Field notes
Runtime verification, in the open.
Accurate, concise, and cited — on why detection guesses, how verification doesn’t, and what it takes to catch and stop real attacks on Linux infrastructure.
-
Why EDR false positives happen — and how to eliminate them
What Oxford, IDC, and IBM actually found about the false-positive problem — and why rule-based verification reaches a 0% rate by construction, not by tuning.
-
eBPF for security monitoring: a practical primer
What eBPF is, why it lets a <10 MB agent see every kernel event, and how it compares to kernel modules and userland hooks.
-
Detection, prevention, verification: a field guide
Three different questions about the same event — what each one can and cannot promise, and where they belong in a defense.
-
Containing ransomware in microseconds
Why detection-then-page loses the race, and how an on-host response terminates a mass-encryption process before it finishes the first file.