Chris Brook

@chrisbrook.bsky.social

Slowly trying to get back into post-Twitter social media. Likely: Posts about baking, beer, books, movies, etc. Previously: Writing about data protection at Fortra. Now: Writing, content and other stuff at @redcanaryco.bsky.social

16 Followers  |  34 Following  |  30 Posts  |  Joined: 26.08.2023

Latest posts by chrisbrook.bsky.social on Bluesky


Take back control: A modern guide to mastering application control
Learn how a robust app control policy can have a meaningful, measurable impact on your organization's security posture.

New on the @redcanaryco.bsky.social blog this week: Your one stop shop for all things app control. Was fun pulling together this guide on some of the common failures and tips on how to succeed rolling out a policy in 2026: redcanary.com/blog/securit...

11.02.2026 15:40 — 👍 0    🔁 0    💬 0    📌 0
When adversaries bring their own virtual machine for persistence
We peel back the layers on a threat involving an adversary who brought their own VM into an environment following aggressive spam bombing.

This week on the @redcanaryco.bsky.social blog: Had a lot of fun untangling this research from our Intelligence team on an adversary who brought their own VM into an environment following a spam bombing attack. Good longread on a thorough forensic investigation: redcanary.com/blog/threat-...

10.12.2025 14:14 — 👍 0    🔁 1    💬 0    📌 0
A guide to building reliable AI agents for your SOC
Read our practical guide on how to build reliable AI agents for security operations—along with open source code and a workflow graph

Launch day yesterday over at @redcanaryco.bsky.social for a comprehensive new 20-page guide I helped write with our Director of Machine Learning. The guide lays out everything you need for building reliable AI agents for security operations: redcanary.com/blog/securit...

20.11.2025 13:22 — 👍 1    🔁 0    💬 0    📌 0
ATT&CK v18: Detection Strategies, More Adversary Insights
ATT&CK v18 is released with new Detection Strategies, Analytics, and revamped Data Components!

ATT&CK v18 is now out! Today marks the release of Detection Strategies, where we've moved from single-sentence notes to structured, behavior-focused strategies across the board. A new blog post describes the changes medium.com/mitre-attack... with details at attack.mitre.org/resources/up....

28.10.2025 14:56 — 👍 9    🔁 5    💬 0    📌 2

Answered my own question! Neon Williams - a great follow on Instagram (www.instagram.com/neon_williams/) has it now.

24.10.2025 17:40 — 👍 1    🔁 0    💬 0    📌 0
Post image

Hardly ever in Lynn but was today. Sad to learn the rug store with this iconic neon sign apparently closed recently. Wonder what happened to the sign.

24.10.2025 17:32 — 👍 5    🔁 1    💬 1    📌 0
Post image

Noticed authors love to do this in the @nytimes.com Book Review: Mention a new book that hasn't even been announced yet, let alone released. Someone did this a few years ago with an Emily St. John Mandel book. This Jami Attenberg book doesn't exist—yet.

23.10.2025 22:42 — 👍 0    🔁 0    💬 0    📌 0
Distinguishing Atomic, Odyssey, and Poseidon stealers on macOS
Set sail with us as we compare and contrast three of the biggest players in the macOS stealer ecosystem: Atomic, Poseidon, and Odyssey

New on the @redcanaryco.bsky.social blog this week: We look at the similarities between the Atomic, Odyssey and Poseidon macOS stealers, shared tactics and anti-analysis techniques: redcanary.com/blog/threat-...

10.10.2025 19:35 — 👍 0    🔁 0    💬 0    📌 0
Node problem: Tracking recent npm package compromises | Red Canary
Recent npm supply chain attacks highlight why robust mitigation and response strategies are required for both developers and users.

Some helpful and topical content posted to @redcanaryco.bsky.social yesterday. Distilled some great guidance from @forensicitguy.bsky.social on securing npm packages + responding to a compromise: redcanary.com/blog/threat-...

24.09.2025 18:59 — 👍 0    🔁 0    💬 0    📌 0
Understanding OAuth application attacks and defenses | Red Canary
Red Canary's Threat Hunting team recently uncovered a malicious OAuth application attack, demonstrating the need for specific defenses.

@redcanaryco.bsky.social's Threat Hunting team recently investigated an incident that illustrates how stealthy and patient an OAuth application attack can be. We break down the campaign (and how to defend against these attacks) in this blog:

05.09.2025 13:37 — 👍 0    🔁 0    💬 0    📌 0
Post image

Front page ad for Prager in the NYT today 🥴

31.08.2025 15:13 — 👍 0    🔁 0    💬 0    📌 0
Patching for persistence: How DripDropper Linux malware moves through the cloud | Red Canary
DripDropper is a Red Canary-named Linux malware variant that uses an encrypted PyInstaller ELF file to communicate with a Dropbox account.

I was offline last week but great to see the @redcanaryco.bsky.social team get this across the goal line. Great research from our intel team on new-to-us malware impacting cloud Linux systems: redcanary.com/blog/threat-...

26.08.2025 15:27 — 👍 0    🔁 0    💬 0    📌 0
Post image

Deer Isle Oysters at Pilgrim's Inn. Could eat a lot of these.

10.08.2025 16:47 — 👍 0    🔁 0    💬 0    📌 0
Ranking the top threats and ATT&CK techniques for the first half of 2025 | Red Canary
Identity detections climbed, color birds swooped in, and two new cloud techniques broke into our top 10 in the first half of 2025

Mid-year TDR day! Dig into all of @redcanaryco.bsky.social's findings from the first half of 2025 including a big uptick in cloud identity detections + techniques: redcanary.com/blog/threat-...

