I am Mike (Rem). This is where I publish field notes, technical write-ups, and lessons learned from hands-on security work.
Case-driven write-ups from incident response and malware triage work.
Practical detection content across YARA, Sigma, and telemetry-first workflows.
Supply-chain abuse, protocol behavior, and CTF-style problem solving.
February 18, 2026
Building an entity-centric ES|QL hunting model for SSLVPN abuse by prioritizing topology over raw alert volume. We explore how infrastructure reuse, cross-organization overlap, and short authentication time deltas can separate adversarial activity from benign noise at scale.
September 6, 2025
Examining patterns observed in operating and collecting data from an SSLVPN honeypot sitting behind a Finch proxy.
May 17, 2025
Ransomware affiliates have long since abused Cloudflared tunnels to maintain persistent access to compromised environments. These tunnels can be utilized as a strong indicator of compromise when examined at-scale.
October 5, 2024
A continually evolving knowledgebase of things I've found pertinent as a threat and security operations analyst, specifically focusing on malware analysis.