Detection Engineering
SSRF Detection Without Exploit Code
SSRF detection without running exploits — metadata-access signatures, Sigma/Suricata/CloudTrail rules, IMDSv2 defense, a CVE-2025-53767 case, and tuning tips.
Colson
Articles by Colson
Detection Engineering
SQL Injection Detection: A Defensive Guide
How to detect SQL injection across web, app, and database telemetry — with Sigma, Suricata, and SPL rules, a CVE-2025-1094 case study, and tuning tips. Lab-only.
Detection Engineering
JWT Misconfiguration: Detection and Defense
JWT misconfiguration detection and defense — alg:none, RS256-to-HS256 confusion, and kid injection, with header-logging detection, Sigma rules, and MITRE mapping.
Defensive Research
Broken Access Control Testing for Defenders
Broken access control testing for defenders — detect IDOR and BOLA from authorization-failure telemetry with Sigma and SPL rules, plus deny-by-default hardening.
Detection Engineering
XSS CSP Hardening for Blue Teams
XSS CSP hardening for blue teams — a strict nonce-based policy, CSP violation reports as a detection feed, Sigma and Suricata rules, tuning, and MITRE mapping.
Defensive Research
Anatomy of a Kerberoasting Attack — and How to Detect It
How Kerberoasting abuses service tickets to crack service-account passwords offline — and the Sigma detection and hardening that shut it down. Lab-only.
Hardware Security
Detecting WPA2 PMKID Capture in Your Wireless Estate
How the clientless PMKID attack pulls a crackable hash from WPA2 APs — and the monitoring, WPA3 migration, and passphrase policy that defend against it.
Detection Engineering
Writing Sigma Rules That Actually Fire (Not Just Compile)
A detection engineer's checklist for Sigma rules that survive contact with production — fidelity over coverage, tested logsources, tuned false positives, and CI.