Deep dives into machine learning, security analytics, AI, and cybersecurity.
In 2015, I uploaded the BASHLITE botnet source code to GitHub for research purposes while working at Splunk. A decade later, that archive has been cited in peer-reviewed IoT security research and used as a primary source for malware analysis and detection engineering.
How RAG for security has evolved from research to practice. Building on SuriCon 2024 work, this post explores modern approaches with Claude, a 2,400-document knowledge base spanning MITRE ATT&CK, CISA KEV, and Suricata, and an interactive browser-based demo.
Why I rewrote a real-time moderation and TTS service from Python to Go, what the memory and startup time differences actually looked like, and how the concurrent pipeline architecture changed what the service could do.
How to serve curated public data from a private analytics app by building a completely separate API layer on Cloudflare Workers with Hono, D1, and Chanfana.
Validating a quantitative team allocation strategy for a mobile game cooperative mode against six seasons of historical data, and what the numbers reveal about what algorithms can and cannot predict.
How I built a Python MCP server that brings CISA KEV lookups, CSAF advisory parsing, IOC extraction, and KQL/SPL query generation directly into Claude Code, and the filtering and caching decisions that made it practical.
When building MCP integrations for credit-metered APIs, the interesting design decisions are not about the protocol. They are about cache consistency, rate limiting, and how narrow tool scope changes what an AI assistant can do autonomously.
The site you are reading runs on a design system I extracted into a standalone npm package. Here is how I built it, how the modular export architecture works, and what shipping CSS as a library actually costs.
A specific data engineering pitfall where summing a pre-aggregated metadata field inflates totals by the group size, hiding in plain sight because every individual value is correct.
How I used Google Cloud Vision to read damage numbers from battle screenshots, replacing tedious 10-digit manual entry with a single file upload.
What I learned building a full agentic loop in Go from scratch: the tool executor, context window management, voice pipeline, and the problems frameworks solve that you rediscover when you do not use them.
How I applied document similarity techniques to mobile game team compositions, using TF-IDF vectorization and UMAP clustering to identify meta strategies across multiple seasons of Union Raid data.
How I built a clean Go interface abstraction supporting nine LLM providers, what the streaming problem taught me about real-world API behavior, and where leaky abstraction is acceptable.
How I built a three-mode content recommendation API using FAISS, sentence-transformers, and TF-IDF over a large media catalog, including what deploying 300MB of ML models to production actually looks like.
How we explored using Retrieval-Augmented Generation and Graphistry to transform Suricata rule management, presented at SuriCon 2024 in Madrid with Leo Meyerovich.
A field perspective on cloud security posture management tools after running competitive bake-offs against Wiz, Lacework, and Sysdig across Fortune 500 environments. What the demos don't show you.
Comprehensive guide to building ML capabilities at BlockFi from scratch, covering team structure, executive buy-in, blockchain analytics, and operational ML for crypto security.
A technical look at the security gaps in standard ERC-721 and ERC-1155 tokens, what attack vectors they leave open, and the architectural approaches a 2022 provisional patent addresses for financial-grade digital asset security.
How we built a crypto-specific graph analytics framework at BlockFi using Nvidia Rapids, Apache Arrow, Graphistry, and Neo4j to trace and flag hundreds of millions in suspicious blockchain transactions.
Showcasing BlockFi's use of Splunk and machine learning for cryptocurrency security, including anomaly detection, fraud identification, and graph analytics for blockchain analysis.
How we built machine learning models to classify malicious domains at Splunk scale, covering the feature engineering, model architecture tradeoffs, production challenges, and what made the approach novel enough to patent.
Step-by-step guide to building custom Docker containers for Splunk DLTK, including creating a Nvidia Rapids container for GPU-accelerated machine learning.
Overview of ML & AI concepts for security analysts, with practical walkthroughs of ransomware and botnet detection using machine learning.
Complete guide to integrating Jupyter Notebook with Splunk Enterprise using Docker, enabling data science workflows directly with Splunk data and the ML Toolkit.
Complete guide to setting up Splunk ML Toolkit development environments using Docker, including automated app installation and configuration.
Exploring the journey from reactive to prescriptive analytics in security operations, covering the advanced analytics maturity model and ML-driven incident response automation.
Deep dive on SPL patterns for security use cases, covering tstats command optimization, data model acceleration, and tried-and-tested query patterns for threat detection.
Webinar defining AI and machine learning in cybersecurity context, with practical applications for speeding incident response and optimizing security staff resources.
A framework using Suricata and Splunk with public malware PCAPs to iteratively analyze network behavior and develop better IDS/IPS detection rules.
Practical machine learning techniques for botnet detection using Suricata data, covering data exfiltration, traffic analysis, and advanced threat detection workflows.
Hands-on workshop teaching security practitioners how to build operational Splunk apps, covering methodology, data enrichment, visualization, and machine learning techniques.
Step-by-step guide to integrating Mapbox API with Splunk for enhanced geographical visualizations, including custom tiles and the Missile Map visualization.
Security analysis of the Shadow Brokers NSA tool leak and its impact on enterprise security, with Splunk-based detection strategies.
How to use Splunk and a Cloudflare domain lookup to identify users exposed to the Cloudbleed memory leak vulnerability and prioritize credential rotation.
Step-by-step guide to integrating abuse.ch's ransomware intelligence feed into Splunk Enterprise Security for enhanced threat detection and response.
How to use NGINX and Let's Encrypt to put a secure SSL reverse proxy in front of a Splunk Search Head running on an unprivileged port.
Using Splunk's Machine Learning Toolkit and Suricata data to analyze and predict Mirai botnet activity through K-means clustering and Random Forest classification.
Keynote presentation on applying machine learning toolkits to Suricata data for threat detection, covering data exfiltration, port analysis, and advanced threat use cases.
Conference presentation on machine learning toolkits in Splunk for security practitioners, covering anomaly detection, data exfiltration, and advanced threat use cases.
A hands-on exercise using Splunk to evaluate the DHS and DNI GRIZZLY STEPPE indicators of compromise and assess whether they overlap with known Tor exit nodes.