I’m Matt Swann, a cyber intelligence analyst and detection engineer working across the Microsoft security stack — Sentinel, Defender XDR, Entra ID, and Intune.
This site is where I turn threat intelligence into detection logic: KQL detections, malware analysis, and detection-as-code. Most posts fall into one of a few running series:
- Detection Deep Dive — one ATT&CK technique at a time: how it’s abused, how to detect it, how to tune it, and what the detection can’t see.
- RaaS Teardown — ransomware-as-a-service groups broken down into TTPs and mapped to detection opportunities.
- Deobfuscation Lab — static analysis walkthroughs: unpacking obfuscation in scripts and binaries.
- Detection-as-Code — building a CI/CD pipeline that makes a Git repo the source of truth for detections.
Everything here is my own work and opinion, not my employer’s.
Find me: GitHub · LinkedIn · [email protected]