There are a number of reasons why an organization or network may have no meaningful EDR or endpoint instrumentation. With or without EDR tooling, when an indicator of compromise points at a compute instance, something still has to supply the evidence on the left of the equals sign. In such cases, when there is threat hunting to be done, we have to use what is at hand, or worse, talk someone through live response who is neither experienced nor prepared for it. This video gives a quick overview of the openDR project which, given Python 3, can be up and running in a matter of minutes without requiring any security knowledge of the operator. The tool currently works under Windows, Linux and macOS. Over the summer we added network event enrichment and Sigma rule support, both covered in the video.
Month: November 2025
SHOW AND TELL: THE CAUSALITY PROJECT
Expanding on this recent post (https://www.linkedin.com/posts/activity-7389333041816481792-LdEb):
How was the prediction made? How did we predict that CVE-2025-33073, published in June, would eventually be added to a Known Exploited Vulnerabilities (KEV) list? And how can a third party audit that the prediction was recorded forward in time, before the exploitation became public, rather than reconstructed after the fact? This show and tell video explains the CAUSALITY project, which has generated 132 provable CVE predictions since January with a mean early warning time of 124.5 days.
The difference between exploitation detection and exploitation prediction is akin to the difference between detecting a missile launch and detecting a missile detonation – two very different outcomes. Every exploitation cycle we can avoid gives time back to dev and business teams in addition to security.
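One way to make a prediction auditable forward in time, added here as an illustration and not the CAUSALITY project's own code or method, is a hash commitment: hash the prediction together with a random nonce, publish only the digest somewhere that carries an independent timestamp (a public post, an RFC 3161 timestamp, a transparency log), and reveal the prediction and nonce once the CVE lands on a KEV list. An auditor re-derives the digest and checks that the commitment's publication date precedes the KEV date; the early warning time is simply the gap between the two. The CVE ids, dates and nonces below are constructed sample data with placeholder identifiers, not real predictions.

```python
"""Added example (not CAUSALITY's code): hash-commitment scheme for
recording a CVE exploitation prediction so a third party can verify it
was made before the CVE was added to a KEV list, plus the early-warning
arithmetic. All ids, dates and nonces are constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from datetime import date
from statistics import mean


def canonical(prediction: dict) -> bytes:
    """Deterministic JSON so committer and auditor hash identical bytes."""
    return json.dumps(prediction, sort_keys=True, separators=(",", ":")).encode()


def commit(prediction: dict, nonce: bytes | None = None) -> tuple[str, bytes]:
    """Produce a hiding, binding commitment to a prediction.

    The hex digest is what gets published at prediction time, in a place
    that carries an independent timestamp. The 32-byte nonce stops anyone
    brute-forcing the small space of plausible predictions from the digest.
    Prediction and nonce stay private until the outcome is known.
    """
    nonce = nonce if nonce is not None else secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + canonical(prediction)).hexdigest()
    return digest, nonce


def audit(entry: dict) -> dict:
    """Re-derive the commitment from the revealed prediction and nonce, then
    check ordering: the independently timestamped publication date of the
    commitment (committed_on) must precede the KEV addition date. A date
    written inside the prediction itself proves nothing; only the external
    publication date counts."""
    recomputed = hashlib.sha256(entry["nonce"] + canonical(entry["prediction"])).hexdigest()
    binding_ok = hmac.compare_digest(recomputed, entry["commitment"])
    committed_on = date.fromisoformat(entry["committed_on"])
    kev_added = date.fromisoformat(entry["kev_added"])
    lead_days = (kev_added - committed_on).days
    return {
        "cve": entry["prediction"]["cve"],
        "binding_ok": binding_ok,
        "forward_in_time": binding_ok and lead_days > 0,
        "lead_days": lead_days,
    }


def mean_early_warning(entries: list[dict]) -> float:
    """Mean lead time (days) over the predictions that survive the audit."""
    leads = [r["lead_days"] for r in map(audit, entries) if r["forward_in_time"]]
    return mean(leads) if leads else 0.0


def build_sample_ledger() -> list[dict]:
    """Constructed ledger with placeholder CVE ids and fixed nonces so the
    results are reproducible. Two honest predictions, one commitment
    published only after the KEV date, and one whose revealed prediction
    does not match what was committed to."""
    def entry(cve, committed_on, kev_added, nonce_byte, tamper=False):
        prediction = {"cve": cve, "claim": "will be added to a KEV list"}
        commitment, nonce = commit(prediction, bytes([nonce_byte]) * 32)
        if tamper:  # auditor is shown a different claim than was committed
            prediction = dict(prediction, cve=cve + "-edited")
        return {"prediction": prediction, "nonce": nonce, "commitment": commitment,
                "committed_on": committed_on, "kev_added": kev_added}

    return [
        entry("CVE-0000-0001", "2025-01-10", "2025-05-20", 1),  # 130 days early
        entry("CVE-0000-0002", "2025-03-01", "2025-03-31", 2),  # 30 days early
        entry("CVE-0000-0003", "2025-07-15", "2025-07-01", 3),  # committed after KEV
        entry("CVE-0000-0004", "2025-02-01", "2025-04-01", 4, tamper=True),
    ]


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for result in map(audit, ledger):
        print(result)
    print("mean early warning (days):", mean_early_warning(ledger))
```

Only entries that both re-hash to the published digest and were published before the KEV date count toward the mean; a late commitment or a reveal that does not match the digest is rejected rather than silently averaged in.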