Bhavin Patel @hackpsy

Is this the end of Security Detections MCP? No. But it is the point where it stops being "just a tool" and becomes something bigger. With v3.2.2: You now have a hosted detection intelligence system your AI can use instantly. What changed: • 🌐 Website is LIVE → detect.michaelhaag.org • ⚡ Hosted MCP → no setup, just a token + URL • 🧠 8,200+ detections across 6 platforms • 🎯 Coverage vs 172 ATT&CK threat actors You can now ask: 👉 "What’s our ransomware coverage?" …and your AI can answer across: Sigma Splunk Elastic KQL Sublime CrowdStrike Two modes now: Local (full power) → 81 tools → your own detection repos → full pipelines Hosted (NEW) → zero setup → ~25 tools → always synced → 200 free calls/day This is still fully open source: github.com/MHaggis/Securi… npm npmjs.com/package/securi… Pulse MCP pulsemcp.com/servers/mhaggi… If MCP 3.0 was about: "we can automate detection engineering" This is: "we can make it accessible to anyone with AI" youtu.be/QjtVY7nGslc

📦 I just released Security-Detections MCP - a way to let LLMs reason over real detection content, not just the internet. This isn’t "AI writes detections for you." It’s: • Threat report in • Coverage + gaps out • Grounded in actual rules (KQL, SPL, Sigma, internal content) The MCP indexes your detection corpus and exposes it in a way LLMs can query, compare, validate, and explain. What this enables: • Faster detection validation • Identifying blind spots before adversaries do • Structured markdown reports you can actually act on • Humans stay in control — AI becomes the force multiplier Repo ➡️ github.com/MHaggis/Securi… 👇Video walkthrough 👇 youtu.be/i9_sZAp8qfI If you’re doing detection engineering, threat hunting, or maintaining a large rule set - this changes how fast you can move. More coming. This is just the start.

⚡The team killed it on this end of the year release of ESCU 5.19! I'm so grateful to work with such talented and passionate people. @nas_bench, @raven_tait, @bareiss_patrick, @hackpsy, @rodsoto, @tccontre18, Lou Stella Release: github.com/splunk/securit… Key highlights: 🐚 React2Shell (CVE-2025-55182) 👾 Tuoni C2 Framework 🔐 Kerberos Coercion with DNS (CVE-2025-33073) 📦 NPM Supply Chain Compromise (Shai-Hulud) 🖥️ NetSupport RMM Abuse 🤖 Suspicious Local LLM Frameworks (Shadow AI) 🔥 Cisco ASA Activity Plus: New macros, lookups, and shoutouts to external contributors jakeenea51 & DipsyTipsy for their search logic enhancements!

More sysadmins need to know this… User logon restrictions are free. Create a GPO and call it “DC Logon Restrictions - Domain Admins Only” Configure User Rights Assignment for DA accounts to log on locally on domain controllers and deny log on locally on end-user workstations.

Never underestimate a properly caffeinated user and a little PowerShell knowledge ☕🔑😆

Your Fall Reminder to always Hunt Naked. gist.github.com/MHaggis/66dd0b…

Lua day. Someone has to be the reminder lol

@madhuakula @ciliumproject @kubernetesio @CloudNativeFdn @madhuakula - this is an awesome resource! Thanks for putting this out there!

🥳 Woah! we got a new #Kubernetes Goat 🐐 scenario on @ciliumproject Tetragon for eBPF-based runtime #security monitoring, detection & enforcement 🚀 🔥Try it out yourself at madhuakula.com/kubernetes-goa… 🌟 Give a start if you like github.com/madhuakula/kub… #CNCF #Hacking #Community

Isn’t it amazing that some of the best research and tools, is literally free because of some passionate skilled people devote their time to sharing?! 🙏🙌💪

The Haag™ @M_haggis

10 months ago

🔥💻 New tool drop! Meet MSIXBuilder 🎁 — the ultimate MSIX package creator for security testing, red team ops, and detection engineering! ✨ Features that slap: ⚡ One-click package builds (C# or PowerShell) 🔐 Auto cert creation + signing 🖥️ Sleek GUI w/ progress tracking &

keyboard_arrow_left Previous keyboard_arrow_right Next

5 37 170 21K 143

[New Blog 📚] The Fragile Balance: Assumptions, Tuning, and Telemetry Limits In Detection Engineering If you ever struggle with false positives and the idea of tuning detections. This is for you. Read More - nasbench.medium.com/the-fragile-ba…

Picture Paints a Thousand "Codes": STRT analyzed a Quasar RAT campaign using image steganography to hide payloads inside harmless-looking images. 🔍 In our latest blog: How it works Key TTPs Detection for #Splunk & #Cisco NTDR Read: splunk.com/en_us/blog/sec… #int3 Demo tool:

