<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>odiesec.io</title><link>https://odiesec.io/</link><description>Recent content on odiesec.io</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Thu, 07 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://odiesec.io/index.xml" rel="self" type="application/rss+xml"/><item><title>Adaptive Deception: Establishing a Baseline</title><link>https://odiesec.io/blog/adaptive-deception-baseline/</link><pubDate>Thu, 07 May 2026 00:00:00 +0000</pubDate><guid>https://odiesec.io/blog/adaptive-deception-baseline/</guid><description>&lt;p&gt;The previous post &lt;a href="https://odiesec.io/blog/adaptive-deception/"&gt;laid out the premise&lt;/a&gt;: if adaptive deception works, it should make an autonomous attacker slower, noisier, more expensive to run, or easier to detect. Before I can test that, I need a defensible baseline.&lt;/p&gt;
&lt;p&gt;The first baseline window closed on &lt;code&gt;2026-05-06&lt;/code&gt;: 50 autonomous attacker runs against the same GOAD Active Directory lab, before any deception conditions were introduced.&lt;/p&gt;
&lt;p&gt;This is the measurement shakedown: enough successful attacker behavior to show the harness can support a locked baseline, and enough failure detail to know what has to be separated from the deception signal. A later post will compare that locked baseline against a deception condition.&lt;/p&gt;</description></item><item><title>Adaptive Deception: Raising the Cost of AI Intrusion</title><link>https://odiesec.io/blog/adaptive-deception/</link><pubDate>Tue, 28 Apr 2026 00:00:00 +0000</pubDate><guid>https://odiesec.io/blog/adaptive-deception/</guid><description>&lt;p&gt;Between late December 2025 and mid-February 2026, a single threat actor used Claude Code and OpenAI&amp;rsquo;s GPT-4.1 to breach nine Mexican government agencies. Claude Code generated and executed about 75% of the remote commands across the intrusion. The attacker exfiltrated 150 gigabytes of taxpayer, civil registry, electoral, and health data, including 195 million taxpayer records.&lt;sup id="fnref:1"&gt;&lt;a href="#fn:1" class="footnote-ref" role="doc-noteref"&gt;1&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
&lt;p&gt;The breach matters because of leverage. One operator used an agent to compress reconnaissance, command generation, error recovery, and iteration into a continuous loop. If autonomous tooling makes intrusion that cheap to run, defenders need ways to slow it down and raise its cost.&lt;/p&gt;</description></item><item><title>Dissection of a BEC: The Entry</title><link>https://odiesec.io/blog/bec-the-entry/</link><pubDate>Fri, 10 Apr 2026 00:00:00 +0000</pubDate><guid>https://odiesec.io/blog/bec-the-entry/</guid><description>&lt;p&gt;In the previous post, we pulled the UAL for &lt;code&gt;schen@meridianadvisory.com&lt;/code&gt;, ingested it into ADX, and oriented ourselves. The data showed a 2,733-event spike on November 19, three inbox rules created from an unfamiliar IP, and a two-day gap between the first rule and the mass phishing event. We knew what the threat actor (TA) did. We didn&amp;rsquo;t yet know when they got in or how.&lt;/p&gt;
&lt;p&gt;The UAL records authentication as &lt;code&gt;UserLoggedIn&lt;/code&gt; and &lt;code&gt;UserLoginFailed&lt;/code&gt; operations, but those events don&amp;rsquo;t have all of the information. The Entra ID sign-in logs give you what the UAL doesn&amp;rsquo;t: device information, geolocation, conditional access evaluation, session identifiers, and authentication method detail as structured fields. For authentication events, the sign-in logs are the primary source.&lt;/p&gt;</description></item><item><title>Dissection of a BEC: The Catalyst</title><link>https://odiesec.io/blog/bec-the-catalyst/</link><pubDate>Thu, 26 Mar 2026 00:00:00 +0000</pubDate><guid>https://odiesec.io/blog/bec-the-catalyst/</guid><description>&lt;p&gt;This series walks through a Business Email Compromise (BEC) investigation we worked in November 2025. A single user account at an accounting firm was compromised for just over two days before detection. The Threat Actor (TA) attempted a payment diversion, got caught, and pivoted to a mass credential harvesting campaign. We reconstructed the full attack timeline from the Microsoft 365 Unified Audit Log (UAL), Entra ID sign-in logs, and Message Trace logs.&lt;/p&gt;</description></item><item><title>Training Review: GIAC Certified Forensic Analyst (GCFA)</title><link>https://odiesec.io/blog/training-review-gcfa/</link><pubDate>Thu, 19 Mar 2026 00:00:00 +0000</pubDate><guid>https://odiesec.io/blog/training-review-gcfa/</guid><description>&lt;p&gt;I&amp;rsquo;ve taken training across offensive, defensive, cloud, and forensics. These reviews cover what each course delivered and whether it was worth the cost.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;I started out in digital forensics and later transitioned into offensive security. Over the last few years, my interest in the defensive side picked back up, and I&amp;rsquo;ve been shifting more towards purple teaming. My employer offers a tuition assistance benefit, so I used it to take SANS&amp;rsquo;s Advanced Incident Response, Threat Hunting (FOR508) course via OnDemand in June 2025. The FOR508 material overlaps with earlier DFIR work, so I came to it with more context than a first-time practitioner would.&lt;/p&gt;</description></item><item><title>Training Review: Offensive Security Certified Professional (OSCP)</title><link>https://odiesec.io/blog/training-review-oscp/</link><pubDate>Thu, 12 Mar 2026 00:00:00 +0000</pubDate><guid>https://odiesec.io/blog/training-review-oscp/</guid><description>&lt;p&gt;I&amp;rsquo;ve taken training across offensive, defensive, cloud, and forensics. These reviews cover what each course delivered and whether it was worth the cost.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;I took OffSec&amp;rsquo;s PEN-200 (Penetration Testing with Kali Linux) course and passed the OSCP (Offensive Security Certified Professional) exam with 75 points in August 2020. At the time, I was working in digital forensics on the defensive side. I had taken eLearnSecurity&amp;rsquo;s eJPT and PTP beforehand, and used the PTP exam as preparation the week before OSCP. PTP gives you about a week to complete the hands-on portion, so it served as a practice run for a longer proctored exam. My company organized a cohort where a group of us studied together and sat for the exam on the same timeline. That cohort format helped with accountability and gave us people to troubleshoot with when we got stuck on lab machines.&lt;/p&gt;</description></item><item><title>About</title><link>https://odiesec.io/about/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://odiesec.io/about/</guid><description>&lt;p&gt;I&amp;rsquo;m Ryan, a cybersecurity researcher, penetration tester, and cloud security consultant. I&amp;rsquo;ve spent the last 13+ years doing penetration tests, red team assessments, and incident response investigations. Most of my current work is in Microsoft 365 and Azure environments focused on offensive testing, IR, and building detection capabilities.&lt;/p&gt;
&lt;p&gt;I have a Master&amp;rsquo;s in Cybersecurity and hold OSCP, OSEP, GCFA, and GREM certifications.&lt;/p&gt;
&lt;p&gt;I speak at security conferences including Wild West Hackin&amp;rsquo; Fest, SAINTCON, Hack Space Con, Hack Red Con, BSides Las Vegas, BSides NoVa, BSides Roanoke, and DEF CON Cloud Village. Topics I&amp;rsquo;m currently focused on: adversary deception, M365 canary tokens, device code phishing, cloud IR methodology, and anything where offense informs defense.&lt;/p&gt;</description></item><item><title>Presentations</title><link>https://odiesec.io/presentations/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://odiesec.io/presentations/</guid><description/></item></channel></rss>