Insights

Practical thinking on modern security programs.

Opinionated writing on Microsoft security, detection engineering, MDR operating models, SOC culture, and what good security leadership looks like in practice.

The Shield Is Cracked
11-part series · SOC culture, burnout, and the human cost of cyber defense
Part 01
You Can't Block Every Shot
Security operations is a lot like being a goalie. The Shield Manager concept and where the cracks start showing.
Part 02
CIA Isn't Just for Data
We applied the CIA triad to systems. We never applied it to people. Confidentiality, Integrity, and Availability for your team.
Part 03
You Can't Secure What You Don't Respect
The real breach is internal. What disrespect looks like inside your own battlefield HQ — and why culture is a control surface.
Part 04
The Burnout Is the Breach
63% of SOC professionals report burnout. It's not a personal flaw — it's an operational signal. And it's blinking red.
Part 05
What a Modern, Non-Burnout SOC Looks Like
Mission-driven, not metric-obsessed. Roles that make sense. Psychological safety as table stakes. What we're trying to build.
Part 06
Battle-Tested: What the Military Taught Me About Running a SOC
F3EAD — Find, Fix, Finish, Exploit, Analyze, Disseminate. A military intelligence framework adapted for modern SOC operations.
Part 07
SOC Judgment Day
The attackers evolved. The machines scaled. Your SOC was sent to battle without hope — or a towel. AI-assisted triage done right.
Part 08
The SOC Isn't Special — But It Is Critical
Lessons from the ICU, the fireline, and the flight deck. What other high-stakes professions figured out that SOCs still haven't.
Part 09
Coming Soon
Part 9 is in progress.
Part 10
Fix the Culture Before the Adversary Exploits It
You don't need exploits when morale, burnout, and attrition have already cracked the shield. The data on what actually fixes it.
Part 11 — Finale
The TL;DR: The Shield Was Cracked
The Shield Manager defined. Seven steps to rebuild. And what comes next: The Adversary Within.
Coming Next
The Adversary Within
CTI for toxic cyber leadership. The real zero-day vulnerability isn't malware — it's broken trust.
Detection Engineering

When Sentinel cost is a design problem, not a tooling problem (coming soon)

Ingestion discipline, content quality, parser design, and what actually drives value in a Microsoft-native detection program.

What a fractional CISO should fix in the first 90 days (coming soon)

Governance, reporting, quick wins, stakeholder alignment, and how to avoid performative strategy work.

Why MDR relationships fail even when the tooling is solid (coming soon)

Escalation logic, ownership, tuning, provider accountability, and the operational gaps dashboards usually hide.