Golden Ticket & Silver Ticket Attacks
Golden Ticket and Silver Ticket attacks are still effective because attackers exploit misconfigurations, not vulnerabilities. Learn how these Kerberos forgeries work and how to detect them.
Practical writing from real IR work: proactive hardening, reactive response, and everything in between. No vendor angles, no theoretical frameworks.
Pass-the-Hash still works in 2026 because NTLM is still enabled by default. Here's how to disable it and stop lateral movement attacks.
Three tiers, a Control Plane, and real organizational friction. How to implement EAM in an enterprise that wasn't designed for it: the Tier 0 assets people miss, the things that break, and why it's worth doing anyway.
A PowerShell GUI tool for delegating AD helpdesk tasks without granting Domain Admin privileges. Solve password resets and account management securely.
Kerberoasting exploits TGS ticket requests for SPN accounts. Learn how attackers crack service account passwords offline and what you can do to stop it.
How to run BloodHound proactively, write Cypher queries that surface real risk, and turn graph data into a remediation backlog your team can actually work through.
Threat actor eviction from Active Directory is one of the hardest IR problems. The decisions made in the first 48 hours determine whether you succeed, or give the attacker a way back.
AD Connect sync, Pass-Through Authentication, seamless SSO: each one is a bridge that can be crossed the wrong way. Most defenders don't know they exist until an incident reveals them.
Built-in AD mechanisms designed to protect privileged accounts, routinely misconfigured, occasionally abused, and almost always misunderstood.
4624, 4768, 4769, 4771, 4776, and about a dozen others. A practical guide to the Windows event logs that reveal Kerberoasting, AS-REP roasting, lateral movement, and DCSync in progress.
A walk-through of a real intrusion pattern: credential theft, lateral movement, Kerberoasting, and DCSync. Sanitized, but this is what it actually looks like from the IR side.
Privileged access management without the enterprise price tag. What actually works, in plain terms, with implementation notes from real deployments.
Conditional Access is powerful and frequently misconfigured. The policies worth enabling, the gaps that leave accounts exposed, and how to test without locking yourself out.