#DFIR
#Tech_book
#Blue_Team_Techniques
"SIEM Use Case Engineering Playbook:
100 Detailed Use Cases for Rule Creation, Alert Design, Incident Grouping and SOC Response", 2026.
// A 2026 SIEM use case must be more than a single event trigger. It should describe a realistic threat scenario, identify the logs required, define the building blocks, state the rule logic, generate a useful alert, create an incident when evidence is strong and guide the analyst towards containment or closure
#MLSecOps
#Offensive_security
"DarkLLM: Learning Language-Driven Adversarial Attacks with Large Language Models", May 2026.
// DarkLLM not only unifies targeted, untargeted, segmentation, and multi-model attacks within a single framework, but also achieves flexible and controllable adversarial generation, enabling each instruction to produce a perturbation that induces desired behaviors across heterogeneous models
#tools
#exploit
#Kernel_Security
Linux Integrity Drift (LID):
Bypassing AppArmor via eBPF pathname rewriting. Pre-LSM syscall argument manipulation with zero audit footprint
https://github.com/azqzazq1/LID
// LID finds kernel code paths that bypass LSM hooks entirely - subsystems that perform security-sensitive operations without consulting the LSM framework. The security check is correct. The problem is that the kernel never asks
#Malware_analysis
1⃣ CrystalX: unpacking a Go RAT through three encrypted layers
https://www.derp.ca/research/crystalx-go-rat
2⃣ SHub Reaper (macOS Stealer)
https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain
3⃣ Benchmarking LLMs for malware triage and static unpacking with Malcat
https://malcat.fr/blog/benchmarking-llms-for-malware-triage-and-static-unpacking-with-malcat
#AIOps
#Research
#MLSecOps
"Hidden in Memory: Sleeper Memory Poisoning in LLM Agents", May 2026.
// LLMs are increasingly augmented with persistent memory, allowing assistants to store user-specific information across sessions for personalization and continuity. This statefulness introduces a new security risk: adversarial content can corrupt what an assistant remembers and thereby influence future interactions. We propose and study sleeper memory poisoning, a delayed attack in which an adversary manipulates external context, such as a document, webpage, or repository, to cause the assistant to store a fabricated memory about the user. Unlike conventional prompt injection, the attack can remain dormant and re-emerge across multiple later conversations
#Whitepaper
#Cloud_Security
"Identifying Security Vulnerabilities in Kubernetes Environments", Jan. 2026.
// This research aims to develop a practical methodology for identifying security misconfigurations in Kubernetes environments, across both Infrastructure-as-Code and live cluster states