Analysis Reports
Threat Intelligence & Policy Research
Latest Report
Threat Analysis · Supply Chain
Series · Part 1 of 3
The Trusted Channel — TeamPCP's Nine-Day Credential Chain and the WAV Steganography Attack
How TeamPCP poisoned the Telnyx Python package using WAV audio steganography — the final link in a nine-day credential chain running Trivy → LiteLLM → Telnyx. 500,000+ corporate identities stolen, 6-hour exposure window, direct implications for defense contractors on PyPI. Part 1 of a 3-part series. Continues in The Blast Radius and The New Recruit.
Threat Analysis · Supply Chain
Series · Part 2 of 3
The Blast Radius — Criminal Ecosystems, AI Infrastructure, and the Cost of Looking Away
What the TeamPCP campaign reveals about the ransomware payment paradox, the insurance industry's role in funding criminal networks, the AI infrastructure single point of failure, and why a financially motivated criminal group is more alarming than a nation-state actor. Part 2 of 3 — continues in The New Recruit.
Threat Analysis · Supply Chain
Series · Part 3 of 3
The New Recruit — How Criminal Networks Build Their Next Generation of Attackers in Plain Sight
How criminal and state-sponsored groups use gaming platforms, influencer impersonation, and challenge-based talent scouting as deliberate recruitment infrastructure — and how that pipeline creates a direct attack surface against defense contractor home networks. Part 3 of 3.
Threat Analysis · Identity & Credentials
38 Breaches, One Email Address — Anatomy of a Credential Attack Surface
A SOC analyst case study mapping 13 years of personal data breach exposure to attacker methodology, threat actor profiles, and cloud identity risk. Covers credential stuffing attack chains, Everest ransomware, infostealer operators, MITRE ATT&CK mapping, and the SSO single-point-of-failure risk that mirrors Azure Entra ID vulnerabilities at enterprise scale. Includes live pwned password checker.
Threat Analysis · Critical Infrastructure
The Open Tap — When Water Becomes a Weapon
Wake-up call analysis of water infrastructure cybersecurity. Ukraine confirmed attacks, Oldsmar Florida proof of concept, and a full scenario against NYC's 9-million-person unfiltered water supply.
Threat Analysis · Russia
The Encryption Illusion — Russia's Signal Campaign
How Russian intelligence bypassed Signal and WhatsApp without breaking encryption — exploiting the human layer instead. CMMC implications for defense contractors using personal messaging apps.
Threat Analysis · Infrastructure
The Cascade — When America Goes Dark
Coordinated infrastructure attack scenario analysis examining how simultaneous failures in communications, power grid, and transportation create cascading societal collapse. Explores the dependency stack that transforms three technical failures into an uncontestable national security crisis.
Policy Analysis · CMMC
The Weakest Link — CMMC Supply Chain
Analysis of how CMMC compliance gaps in small subcontractors expose entire defense programs. Covers the MORSECORP $4.6M FCA settlement and the case for mandatory structured training.
Threat Analysis · APT
Volt Typhoon — Living Off the Land
Deep analysis of China's Volt Typhoon campaign targeting US critical infrastructure using LOTL techniques. Covers audit log deletion and years-long persistence inside defended networks.
Threat Analysis · Case Study
Stryker Corporation — The Wiper Attack
Analysis of the Handala threat actor's wiper attack that remotely destroyed 200,000 devices across 79 countries via a single admin credential lacking MFA.
Threat Analysis · Business Email Compromise
The Identical Lie — Unicode Homoglyph Attacks & BEC
How attackers use visually identical Unicode characters to register spoofed domains and steal millions through fraudulent wire transfers. $55.5 billion lost over the past decade. The one defense that stops it unconditionally costs nothing.
Threat Analysis · Supply Chain
The Invisible Threat — Glassworm & Unicode Supply Chain Attack
How Glassworm hid malicious payloads in invisible Unicode characters across 151+ GitHub repositories, npm packages, and VS Code extensions — undetectable by human code review. Active campaign as of March 2026.
Threat Analysis · Privacy
The Hiring Trap — How Job Search Tools Became a National Security Exposure
First-person analysis of how a broken hiring process pushes job seekers — including defense industry professionals — into installing browser extensions with surveillance-level access to their entire digital life. Includes live manifest.json permission scanner.
Threat Analysis · Identity & Credentials
The Open Door — LinkedIn's Verification Gap and the National Security Cost of Profit Over Trust
How LinkedIn's deliberate choice not to verify professional credentials has turned the world's largest professional network into an open-door attack surface — with direct national security implications for defense contractors and cleared personnel.
Threat Analysis · Supply Chain
The Domain That Cried Wolf — GitHub's Domain Trust Problem
Analysis of how GitHub's implicit domain trust model enables supply chain attacks through typosquatting, dependency confusion, and spoofed repository signals — and why defenders have been trained to ignore the warnings.
Training & Education
Self-Study Resources
Interactive Tools
Analyst Toolkit
Interactive Tool · Zeek Analysis
Zeek Triage — pcap IOC Analyzer
Upload a .pcap file and get an automated IOC threat report — HTTP, TLS, DHCP, and data-volume analysis with severity scoring. Runs entirely in your browser. No data leaves your machine. Built on the zeek_triage.py workflow from Lab Log 006.
Interactive Tool · Encryption
AES-256 File Encryption & Decryption
Encrypt and decrypt any file using AES-256-GCM — the same standard used to protect classified government data. Random key generation, integrity verification via GCM authentication tag. Runs entirely in your browser. No file ever leaves your machine.
