security Operations: Afni’s Brent Deterding on deploying MFA for 10,000 employees and becoming “the Happy CISO” on Apple Podcasts
‎Show The Future of Security Operations, Ep Afni’s Brent Deterding on deploying MFA for 10,000 employees and becoming “the Happy CISO” - Apr 30, 2024
‎Soft Skills Engineering: Episode 406: Acquired taste and limited mentorship on Apple Podcasts
‎Show Soft Skills Engineering, Ep Episode 406: Acquired taste and limited mentorship - Apr 29, 2024

Rumor that OpenAI is stealth-testing GPT-4.5 or GPT-5 on LMSYS

Earlier this week, a model called gpt2-chatbot became available on AI user-benchmarking site LMSYS. The author asserts that the performance of gpt2-chatbot and the lack of general information about it may be a cover for OpenAI stealth-testing one of its new models on the site. I did a few tests on Monday with the model and was thoroughly impressed in line with the author. However, I wasn't able to test as much as I would like since it quickly became rate-limited as the news proliferated.

Hacking Detergent DRM - Bob Cassette Rewinder

This guy who reverse engineered his tiny dishwasher is my hero. Put this on my list of a million other things that I want to try.


Security Operations Engineer 1 @ Jamf

Senior Security Operations Engineer (Azure) @ Jamf

Security Engineer, Threat Detection @ Stripe

Senior Security Engineer, Corporate Security @ Gitlab


Thank you for reading this week's issue, and see you next week! If you have any feedback, hit me up!