Some articles I worked on elsewhere, mostly from my time at Palantir. I am keeping these together here rather than publishing each as a tiny link-only post.

Windows privilege abuse

Windows Privilege Abuse: Auditing, Detection, and Defense

This post was written with help from friends at SpecterOps and focuses on high-impact Windows privilege abuse paths that are easy to miss in enterprise environments. The useful bit is the defensive framing: audit the privileges that matter, collect telemetry that can show abuse early, and reduce blast radius before full remediation is complete.
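As an added example (not code from the post or from SpecterOps), the two halves of that framing on a single host in PowerShell: enumerate which principals hold the user rights that matter, then pull recent logons that were granted them from the Security log. The privilege names, the `secedit` export format and event 4672 are standard Windows values; the choice of which rights count as sensitive is my assumption, and both functions need an elevated session.

```powershell
# Added example, not from the original post. Inventory sensitive user rights on a host
# and surface recent logons that received them. Needs an elevated session.

$SensitiveRights = @(
    'SeDebugPrivilege', 'SeTcbPrivilege', 'SeImpersonatePrivilege',
    'SeAssignPrimaryTokenPrivilege', 'SeLoadDriverPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege'
)

function Get-SensitiveRightAssignment {
    # Export the local policy and parse the [Privilege Rights] section, whose lines look like
    #   SeDebugPrivilege = *S-1-5-32-544
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.+)$' -and $SensitiveRights -contains $matches[1]) {
            $right = $matches[1]
            foreach ($entry in $matches[2].Split(',')) {
                $name = $entry.Trim()
                if ($name.StartsWith('*')) {
                    # A leading '*' marks a SID; translate it to an account name where possible.
                    $sidText = $name.Substring(1)
                    try {
                        $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = $sidText }
                }
                [pscustomobject]@{ Right = $right; Principal = $name }
            }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

function Get-SensitivePrivilegeLogon {
    param([int]$Hours = 24)
    # Event 4672 "Special privileges assigned to new logon". EventData order:
    # SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList.
    $filter = @{ LogName = 'Security'; Id = 4672; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p     = $_.Properties
        $privs = ($p[4].Value -split '\s+') | Where-Object { $_ }
        $hits  = $privs | Where-Object { $SensitiveRights -contains $_ }
        # SYSTEM (S-1-5-18) receives these on every service logon; it is noise here.
        if ($hits -and $p[0].Value.Value -ne 'S-1-5-18') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($p[2].Value)\$($p[1].Value)"
                LogonId    = ('0x{0:X}' -f [uint64]$p[3].Value)
                Privileges = ($hits -join ', ')
            }
        }
    }
}

Get-SensitiveRightAssignment | Sort-Object Right, Principal | Format-Table -AutoSize
Get-SensitivePrivilegeLogon -Hours 24 | Format-Table -AutoSize
```

The first table is what to compare against the intended design (a service account holding SeDebugPrivilege or SeImpersonatePrivilege on a workstation is the kind of thing that gets missed); the second is the telemetry that shows those rights actually being handed out, which is what you want forwarded off-host so abuse is visible before remediation finishes.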

Restricting SMB-based lateral movement

Restricting SMB-based Lateral Movement in a Windows Environment

This one maps common SMB-driven lateral movement paths from adversary simulation work and turns them into practical restrictions. The operational lesson is that lateral-movement controls need phased rollout, good exception handling, and a clear understanding of what business workflows depend on SMB.
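The phased shape of such a rollout, as an added example in PowerShell (not the post's own configuration): log what currently talks to port 445 on a workstation before blocking anything, then cut inbound SMB down to a named set of management sources. The admin subnet is a placeholder value, and the example assumes workstations rather than file servers.

```powershell
# Added example, not from the original post. Assumes workstations (not file servers) and an
# admin/jump-host range used for legitimate remote management; 10.10.50.0/24 is a placeholder.
$AdminSources = @('10.10.50.0/24')
$LogPath      = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Phase 1: observe. Log allowed connections so inbound 445 peers can be inventoried
# for a few weeks before anything is blocked.
function Enable-FirewallPeerLogging {
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogAllowed True -LogBlocked True `
        -LogFileName $LogPath -LogMaxSizeKilobytes 32767
}

function Get-InboundSmbPeer {
    # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ... path
    # Inbound entries end with RECEIVE; we keep ALLOW TCP rows whose dst-port is 445.
    Get-Content $LogPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\S+ \S+ ALLOW TCP (\S+) \S+ \d+ 445 .* RECEIVE$' } |
        ForEach-Object { $matches[1] } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
}

# Phase 2: enforce. Windows Firewall evaluates block rules before allow rules, so a blanket
# block on 445 would also defeat the admin exception. Instead, disable the built-in SMB allow
# rules, keep the default inbound action at Block, and add one narrowly scoped allow rule.
function Set-InboundSmbRestriction {
    param([string[]]$AllowedSources)
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    $name = 'SMB-In (admin sources only)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort 445 -RemoteAddress $AllowedSources -Profile Domain, Private, Public | Out-Null
    }
}

# Run the observation step first, review Get-InboundSmbPeer after the observation period, add
# any legitimate sources it reveals to $AdminSources, and only then apply the restriction.
Enable-FirewallPeerLogging
Get-InboundSmbPeer | Format-Table -AutoSize
Set-InboundSmbRestriction -AllowedSources $AdminSources
```

The three calls at the bottom are shown together; in practice the middle one is repeated over the observation window and anything unexpected in its output (a backup agent, a print server, a software deployment tool) is the business dependency the post is talking about, and it goes into the allow list or an exception process before the restriction is applied.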

Microsoft Defender Attack Surface Reduction

Microsoft Defender Attack Surface Reduction Recommendations

This post covers a staged ASR rollout model: audit first, tune noisy rules, then enforce the controls that provide the best return. The main idea is to treat ASR as an operational program, not a one-time policy toggle.
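That staged model, as an added PowerShell example (not the post's own script): put rules into audit mode, summarise what they would have blocked from the Defender operational log, exclude a known-good process, and enforce only the rule that stayed quiet. The two rule GUIDs are from Microsoft's published ASR rule list; picking those two, the fourteen-day window and the exclusion path are illustrative assumptions, and parsing the rule ID and process name from the event message text is an assumption about that message's layout.

```powershell
# Added example, not from the original post. Rule GUIDs are Microsoft's published ASR IDs;
# the rule selection, window and exclusion path are placeholders.
$Rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

function Set-AsrRuleMode {
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode,
        [string[]]$Ids = @($Rules.Keys)
    )
    # Add-MpPreference changes only the rules named; Set-MpPreference would replace the whole list.
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrAuditSummary {
    param([int]$Days = 14)
    # Defender operational log: 1122 = audited, 1121 = blocked. Rule ID and process name are
    # parsed from the message text (assumed layout: "ID: {guid}" and "Process Name: ..." lines).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m    = $_.Message
        $id   = if ($m -match '(?m)^\s*ID:\s*\{?([0-9A-Fa-f-]{36})\}?') { $matches[1].ToUpper() } else { 'unknown' }
        $proc = if ($m -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $matches[1] } else { 'unknown' }
        [pscustomobject]@{ RuleId = $id; Rule = $Rules[$id]; Process = $proc; Audited = ($_.Id -eq 1122) }
    } | Group-Object RuleId, Process | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Rule';    e = { $_.Group[0].Rule } },
            @{ n = 'Process'; e = { $_.Group[0].Process } }
}

# Stage 1: audit everything for the observation window.
Set-AsrRuleMode -Mode AuditMode

# Stage 2 (after the window): review the noise and exclude a known-good process.
Get-AsrAuditSummary -Days 14 | Format-Table -AutoSize
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleLOB\exampleapp.exe'

# Stage 3: enforce the rule that was quiet; leave the noisy one in audit until it is tuned.
Set-AsrRuleMode -Mode Enabled -Ids '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
```

The three stage calls are written together but belong to different points in time; the summary from stage 2 is the artifact that decides, per rule, whether the next step is an exclusion, more audit time, or enforcement. Treating it that way, rule by rule with a feedback loop, is what makes ASR a program rather than a toggle.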

Managing browser extensions at scale

Managing and Automating Browser Extensions at Scale

This post describes a policy-as-code workflow for browser extension decisions. Browser extensions are a surprisingly meaningful enterprise risk surface, and the useful pattern here is giving teams a review and approval path that is fast enough to use but structured enough to govern.


Chad Duffey

Blue Team -> Exploit Development & things in-between
