Kostas
kostastsale.bsky.social
We’ve added Cisco Secure Endpoint to the EDR-Comparison.com platform!

Cisco shows strength in prevention, indicator alerting, and response automation, with solid investigation visuals and well-documented APIs that integrate easily into broader security stacks. It’s a platform that leans more...
December 12, 2025 at 4:26 PM
This report from Bleeping is crazy. You can't make this stuff up! 😂

www.bleepingcomputer.com/news/securit...
December 6, 2025 at 4:27 AM
Heads-up on CVE-2025-55182: a CVSS 10.0 pre-auth RCE affecting React Server Components 19.x. Can be triggered through malicious HTTP payloads, so there will be chaos when a POC comes out.

On that note...there are many fake POCs circulating. Be careful what you run. A POC is not available yet.
December 4, 2025 at 7:44 AM
🚨 Big day for DetectionStream. One of our largest releases yet.

The platform now supports official pySigma validation fully in-browser, compiled to WebAssembly. Same validation as sigma-cli. Thanks to @sifex from detection.studio for the inspiration behind the implementation.

Here’s what we added:👇
December 2, 2025 at 2:30 PM
Roadmap update: the first milestone is done. The Interactive Comparison Interface now has its core engine in place. Good progress for week one, and more updates are coming along with more EDR vendors!
November 26, 2025 at 3:25 PM
I'm reviving Teletracker. Missed working on it and it deserved a second life.

It is way more useful for investigations. Drop in a bot token from malware and see threat actor comms directly from a clean web interface.

Demo video attached. Let me know your thoughts!
November 20, 2025 at 9:14 PM
As I was looking for malware (like you do on a quiet Friday afternoon 😂) I found a classic fake “your system is infected” page. After the fake scan, the Renew Now button goes straight to Avast through an affiliate link🤣🤣

TAs doing a 180, selling AV to get their commission LOL
November 14, 2025 at 8:40 PM
Just in: DoorDash breached…

“unauthorized third party gaining access to and taking certain user contact information…but may have included first and last name, phone number, email address and physical address”

Next paragraph:

“No sensitive information was accessed”

🤦‍♂️
November 13, 2025 at 9:22 PM
This was us today, this is what I'm talking about. He always has to stop and wait for me to catch up 😂
November 10, 2025 at 12:09 AM
🍁🍂 Winter rides are 🔥
November 9, 2025 at 12:31 AM
It’s been just 1 week since launch and 150+ people have registered, shared feedback & competed on the leaderboard! Huge motivation to keep building 💪

More challenges next week and with a FREE training module coming up!!

Appreciate the support!!🙏

🔗detectionstream.com/sigma/training/gamified
November 8, 2025 at 6:50 PM
Linux is finally getting some love 🐧

CrowdStrike now covers service + driver + user events, a big win for investigators tracking system-level activity.

In our testing, we only use system-level operations and ignore indirect events.

Details edr-telemetry.com/linux
November 6, 2025 at 10:18 PM
This is the coolest coin I’ve ever received. Huge props to @Defcon604 for everything they do for the Vancouver community. Was awesome presenting to a packed room of 50+ folks, great energy and engagement all around. 🔥
November 4, 2025 at 7:43 PM
📢 DetectionStream quick update.

The Sigma Training Platform is almost ready. I’m planning to launch it next week with 10+ challenges you can dive into right away.

Each challenge is designed to help you:
➡️ Practice Sigma rule creation
➡️ Understand detection logic fundamentals...👇
November 1, 2025 at 12:32 AM
A normal InfoSec Friday be like... 😂
November 1, 2025 at 12:01 AM
Padvish EDR becomes the 21st addition to the EDR Telemetry Comparison 🔥

Love seeing emerging vendors push this level of real-time telemetry, solid visibility through ETW, AMSI, and mini-filters.

Transparency like this helps move the whole industry forward.

Results: www.edr-telemetry.com/windows
October 15, 2025 at 2:31 PM
Detection Stream Update: Two highly requested features just went live 🚀

1. Deep Links: share specific rules via #rule_id or full YAML
2. Download Rules: export all rules matching your filters (gzip)
3. Added "Create rules with AI" functionality for both Yara and Nova frameworks ... continue👇
October 14, 2025 at 6:54 PM
I built this tool for myself. Shared a preview here a few days ago… and wow. Didn’t expect such a strong response. Thanks everyone who reached out 🙏

Because of that energy, I pushed harder and:
➡️ Polished the Sigma experience, now with Nova integrated
➡️ Built two playgrounds for hands-on learning
September 30, 2025 at 2:31 PM
I've built this platform for myself to quickly search and create detection rules. Considering that we (the DE community) have amazing platforms like Sigconverter (sigconverter.io) and Detection.fyi (detection.fyi), would anyone find value in having FREE access to this all-in-one platform?
September 27, 2025 at 12:55 AM
The EDR Telemetry Project revealed what EDRs can see.

➛ Now, we show how they compare.

Coming soon!
September 25, 2025 at 5:17 PM
There is still time to register: dfirlabs.thedfirreport.com/dfirchallenge
September 23, 2025 at 6:23 PM
🆕 EDR-telemetry Project Update - Windows

The Windows table just got an update with 3 new sub-categories:

➡️ VSS Deletion
➡️ Win32 API Telemetry
➡️ JA3/JA3s

Coverage isn’t uniform, and some are pending response from the vendors. That’s fine. I’d rather show the uncertainty than pretend otherwise.
September 17, 2025 at 2:31 PM
Every pixel of this graphic is a lie. It insults the people actually fighting threats daily and rewards the companies that can’t even catch a cold. Absolute cancer for the industry… Pay up or get shoved in the ‘loser’ box. Embarrassing trash.
September 5, 2025 at 3:24 PM
Creating Images for our next DFIR Labs has never been easier thanks to Google Gemini 😂

New Lab is dropping 🔜
August 29, 2025 at 10:45 PM
Here is a cool Linux technique: www.trellix.com/blogs/resear...

Execution isn’t coming from a binary or a script. It’s coming from the filename itself.

Here’s how it works:
➡️ Attacker crafts a malicious filename with embedded logic.
➡️ Normal system enumeration commands (ls, cat, find) interact
August 26, 2025 at 2:31 PM