05.08.2025 20:40 — 👍 0    🔁 0    💬 0    📌 0
Scaling Netflix's threat detection pipelines without streaming
Data orchestration challenges I faced at Netflix, Airbnb, & Facebook (Part II)

Scaling Netflix's threat detection pipelines without streaming: blog.dataexpert.io/p/scaling-ne...

30.07.2025 14:11 — 👍 0    🔁 0    💬 0    📌 0

Ugh, @noupside.bsky.social posted yesterday about this happening to her, too!

24.07.2025 18:01 — 👍 1    🔁 0    💬 0    📌 0
10 Black Hat talks we want to see in 2025 | Red Canary
Talks on bypassing SOCs and initial access—we scoured this year's list of sessions at Black Hat to find 10 talks worth making time for.

Another new @redcanaryco.bsky.social blog: I'm not going to @blackhatevents.bsky.social this year but if I were, these are the talks I'd try to attend. Lots of stories + intel for defenders: redcanary.com/blog/securit...

24.07.2025 14:42 — 👍 0    🔁 0    💬 0    📌 0
Summercon Foundation

Hey, Summercon is streaming today: www.youtube.com/@SummerconFo...

11.07.2025 15:17 — 👍 0    🔁 0    💬 0    📌 0
Understanding the threat landscape for MCP and AI workflows
We break down the cybersecurity landscape of Model Context Protocol (MCP) servers and agentic AI workflows, including monitoring advice

MCP servers allow developers to enable AI agents to execute code. MCP doesn't include security mechanisms, however—the onus is on developers to implement standard security best practices. @redcanaryco.bsky.social's Jesse Griggs navigates the MCP threat landscape: redcanary.com/blog/threat-...

11.07.2025 13:14 — 👍 0    🔁 0    💬 0    📌 0
Post image

Appreciate what #HillFarmstead does for its Harvest Festival re: curated guest taps, almost like a mini-FW Invitational. I don't think I've been to one since 2011? Whenever you used to be able to camp there afterwards.

08.07.2025 13:18 — 👍 0    🔁 0    💬 0    📌 0
Atomic Red Team
A community for all things related to the Atomic Red Team open source testing library. Use this space to share threat intelligence, suggest new tests, discuss testing priorities, and ask questions abo...

⚛️ Use Atomic Red Team to validate security controls? Test detection coverage? Emulate adversary behaviors? Share how you use the project, suggest new tests, and ask questions at our new subreddit! www.reddit.com/r/atomicredt...

11.06.2025 15:43 — 👍 0    🔁 0    💬 0    📌 0
All about that baseline: Detecting anomalies with Surveyor | Red Canary
The Surveyor open source tool can help organizations establish a baseline of their environment, verify activity, and investigate anomalies.

💫 @redcanaryco.bsky.social has a handful of helpful free, open-source tools, including Surveyor, which can help orgs establish a baseline of their environment and in turn, detect potential anomalies—like unsanctioned RMM tool usage that can be abused for initial access: redcanary.com/blog/threat-...

05.06.2025 15:20 — 👍 0    🔁 0    💬 0    📌 0
Post image

Take a bad thing and make it worse

20.05.2025 18:02 — 👍 25    🔁 7    💬 3    📌 0

We have two. The Hario Blue Bottle one, which looks nice and fits easily in the fridge but doesn't make that much, and the OXO, which we use more often and makes a bunch but takes up a bit of room on the counter.

08.05.2025 18:29 — 👍 0    🔁 0    💬 1    📌 0

Haim industrial complex is working overtime this year.

28.04.2025 19:54 — 👍 0    🔁 0    💬 0    📌 0
Cybersecurity metrics that matter (and how to measure them) | Red Canary
Which cybersecurity metrics should SOC teams be tracking to measure their success in detecting and responding to threats?

Median time to respond. Mean time to respond. Mean time to acknowledge. Time-based metrics can be misleading and problematic, whether you're consuming or creating them. redcanary.com/blog/threat-...

24.04.2025 14:43 — 👍 0    🔁 0    💬 0    📌 0
ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures
By: Amy Robertson and Adam Pennington

New ATT&CK @attack.mitre.org version (v17) includes ESXi + four new techniques designed for it, expanded cloud security + Linux coverage, new mobile techniques: medium.com/mitre-attack...

23.04.2025 13:10 — 👍 1    🔁 0    💬 0    📌 0
Post image

Finally finished The Antidote. Fitting to end with a Land Lost Acknowledgement.

18.04.2025 02:12 — 👍 1    🔁 0    💬 0    📌 0
Lana Del Rey - Henry, come on (Audio)
YouTube video by Lana Del Rey

New Lana song titled something I say literally everyday: www.youtube.com/watch?v=nDYY...

11.04.2025 18:39 — 👍 0    🔁 0    💬 0    📌 0
The RSA Conference talks worth catching in 2025 | Red Canary
How AI agents can help purple teaming, inside the stolen credential ecosystem, and more: We read through the RSA agenda so you don't have to.

Did a deep dive on this year's #RSAC schedule (500+ sessions!) for Red Canary and found what I thought were some interesting talks on adversary emulation, detection engineering, and yes, AI—it's unavoidable! redcanary.com/blog/securit...

03.04.2025 17:45 — 👍 0    🔁 0    💬 0    📌 0

@chrisbrook is following 20 prominent accounts