I’m Matt Swann, a cyber intelligence analyst and detection engineer working across the Microsoft security stack — Sentinel, Defender XDR, Entra ID, and Intune.

This site is where I turn threat intelligence into detection logic: KQL detections, malware analysis, and detection-as-code. Most posts fall into one of a few running series:

  • Detection Deep Dive — one ATT&CK technique at a time: how it’s abused, how to detect it, how to tune it, and what the detection can’t see.
  • RaaS Teardown — ransomware-as-a-service groups broken down into TTPs and mapped to detection opportunities.
  • Deobfuscation Lab — static analysis walkthroughs: unpacking obfuscation in scripts and binaries.
  • Detection-as-Code — building a CI/CD pipeline that makes a Git repo the source of truth for detections.

Everything here is my own work and opinion, not my employer’s.

Find me: GitHub · LinkedIn · [email protected]