LOLRMM.io now tracks over 290 RMMs, with new ones being added regularly. These tools provide legitimate functionality but are frequently repurposed by attackers. Read here: buff.ly/oNbWfa6 If you're not using them in your setup, why allow them to run? Block them with MagicSword.io and prevent abuse before it starts. #CyberSecurity #LOLRMM #MagicSword #RMM #ThreatHunting #DefendForward

So I was deep in my webshell era this week 🧙‍♂️🕸️💻 and—plot twist—I totally got owned... by myself 😂 Naturally, I pulled the classic move: Did I read the source? Nope. Did I run it anyway? YOLO 🪂💥 Next thing I know, it casually goes full ninja mode and drops: cmd.exe ➡️ c:\windows\temp\kiss.exe 💋 👀 I’m staring at logs thinking, “I’VE BEEN HACKED.” Cue full-on investigator mode 🕵️‍♂️🔍 BUT WAIT—my security group is locked down tighter than my childhood trauma 😅🚪🔐 So... WHO DID THIS?! /🫨 PANIC 🫨 Spoiler: it was me. It was always me. 👈😔 Moral of the story: When playing with random malware/webshells/etc., maybe—just maybe—read the source first? 📜👓➡️🧠 Before it turns into 🪦💀💻

🚨 NEW BLOG DROP 🚨 A little late to the CitrixBleed party… But still REALLY worth your time 🧠💥 💻 CitrixBleed (CVE‑2025‑5777) 🩸 Memory exposure ➡️ token hijacking 🛡️ Detection + mitigation tips inside! 👉 Read it now: splunk.com/en_us/blog/sec… ⸻ 🔍 What you’ll learn: •🚔 Detection tactics: from NetScaler logs to anomaly patterns 👀 •🛠️ Mitigation moves: patches, session resets, and layered defenses 🧱 Give it a read!

🚀 Happy to share my latest blog on @splunk: "Unlocking Endpoint Network Security Insights with Cisco Network Visibility Module (NVM) and Splunk" 🔗 Check it out here - splunk.com/en_us/blog/sec… In this post, I walk through how Cisco Network Visibility Module (NVM) works, the type of telemetry it generates and how to bring endpoint network telemetry to Splunk via the CESA TA. You can think of Cisco NVM as a Sysmon Event ID 3 on steroids, adding an insane amount of context to flow packets (child and parent process info, http method, loaded modules, etc.), It also provides process hierarchy logs allowing us to build process trees from processes that generate network traffic, as well as Osquery data on installed browser extensions, interfaces and OS information We leveraged this telemetry to build 14 new detections that surface suspicious activity directly from the endpoint’s network layer as well as mapped 16 previously written CIM detections to NVM data. 🔍Check out the "Cisco Network Visibility Module Analytics" Analytic Story here - research.splunk.com/stories/cisco_… Huge thanks to the Cisco NVM team for the help to bring this project to life. If you're using Cisco and Splunk, this is a great way to get more value from both. #Cisco #Splunk #NVM #ThreatDetection

keyboard_arrow_left Previous keyboard_arrow_right Next

Stoked to present the research #STRT did with our Talos friends alongside @nas_bench and John Levy! And it includes a sweet demo at the end. Come say Hi :)

Splunk @splunk

11 months ago

Let's supercharge your SOC. 🔋 Join the Splunk Threat Research Team alongside @TalosSecurity on July 23 to learn how to seamlessly integrate @Cisco Secure Firewall with #SplunkSecurity to up-level your response strategies.

1 4 13 4K 3

@M_haggis gotta say Crontab.guru has been more than a Guru to me. It has shown me schedules that I never thought of LOL

Come see me at RSAC! I'll be speaking about common threat actor techniques seen in AWS intrusions, and why they're terrible! It'll be a Gordon Ramsey-style critique of cloud threat actors. In addition, we'll talk about how you can attack AWS environments better!

Introducing 🚀Eventlog Compendium 🚀 A new Streamlit app, that aims to be the go-to resource for understanding and playing with Windows Event Logs. Explore it 👉 eventlog-compendium.streamlit.app Includes the following utilities and docs ⚙️ Build your own Advanced Audit Policy based on different data points making your policy data driven. 🧭EventID to Audit Policy mapping as well MITRE ATT&CK to Event ID explorer 📊Leveraging the EVTX-ETW-Resources project, you can explore the different ETW providers by build, version and filter down on key message strings. 📄 EVTX Baseline Search & Match - Explore the evtx-baseline project in a visual way. Where you can paste logs and check if they match in real time 🧮Event Field Decoder - Decode common Windows Security Event fields such as Logon Types, Access Masks, Active Directory GUIDs and SIDs 🔒Built-in SACL Explorer - leveraging SACL Scanner from Alexander DeMine, you can explore the built-in SACLs on a windows system. And much more to come. Stay tuned