About
I'm boredchilada, an incident responder based in eastern Canada.
cyfar is a place to write down the things I work on after hours. Mostly DFIR, deception, and detection. Sometimes a writeup, sometimes a few notes on something I'm building, sometimes a redacted report on something a sensor caught.
The fleet
The deception side runs out of what I just call "the fleet": honeypots I run across North America, Europe, and other regions. Each node is a persona rather than a bare sensor: a small fabricated business with its own identity, services, and backstory, modeled on real business sectors including but not limited to energy, education, healthcare, and DevOps/cloud.
The composition is deliberately varied and it changes often. Campaigns rotate by geography and by service, personas get retired and new ones stood up in their place. I borrow from red team tactics mostly for OPSEC reasons, to keep the fleet quiet and safe.
Fabricated businesses, each with its own identity.
Capture every session.
Correlated across the fleet.
Activity classified by behavior.
Reports, IOCs, and detections.
Everything the fleet catches lands in a detection and triage platform where each session gets enriched and correlated against activity across the rest of the fleet. Sources are classified into verdicts: credential brute-forcing, RCE exploitation, targeted activity, and so on.
That pipeline is where most of what you read here comes from. On a typical day the fleet sees on the order of millions of sessions, and the engagement reports, the IOC feed, and the detections on this site all trace back to it. Fleet verdicts are also queryable over an API; my own detection stack enriches the IPs it sees with fleet findings automatically.
Background
On the IR side: ransomware engagements (Corona, Play, Qilin, Akira, including the negotiation side of a few), business email compromise, insider threats in the financial sector, and a steady stream of clickfix, phishing chains, vishing, malicious scheduled tasks, and abused remote-management tooling. What you read as a responder shapes the detections and deception you want to build, which is part of why this blog exists.
A chunk of the volume here comes from a CTI pipeline I run on the side, separate from the fleet's verdict platform. It takes threat-intel reports from upstream sources and runs them through a few LLM providers (Google, OpenAI, Anthropic, and so on) to produce summaries, honeypot analyses, and the occasional weekly recap. Those land here automatically, labelled by source and model. The hand-written posts have my name on them.
Engagement reports are the more polished pieces. They only go out once they've been redacted to the point where they can't burn anything sensitive.
I write the way I'd explain something to a coworker. If a post reads like a vendor whitepaper, assume I've failed and let me know.
Certifications & training
If you want to get in touch (questions, a capture worth a second look, paid work) the contact page has a form.

