The Case Files of Detective Aems: A Study in Digital Deduction
A Sherlock Holmes-style narrative tracking an email security incident, illustrating how artificial intelligence identifies and mitigates deceptive mail payloads.
Editorial & Strategy
Accuracy without B.S. Your audience deserves it.
I spent five years exposing vulnerabilities as a journalist before moving in-house to lead editorial strategy for Cortex and Unit 42. I don't just write about cybersecurity—I translate complex telemetry and product architecture into accessible narratives that help practitioners execute and CISOs make decisions.
Managing Editor @ Palo Alto Networks
Former Senior Reporter @ TechTarget
Sophos MTR Writer
Career Arc
The Strategic Path
Click on any chapter below to automatically explore works from that era.
Managing Editor, Cortex & Unit 42 @ Palo Alto Networks
2022 – Present
Directing editorial standards and strategy across threat intelligence and security operations portfolios. Co-authoring premium research and whitepapers while crafting narratives that make dry topics like email security and automation engaging and accessible.
View works from this eraEditorial Contractor @ Sophos
2021
Collaborated with the Managed Threat Response (MTR) squad to translate deep threat telemetry and day-to-day forensic incidents into high-pickup casebooks and investigative analyses.
View works from this eraSenior Cybersecurity Reporter @ TechTarget SearchSecurity
2015 – 2020
Exposing vulnerabilities, reporting on election security from DEF CON, covering major keynotes, interviewing security leaders, and producing acclaimed longform features on CISO stress and operational compliance.
View works from this era
Featured Pieces
Selected Highlights
A selection of featured projects spanning creative security narratives, forensic incident analysis, and deep-dive compliance reporting.
Nefilim Ransomware Attack Uses "Ghost" Credentials
Investigates a real-world intrusion where actors leveraged dormant and unmanaged service credentials to establish persistence. Significant press pickup.
How CISOs Deal with Cybersecurity Stress and Burnout
Acclaimed, longform feature detailing corporate security leadership mental health struggles, liability stress, and rapid job turnover.
Editorial Scope
Cortex & Unit 42 Leadership
As Managing Editor at Palo Alto Networks since 2022, I maintain narrative control and editorial quality across all marketing, research, and campaign deliverables.
My oversight spans technical blogs, co-authored research reports, whitepapers, campaign assets, and major keynote deliverables for RSA, Black Hat, and our internal Symphony conference.
Cortex XSIAM
AI-powered security operations platform transforming legacy SIEM infrastructures.
Cortex XDR
Industry-leading network, endpoint, and cloud detection and response ecosystem.
Agentix (XSOAR)
Orchestration, automation, and response models streamlining incident response cycles.
Cortex Xpanse
Attack surface discovery and management, mapping active exposures globally.
Unit 42 Services
Managed threat hunting, incident response, and active global threat intelligence feeds.
Cortex Cloud
Centralized cloud security analytics, asset tracking, and vulnerability compliance.
Get in Touch
Let's Connect
I'm exploring senior roles in content strategy, editorial leadership, and enterprise communications. If something here resonates, let's talk.
Archive Feed
Professional Work
Search and filter the complete archive of 87 threat reports, features, keynotes, and cybersecurity briefings.
Theme:
Publisher:
Articles Feed
Showing 12 of 87 piecesThe Case Files of Detective Aems: A Study in Digital Deduction
A Sherlock Holmes-style narrative tracking an email security incident, illustrating how artificial intelligence identifies and mitigates deceptive mail payloads.
An Ode to SOAR
A narrative limerick written for National Limerick Day that breaks down the concepts and workflows of Security Orchestration, Automation, and Response.
Building Resilient Security with Attack Surface Management
Explores how proactive discovery, detailed inventory, and active testing of internet-facing assets construct structural resilience in enterprise systems.
Tending to Your Attack Surface Garden
Uses a gardening metaphor to explain the dynamic nature of enterprise attack surfaces and the necessity of constant digital pruning.
2023 Unit 42 Attack Surface Threat Report
Co-authored global threat research analyzing scanning speeds and perimeter asset exposure, highlighting the speed at which threat groups target new CVEs.
2024 Unit 42 Incident Response Report
Co-authored major study translating incident response cases into actionable intelligence on credential reuse and rapid boundary scanning.