Interactive Tool · Vulnerability Scoring
CVSS 3.1 Score Calculator
Calculate the severity of any vulnerability using the industry-standard Common Vulnerability Scoring System. Eight metric questions, live score calculation, plain-language explanations of each factor. Used for every CVE published by NIST.
Interactive Tool · Supply Chain Security
Glassworm Detector
Scan source code files for invisible Unicode payloads and detect blockchain C2 connections. Identifies Glassworm PUA codepoints that render as blank space in every editor but carry malicious execution payloads. Runs entirely in your browser.
Interactive Tool · Browser Security
Bookmark Organizer/Analyzer
Audit, organize, and sanitize Chrome, Firefox, or Safari bookmark exports. Detects HTTP links, Unicode homoglyph attacks, dead links, and malicious domain signatures. AI-powered categorization with a learning system that adapts to user corrections. Runs entirely in your browser.
Interactive Tool · Email Security · CMMC
Email Threat Analyzer
AI-powered phishing detection tool for security awareness training. Connects to Gmail via OAuth, analyzes emails for BEC, credential phishing, ransomware delivery, and Glassworm Unicode payloads. Maps findings to MITRE ATT&CK. Includes 6 defense contractor phishing scenarios for live workshops. Built for CMMC AT.2.056 training documentation.
Interactive Tool · Privacy & Hygiene
YouTube Subscription Cleaner
Audit and bulk-manage your YouTube subscriptions via the YouTube Data API. Filter by activity, subscriber count, and upload frequency. Identify dormant channels and unsubscribe in bulk. Reduces your digital footprint and cleans up your recommendation algorithm. Runs in your browser via OAuth.
Hands-On Security Work
Lab Logs
Lab Log 001 · Reconnaissance
Network Reconnaissance — What an Attacker Sees First
Nmap SYN scan of a Docker host from Kali Linux. Full port enumeration, service detection, and analysis of two open RPC services mapped to NIST 800-171 controls.
Lab Log 002 · Traffic Analysis
Network Traffic Analysis — Reading the Language of Packets
tcpdump packet capture of a live Nmap scan. TCP SYN/RST handshake breakdown, Nmap behavioral fingerprints visible in raw traffic, defender detection methodology.
Lab Log 003 · Malware Analysis
Wireshark Malware Analysis — Identifying an Infected Host
Real malware pcap analysis using Wireshark. DHCP and Kerberos triage workflow to identify infected machine and user. C2 beaconing pattern detection — 264 POST requests at 60-second intervals confirmed.
Lab Log 004 · Custom Profile + Malware
Custom Wireshark Profile & Lumma Stealer Analysis
Built a purpose-configured SOC analyst Wireshark profile with color rules and one-click filter buttons. Independent analysis of Lumma Stealer — browser fingerprinting, dual Chrome/Edge infection, TLS credential exfiltration to whitepepper.su.
Lab Log 005 · Zeek Analysis
Zeek Network Analysis — Automated Log Generation & Threat Discovery
Installed and ran Zeek 8.1.1 against the Lumma Stealer pcap. Five-command triage workflow producing structured logs. ssl.log revealed four additional C2 domains invisible to Wireshark — 1.67MB exfiltration confirmed.
Lab Log 006 · Python Automation
zeek_triage.py — Automated Threat Detection with Python
Python script automating the full Zeek triage workflow — DHCP, Kerberos, HTTP, TLS, and data volume analysis in one command. Color-coded output, severity scoring, validated against two real malware families. Zero external dependencies.
Lab Log 007 · IOC Detection
Confirmed IOC Matching & Severity Scoring Correction
Added confirmed malicious domain matching and dynamic DNS detection to the triage script. Corrected severity scoring flaw — a confirmed C2 beacon always scores CRITICAL regardless of data volume. Validated against two malware families.
Lab Log 008 · Internet-Facing Server Analysis
Seven Days Under Attack — Analyzing a Live Web Server's Traffic
Analysis of 313,968 packets across seven days of real internet traffic hitting an exposed Apache server. Four attack vectors identified — SYN port scan, backup exfiltration attempt, EICAR web shell upload probe, and RADIUS auth scan. All attacks blocked. Server banner disclosure identified as the critical passive risk.
Field Notes
Observations from the Real World
Field Notes · Tools · CMMC
The Email That Could Cost a Defense Contract
How I built an AI-powered phishing detection tool, ran it against my real inbox, and discovered that marketing platforms use the same invisible Unicode technique as Glassworm malware. Includes CMMC AT.2.056 mapping and a phishing simulation use case for defense contractors.
Field Notes · Tools
From 1,000 Subscriptions to a SOC Triage Tool
How cleaning up 1,900 YouTube subscriptions — accumulated over five years by my twin sons — led to building AlertDesk, an AI-powered SIEM log triage tool. The same pattern of volume, classification, and human judgment applies directly to SOC analyst work.
Security Hygiene · Field Notes
Your Bookmarks Are a Security Risk
Why your browser's bookmark bar is a forgotten attack surface — 947 bookmarks audited, 737 unencrypted HTTP links found. Covers domain hijacking, expired domain exploitation, Unicode homoglyph attacks, and how to audit your own collection.
Field Notes · Career
The Accidental Security Analyst
What 23 years of bookmarks, a Wireshark session, and two law enforcement examinations nobody knew about say about a career that was always pointing toward security.