FIG. 08 Field notes

Lessons from the SOC, written plainly.

A working journal from the IronCastle SOC and detection engineering teams. Incident write-ups (sanitised), threat intelligence we think you'd actually use, and the occasional opinion piece on the state of managed security for SMBs.

FEATURED · INCIDENT WRITE-UP · 18 MIN READ

The 6-minute compromise that took us nine days to find.

A logistics SMB. A finance manager's MFA fatigue. A token-stealer hidden in a fake Microsoft Authenticator update. Here's the full timeline, what our detection missed, what caught it, and what we shipped fleet-wide so it never happens to anyone else again.

By Mariana Reyes, VP Security Operations · 14 February 2026

9d · DWELL TIME BEFORE DETECTION

GUIDE

Does a 30-person company need a SOC?

What a security operations center actually does, what it costs to build versus buy, and how a small business gets 24/7 coverage without a million-dollar team.

12 Jun 2026 · 8 MIN

THREAT INTEL

Helldown ransomware — what we're seeing in APAC manufacturing.

A new ransomware family targeting OT-adjacent networks via Zyxel firewall CVEs. We've seen it three times in our fleet this month; all three contained pre-encryption.

09 Feb 2026 · 11 MIN

ENGINEERING

Why we moved 90 days of telemetry to ClickHouse.

From Elasticsearch to ClickHouse: a four-month migration that cut our query p95 from 11 seconds to 340ms while halving the storage bill. The trade-offs we made and the ones we didn't.

04 Feb 2026 · 14 MIN

OPINION

SMB security has a noise problem, not a tooling problem.

The average SMB IT lead is drowning in alerts from tools that were sold to them as solutions. A reset on what we should be measuring.

28 Jan 2026 · 9 MIN

INCIDENT WRITE-UP

BEC against an architectural firm — Sydney, December.

A spoofed director email, a $114,000 wire transfer, and the seven-second window where our detection scored the conversation as anomalous. Containment, recovery, and what changed in the runbook.

22 Jan 2026 · 16 MIN

CUSTOMER LETTER

What our customers asked us to ship in 2026.

Annual roadmap letter. The five things we're committing to ship publicly, the three we're not, and why.

14 Jan 2026 · 7 MIN

THREAT INTEL

OAuth grant abuse against Microsoft 365 — December trend.

A 4× increase in malicious OAuth consent grants targeting M365 tenants. The three permissions to watch, the policy switch most tenants haven't enabled, and a one-page response runbook.

09 Jan 2026 · 10 MIN

ENGINEERING

The case against scoring detections in real time.

Why our detection engine deliberately delays scoring by 30–90 seconds. A short essay on noise budgets, batch correlation, and the engineering value of patience.

02 Jan 2026 · 8 MIN

RELEASE NOTES

Q4 2025 release notes — 31 detections, 4 integrations, 2 nice things.

Everything we shipped to the platform in October–December, with the rationale and any backtest results worth noting.

22 Dec 2025 · 5 MIN

OPINION

"Just buy CrowdStrike" — a cautionary tale.

An EDR licence is not a security operations program. A long, friendly argument with a customer who almost left us, and what we both learned.

18 Dec 2025 · 11 MIN

INCIDENT WRITE-UP

Insider-risk pattern at a Dubai logistics firm.

A departing operations manager, two USB exfil events, and a polite conversation with HR. Sanitised but instructive.

11 Dec 2025 · 13 MIN

THREAT INTEL

Why "AI phishing" still mostly fails — for now.

A look at LLM-generated phishing in our fleet. Click-rates are up; conversion-to-compromise is flat. The actual rising threat is something else.

04 Dec 2025 · 9 MIN

CUSTOMER LETTER

On the price-lock — and why we're holding it.

Cloud costs are up 18% this year for us. We're absorbing it. Here's the reasoning and the maths.

27 Nov 2025 · 6 MIN

ENGINEERING

Building the owner's digest with a 1024-token budget.

How we prompt-engineered the weekly owner digest to stay calm, accurate, and 220-words-or-fewer. With examples and a couple of regrettable failures.

20 Nov 2025 · 12 MIN

INCIDENT WRITE-UP

Ransomware via a managed-services partner — November.

A customer's MSP got popped. Lateral movement attempted into our customer's environment. Caught in 11 minutes. The trust-boundary lessons.

13 Nov 2025 · 15 MIN

OPINION

The MSSP industry is broken. We're trying to be different.

A founder essay. The industry's incentive structures, why most managed-security engagements fail SMBs, and the specific bets we made differently.

06 Nov 2025 · 17 MIN

THREAT INTEL

Q3 fleet trends — the five shifts that matter for SMBs.

Quarterly intel digest. Identity attacks now account for 41% of our fleet's confirmed-malicious incidents. The full breakdown.

30 Oct 2025 · 14 MIN

INCIDENT WRITE-UP

The phone-call BEC that nearly worked.

A vishing call to a finance team, a near-wire, and the callback policy that saved $230k. With audio waveforms (sanitised).

23 Oct 2025 · 11 MIN

INCIDENT WRITE-UP

Drive-by JS supply-chain compromise on a regional ad-tech.

A third-party JS pixel got compromised. Our fleet caught the C2 beacon within 4 minutes. The vendor took six days to respond.

16 Oct 2025 · 10 MIN

A monthly letter from the SOC.

Six emails a quarter, on average. Field notes, threat intel digests, the occasional opinion piece. Read by ~7,400 SMB IT leads. Unsubscribe in one click.