2022 Cortex Xpanse Attack Surface Threat Report
Detailing global corporate perimeter structures and exposures, charting the speed differences between malicious port scans and internal remediation efforts.
Your Security Future Demands a Fundamental Rethink
Strategic guide for enterprise architects detailing the structural bottlenecks of legacy SIEM setups and arguing for AI-driven data normalization.
What an Autonomous SOC Means for Security Analysts
Explores how automated alert ingestion and automated threat stitching reshape the career trajectories and operational workflows of security analysts.
The CXO Guide to Attack Surface Management
High-level roadmap showing corporate leaders how to discover, evaluate, and mitigate edge asset exposures across globally distributed entities.
Building Your Investment Thesis as CISO
A strategic framework helping security leaders justify security operations infrastructure upgrades to boardrooms and financial officers.
Executive Advisory: Agentic AI in Cybersecurity
A technical and operational guide breaking down how autonomous AI agents execute defense workflows and protect complex network layers.
SOC Analyst Career Guide
Provides analysts with a structured skill-mapping path to shift from manual alert triaging to automated engineering roles.
Upgrade Your SIEM Guide
A tactical migration blueprint mapping the operational steps required to transition security event logging to automated lakes.
Unifying Reactive and Proactive Cybersecurity
Details how merging threat hunting telemetry with external attack surface maps builds an integrated security perimeter.
Cortex Extended Data Lake Architecture
Breaks down the storage structure, ingestion pipelines, and search optimization of extended security data repositories.
AI Attacks Demand Better Vulnerability Management
Details the need for continuous exposure scans as attackers utilize AI tooling to identify and exploit software vulnerabilities.
Nefilim Ransomware Attack Uses "Ghost" Credentials
Investigates a real-world intrusion where actors leveraged dormant and unmanaged service credentials to establish persistence. Significant press pickup.
A Conti Ransomware Attack Day-by-Day
Broke down forensic telemetry into a detailed, chronological diary of a high-speed Conti infection, mapping actions from entry to encryption.
Installing MTR on the Run to Keep Up with Netwalker
A case study on deploying security telemetry mid-compromise to isolate system boundaries and arrest active Netwalker payloads.
MTR in Real-Time: Exchange ProxyLogon Edition
Tracks the live response operations of analysts intercepting active exploits targeting the ProxyLogon vulnerabilities in Microsoft Exchange.
Sophos MTR in Real Time: What is Astro Locker Team?
Identifies and details the tools, infrastructure, and double-extortion strategies of the Astro Locker ransomware group.
MTR Casebook: SolarWinds Orion Backdoor
Details the forensics behind a backdoor implant in a SolarWinds Orion server, using a hardboiled detective-style narrative framing.
Rachel Tobac: Social Engineering & Real-World 2FA
Explores how modern social engineering threat groups bypass static 2FA policies and why physical security keys are required.
Amanda Rousseau on Becoming a Security Researcher
Q&A regarding malware reverse-engineering careers, establishing technical niches, and presenting telemetry findings at major conferences.
Amanda Rousseau: Computer Forensics Realities
Discusses technical roadblocks in hardware and registry forensic analysis when actors employ anti-analysis techniques.
Philip Tully: The AI Cyberattack Arms Race
Predictive 2018 interview exploring the timeline for actors employing machine learning algorithms in automated attacks.
Philip Tully: Hardware Limits on Security AI
Details the financial and server overhead constraints preventing enterprises from building specialized local machine learning security models.
Mark Risher: Next-Gen 2FA as Game Changers
Google product lead details the transition of authentication structures from static SMS codes to hardware token integrations.
Mark Risher: Friction in Authentication Strategy
Explores user pushback, friction management, and corporate-wide enforcement strategies when rolling out robust MFA.
Jake Braun: Policy Aims of the Voting Village
Discusses the strategic policy targets and security disclosures coming out of DEF CON's voting machine hacking village.
Laura Noren: Data Science Ethics & HR Analytics
Ethicist discusses the boundaries of employee telemetry tracking, privacy frameworks, and algorithmic profiling in internal networks.
Chris Wysopal: Blockchain Marketing vs. Security Realities
Veracode co-founder cuts through blockchain marketing hype to analyze concrete, realistic use cases in software supply chain integrity.
