SecOps Archives - CardinalOps

The Detection Engineering Breaking Point

For years, security operations leaders have been pushing a simple but powerful idea: shift detection engineering left. Treat detections as code, manage them through lifecycle processes, map to adversary behaviors, then continuously tune, validate, and

Beyond SIEM: Building a Detection-First Security Data Architecture

Traditional SIEM architectures are under increasing strain as modern environments generate massive volumes of security telemetry from cloud, SaaS, containerized workloads, and identity systems. As data volumes grow, organizations face rising SIEM costs and operational

How to Prevent and Fix SIEM Rule Failures

Our blog recently outlined the top 10 reasons why rules silently fail, drawing on extensive analysis of SIEM rules in diverse enterprise environments. Check out five of the top 10 causes in part one, and

Bash and Switch: Hijacking via Windows Subsystem for Linux

Windows Subsystem for Linux (WSL) is a feature in Windows that allows users to run a real Linux user space directly inside Windows, without needing a virtual machine or dual-boot setup. This feature is commonly

MCP Defaults Will Betray You: The Hidden Dangers of Remote Deployment

The Model Context Protocol (MCP) enables seamless integration between large language models (LLMs) and external tools. It powers agent-driven workflows in platforms like Claude Desktop and GitHub Copilot. Typically, developers use MCP servers to expose

Polymorphic AI Malware: A Real-World POC and Detection Walkthrough

What Is Polymorphic AI Malware? Polymorphic AI malware refers to a new class of malicious software. It leverages artificial intelligence models, such as GPT-based language models, to dynamically generate, obfuscate, or modify its own code

The Analyst Who Cried Malware: Rethinking False Positives and Alert Fatigue

False positives aren’t just annoying. They’re corrosive. Every unnecessary alert chips away at the analyst’s attention span. Every poorly designed rule teaches the SOC to distrust its own tools. Every noisy detection makes it harder

Closing the Gaps in Linux Auditing & Detection Strategies

Linux systems are often overlooked when setting up security auditing and threat detection strategies. The main reason is that Linux auditing is far less explored by the security community than Windows auditing. A survey done

CardinalOps Solution Brief: Detection Posture Management

CardinalOps Detection Posture Management automates detection engineering processes and continuously expands your MITRE ATT&CK coverage, ensuring you detect the threats that matter most.

SANS Webinar Highlights — Detection, Meet Prevention: Enriching Defenses with MITRE Mitigations

During the SANS Spring Cyber Solutions Fest’s Detection & Response track, Jay Lillie, CardinalOps VP of Customer Success, and Dr. Anton Chuvakin, Advisor to the Google Office of the CISO, discussed ways to improve SOC

Detection, Evasion, and the Pursuit of Immutable Artifacts

You’re probably familiar with the classic thought experiment: If a tree falls in a forest and no one is around to hear it, does it make a sound? In cybersecurity, we can ask a similar

Monitoring Granular SOC Metrics: Peak Network Traffic and Initial User Logins

When considering KPIs for your SOC, mean time to detect, contain, and remediate (MTTR, MTTC, and MTTR); incident and alert volumes; and false positive rates get most of the attention. Regularly monitoring these higher-level metrics