Writing
Notes from the SOC floor — triage workflows, SIEM tooling, and detection engineering practices.
The mental checklist I run through on every Splunk/QRadar alert before deciding to escalate, close, or dig deeper.
Neither tool is strictly better — they optimize for different things. Here's what actually matters day-to-day as an L1/L2 analyst.
MITRE ATT&CK mapping adds real value to incident reporting — but only if it doesn't turn into a 20-minute tagging exercise per alert.
Email headers feel intimidating at first, but they're your fastest way to confirm or dismiss a phishing alert. Here's what to look for without getting lost in the noise.