Real-world security work: incident response, detection engineering, threat intelligence, and the tools that make it all possible.
How I cut false positives 25% and per-incident analysis time 35% across a 250+ incident year, without buying anything new.
How we moved a 1,300-domain portfolio to 98%+ authentication alignment, dropped spoofing incidents 60%, and what almost broke the plan.
What got automated, what didn't, and why the decision boundary mattered more than the code.
Domain purchase, DNS, Workspace provisioning, warmup, monitoring. Six disconnected workflows collapsed into one platform.
Building 60+ analyst tools on Cloudflare Workers, deciding which tools earn the front door, and why most of them are wrappers around the same triage workflow.
How /threatintel publishes case studies without a human in the loop, and the two layers of IOC validation that make that safe.
Live CTI surface at /threatintel. It correlates indicators across 18 free IOC feeds so I can tell whether a flagged IP is consensus-malicious or one source crying wolf. The live stream gives each indicator a reporter handle and a freshness badge, so I know which feeds are actually publishing today. There's a Gantt of which ransomware groups are posting right now, with MITRE Group profiles linked inline. Victim re-leak detection catches the cases where one company shows up under two different groups in the same year, which usually means a failed double-extortion or an affiliate moving shop. Everything that can be exported is exported as STIX 2.1 so it drops straight into MISP or a SIEM.
The interactive side of the same site, at /dfir. The piece I use the most is the IOC checker. Paste anything (IP, domain, URL, hash, CVE), and it fans out to about two dozen providers over SSE so the verdicts stream back as they arrive. VirusTotal, AbuseIPDB, OTX, GreyNoise, the abuse.ch trio, and a long tail of free reputation lists. Around that sits a Diamond Model builder that auto-fills its corners from whatever indicator you hand it, a STIX 2.1 viewer with an interactive relationship graph, subdomain-takeover fingerprinting, JWT inspection, IDN homograph detection, the MITRE ATT&CK matrix, and a small knowledge base I write to whenever I learn something the hard way. Edge-hosted, free, no signup.
An autonomous investigator agent at /dfir/agent. Describe what to investigate in natural language — the agent classifies the query type, plans which of 30+ intelligence tools to call, executes them in parallel, observes results, and repeats for up to 8 reasoning steps before synthesizing a structured intelligence report. Built on a Cloudflare Durable Object for stateful multi-step execution with alarm-driven scheduling, the same pattern used by the report builder. LLM planning via Groq (primary) with Workers AI fallback. Real-time progress streamed to the frontend via SSE.
A small Python CLI that takes the messy stuff (JSON campaign blobs, CSV IOC dumps from wherever) and emits a clean STIX 2.1 bundle on the other side. Containerized, runs as non-root (UID 1000), strict-mode entrypoint, 38 pytest tests because I got bitten once by a silent parse failure that made it through review. Plugs into this site at /threatintel/actors and /api/v1/cti/parse.
MCP server exposing 20 DFIR and threat intelligence tools for AI agents — IOC checking, CVE lookup, threat actor enrichment, phishing analysis, and more. Built on Cloudflare Workers with streaming SSE support. Works with Claude Desktop, Cursor, and any MCP-compatible client.
AI coding assistant skills for Digital Forensics and Incident Response — investigation workflows, threat report generation, detection rule authoring. Compatible with Claude Code, Cursor, and GitHub Copilot/Codex. Source lives locally at /agent/dfir-ai-skills.