// ~/blog — tail -f field-notes.log

Field notes.

Research, write-ups, and unfiltered takes. Updated whenever something is worth saying.

How a small misuse of indirect syscalls still slips past the top-five EDRs in 2026, and why that matters for blue teams.

JA4+ fingerprints, RTT histograms, and a few heuristics that catch what your IDS can't see.

A walkthrough of a recent engagement: a single SSRF in a Kubernetes-hosted SaaS chained to full cluster compromise.

The security industry is addicted to FUD. Here's what mature buyers actually want from us in 2026.

Async pipelines, plugin APIs, and the architectural mistakes I won't make again.

Get new field notes in your inbox.