About

I'm boredchilada, an incident responder on Canada's east coast. My work spans DFIR, deception, and detection.

cyfar is a working notebook covering all three: fleet observations, IOC write-ups, post-mortems on specific attacker engagements, and the occasional opinion piece on where the field is going. Most of it is auto-ingested from a sibling tooling project; some of it is hand-written. The line between the two is usually obvious from context.

What I'm actually interested in:

• Weird honeypot data. Services nobody else is emulating, attacker behavior that doesn't match any public taxonomy
• Detection content that survives contact with reality (rules that don't false-positive on the helpdesk's first sneeze)
• The narrative half of CTI, where you have to explain why the IOCs matter rather than just publishing a CSV
• Single-operator deception infrastructure that small orgs can actually run

What the fleet looks like, at a high level: a few dozen sensors across a handful of sectors and clouds, mixed between off-the-shelf honeypot frameworks and custom emulators. Publishing the topology would defeat the purpose, but the engagement reports here give a sense of what the sensors see.

If you want to reach me about a question, a weird capture you want a second pair of eyes on, or a paid engagement, the contact page has a form.