The landing site for Trackr Services
Image-mode RHEL and bootc move /usr to a read-only ostree commit and turn host updates into container pulls. That fixes one class of problem and creates a different one for defenders. Here is what actually changes on disk, what to detect, and where the model breaks.
A defender-oriented look at where HTTP/2-to-HTTP/1.1 request smuggling sits in 2026 — the parser-differential class that keeps finding new homes, what the detection actually looks like in Splunk, and what most teams miss on the first tuning pass.
Chaotic Eclipse dropped two unpatched Windows zero-days on May 13, 2026. YellowKey turns an NTFS transaction log on a USB stick into a BitLocker bypass through WinRE — physical access, no recovery key, no PIN required on TPM-only boxes. GreenPlasma is the companion privilege escalation through CTFMON. No CVEs, no patches, and a researcher who has promised more for June’s Patch Tuesday.
Device Bound Session Credentials are landing in Chrome and Edge, but the gap between the protocol promise and what your SIEM sees is wider than the vendor decks suggest. A defender-oriented look at what detection actually requires right now.
A defender-oriented walkthrough of investigating adversary-in-the-middle token theft against Entra ID now that token protection, CAE, and device-bound sessions are widely on — what the logs actually contain, what the first detection misses, and where the artifacts live outside Entra.
ClickFix initial access has been pasting PowerShell into RunMRU for two years and most detection content still treats it like a primer. Here is what the telemetry actually looks like, what tunes out, and where teams keep getting it wrong.
The uncomfortable part about Mini Shai-Hulud is not the malware itself. Credential stealers are everywhere. Obfuscated JavaScript loaders in npm packages are not exactly new territory either. The problem is that this thing successfully rode through trusted publishing infrastructure and valid provenance paths, which means a lot of the security plumbing people have been congratulating …
Red teams are pivoting through Intune to get fleet-wide SYSTEM execution after a single privileged Entra account. Here’s what the abuse looks like in the audit log, what tuning the first detection needs, and where most SOCs miss it.
A defender-oriented analysis of indirect prompt injection in tool-calling agents: where the signal actually lives in the trace pipeline, what the first week of tuning has to fix, and which 800-53 controls the implementation maps to.
CVE-2026-7482 turns Ollama’s /api/create into a heap-read primitive that exfiltrates prompts, system messages, and process environment variables through a crafted GGUF tensor shape. Patch to 0.17.1; everything else is a stopgap.