Dave Kennedy: DerbyCon Growth and Administrative Stress
DerbyCon founder details the security community behavioral challenges and structural scale that led to ending the beloved conference.
Jules Okafor: Recruiting Gaps and Security Diversity
Details how structural hiring demands, degree requirements, and credentials reinforce the cybersecurity talent shortage.
Tim Mackey: Untangling Regulatory GDPR Fines
Explores compliance mechanics, developer requirements, and data storage liabilities under GDPR regulatory enforcement actions.
Kara Nance: Deep-Dive Into NSA's Ghidra Tool
Interview with the co-author of The Ghidra Book, discussing reverse-engineering methodologies using the NSA's open-source tool.
How CISOs Deal with Cybersecurity Stress and Burnout
Acclaimed, longform feature detailing corporate security leadership mental health struggles, liability stress, and rapid job turnover.
Cybersecurity Communication Key to Addressing Risk
Investigates the communication alignment gap between corporate boards and technical engineering teams.
Cybersecurity Budget Relies on Planning & Negotiation
Details the metrics and arguments security leaders must prepare to secure funding during flat enterprise cycles.
Inclusive Job Descriptions Key for Infosec Hiring
Examines how eliminating legacy credential constraints in HR postings helps solve recruiting bottlenecks.
Inclusivity: A Crucial Step Beyond Diversity in Infosec
Explores retaining talent from nontraditional backgrounds by building supportive internal engineering cultures.
Cybersecurity New Normal Needs Process Changes, CISOs Say
Broke down security posture transformations required as corporate boundaries dissolved during the sudden remote shift.
Security Team Analyzes Data Breach Costs for Better Metrics
Details how incident teams trace operational downtime, response overhead, and compliance liabilities to model breach exposure costs.
SASE Adoption Accelerating as Workforce Goes Remote
Details the structural transition from legacy VPN concentrates to Secure Access Service Edge perimeter models.
One Security Framework Key to Effectiveness
Examines how unifying corporate security under a single structural framework (NIST, ISO) reduces reporting conflicts.
Coronavirus Phishing Threats Force Heightened Awareness
Analyzes the flood of socially engineered pandemic lures targeting remote workers and strategies for user awareness.
4 Essential AI Security Concerns for Buyers and Vendors
Identifies key exposure vectors, model poisoning risks, data leakage issues, and compliance gaps when adopting ML tooling.
AI Security Alliance Urges Clarity for Tool Buyers
Explores industry initiatives to create clear benchmark metrics for buyers evaluating security tools featuring machine learning.
Experts Say CIA Triad Needs a DIE Model Upgrade
Argues that cloud-native structures require shifting focus from legacy confidentiality to Distributed, Immutable, Ephemeral (DIE) models.
Fighting PCI Non-Compliance with Zero Trust
Examines how microsegmentation and strict zero-trust boundary verification reduce PCI auditing scope and compliance liabilities.
Site-to-Site VPN Security Benefits & Risks
Breaks down security benefits, split-tunnel exposures, and routing risks in site-to-site VPN topology.
Troubleshooting VPN Session Timeout Issues
A diagnostic map helping administrators isolate routing timeouts, keep-alive failures, and server authentication drops.
Technical Controls to Prevent Spyware
Details endpoint configurations, privilege management, and user indicators required to block stealthy spyware payload executions.
The Operational Effects and Risks of Spyware
Explores system performance costs, credential extraction vectors, and data exfiltration patterns associated with spyware.
Security Differences: LAN vs. WAN Boundaries
Breaks down localized control structures, encryption demands, and trust levels separating LAN assets from WAN segments.
How to Send Secure Email Attachments
Evaluates encryption limitations, PDF password weaknesses, and modern transport-level security options for attachments.
Critical Infrastructure Interconnection Risks
Examines how merging legacy operational technology (OT) networks with corporate IT channels opens industrial controls to remote exploits.
Google Steering vs. Righting the Android Ship
Critical analysis of Google's security update strategies, arguing that platform feature shifts take priority over resolving fragmenting system code bases.
Are U.S. Hacker Indictments "Justice Theater"?
Argues that high-profile Department of Justice indictments of foreign state threat actors function primarily as diplomatic posturing rather than deterrents.
The Android Security Transparency Report
Evaluates Google's initial attempt to publish ecosystem patch ratios, calling it a tentative first step to address carrier-update latency.
Google's Android Security Rules: Unclear Enforcement
Examines Google's mandates forcing device manufacturers to deliver patches within fixed windows, detailing the absence of audit controls.
DHS Rhetoric Contradictions at DEF CON
Exposes conflicts between Department of Homeland Security public calls for election hacking help and their policy actions restricting vulnerabilities discovery.
Google I/O: Day One Security & Privacy Gaps
Highlights how initial developer keynotes glossed over platform security architectures in favor of machine learning models features.
Cybersecurity Pervasiveness Subsumes All Concerns
Discusses how security considerations have expanded beyond discrete IT parameters to govern overall corporate operational policies.
DerbyCon Conference: Unique and Troubling
Critical column examining the cultural and behavioral conflicts in mid-sized information security conferences.
Fearmongering Around Apple Face ID Launch
Cuts through initial alarmist media reactions to Face ID to detail actual mathematical security and biometric hashing models.
Project Treble: Faster Android Updates?
Evaluates the modular architecture of Project Treble, assessing if separating vendor implementation code speeds up OEM patch cycles.
Verizon DBIR 2017 Loses Global Contributors
Examines how political and data-sharing constraints reduced the geographical breadth of incident metrics in the 2017 DBIR.
Gathering Cybercrime Evidence is Difficult, DA Says
Analyzes jurisdictional boundaries, chain-of-custody gaps, and encryption hurdles law enforcement faces when prosecuting cybercriminals.
How FBI Investigations Handle Obfuscation Techniques
Examines how federal forensic squads intercept and decrypt actor communications, tracing server paths across international jurisdictions.
FBI: Cyber Investigations Match Physical Case Work
Outlines how investigators leverage traditional interviewing techniques, human assets, and patterns of life to unmask actors behind online handles.
Black Hat 2019: Software Teams Must Own Security
Detailed coverage of Dino Dai Zovi's call to integrate security controls directly into automated software development pipelines.
DerbyCon Closure: Attendees and Co-Founder Reflect
A retrospective exploring how host compliance liabilities, scale, and harassment reports forced the closure of DerbyCon.
DerbyCon: Cyber Attribution & False Flag Tactics
Covers technical discussions on how threat syndicates transplant metadata indicators to mislead forensics analysts.
Supply Chain Security Focus Hits RSAC 2019
Reports on rising industry alarm over third-party dependencies, open-source library integrity, and vendor access controls at RSAC.
Black Hat 2018: Parisa Tabriz Keynote Challenges Status Quo
Covers Google's "Security Princess" detailing the failure of reactive patching and arguing for structural fixes in memory-unsafe languages.
Infosec Mental Health Awareness Hits Black Hat 2018
Reports on industry initiatives addressing clinical depression, operational stress, and suicide rates among defensive security practitioners.
DEF CON: Election Systems Plague by 10-Year-Old Flaws
Covers critical hardware findings exposing how active US voting machines run outdated systems vulnerable to ancient privilege escalations.
Cybersecurity AI Hype Matures at RSAC 2018
Examines the shift from generic "machine learning" branding to practical, targeted anomaly detection models on the RSAC show floor.
RSAC Keynotes Push Teamwork, Incremental Fixes
Covers main-stage calls for collaborative intelligence sharing and building measurable, incremental hygiene habits rather than chasing magic tools.
Stamos Preaches Defensive Focus at Black Hat
Broke down Facebook CISO Alex Stamos' landmark address urging research circles to prioritize defensive engineering over zero-day glory.
Hacking Voting Machines Takes Center Stage at DEF CON
Covered the inaugural Voting Village where researchers compromised state-level election machines within hours of physical access.
DEF CON Hopes Hacking Disclosures Secure Elections
Examines if exposing physical voting hardware flaws prompts manufacturers and federal policy to mandate paper-audit backups.
RSAC 2017: Experts Debate National Policy Suggestions
Details policy conflicts regarding encryption backdoors, federal breach reporting, and international ransomware containment strategies.
Exec Order Plans Leave RSAC Experts Optimistic
Analyzes early optimism regarding executive orders mandating federal agencies adopt consolidated framework models.
2020 Election Security Faces 2016 Vulnerabilities
A deep look at structural election vulnerabilities, illustrating how delayed state funding and legacy OS architectures persist.