Applied Interpretability: Foundation-Sec-Instruct Goes Under the Microscope
Exploring mechanistic interpretability methods for understanding internal behavior of security-focused language models.
Research
Publications
LUCID (LLM-driven Understanding, Classification & Insight for Detections)
A framework for transforming traditional detection engineering logic into LLM-driven reasoning systems.
Toward Quantitative Modeling of Cybersecurity Risks due to AI Misuse
A framework for estimating cyber risk introduced by malicious and unintended AI use patterns.
The Threat Hunter's Cookbook
Hands-on guide for modern threat hunting workflows with practical methods and queries.
The PEAK Threat Hunting Framework
A structured framework for model-assisted and evidence-driven threat hunting workflows.
Talks & Appearances
CERT-EU: Defending at Machine Speed Talk
Presentation materials for Defending at Machine Speed, focused on practical use of security context to improve AI-assisted detection and response workflows.
The TTP Ep15: The Threat Hunter's Cookbook Video
YouTube appearance focused on methods and use cases from The Threat Hunter's Cookbook.
AI attackers on adoption curve with first report of a novel malware strain Video
Video appearance covering AI-enabled adversary trends and emerging malware behavior.
The TTP Episode 7: Explore this year's Macro-ATT&CK findings Video
YouTube discussion of annual Macro-ATT&CK findings and defender takeaways.
Threat Informed Planning with Macro-level ATT&CK Trending Video
YouTube appearance discussing threat-informed planning and macro-level ATT&CK trend analysis.
Splunk Blog Work
Predicting Cyber Fraud Through Real-World Events: Insights from Domain Registration Trends
By analyzing new domain registrations around major real-world events, researchers show how fraud campaigns take shape early, helping defenders spot threats before scams surface.
Introducing… The Threat Hunter’s Cookbook!
The security experts on the SURGe team have released The Threat Hunter’s Cookbook, a hands-on guide for security practitioners that features actionable insights into threat hunting methods, ready-to-use queries, and more.
Defending at Machine Speed: Guiding LLMs with Security Context
Enhance LLM performance for cybersecurity tasks with few-shot learning, RAG, & fine-tuning guide models for accurate PowerShell classification.
Defending at Machine-Speed: Accelerated Threat Hunting with Open Weight LLM Models
Splunker Ryan Fetterman explains how Splunk DSDL 5.2 enhances cybersecurity operations, streamlining PowerShell script classification and reducing analyst workload by 250x.
Autonomous Adversaries: Are Blue Teams Ready for Cyberattacks To Go Agentic?
Explore the impact of autonomous adversaries on cybersecurity as AI and LLMs evolve.
Macro ATT&CK for a TTP Snack
Splunk's Mick Baccio and Ryan Fetterman explore 2024's macro-level cyber incident trends through the lens of the MITRE ATT&CK framework.
Macro-ATT&CK 2024: A Five-Year Perspective
Splunk’s Ryan Fetterman and Tamara Chacon dive into attacker techniques, trends, and blue team tips for analyzing and visualizing data from the past year.
Add To Chrome? - Part 4: Threat Hunting in 3-Dimensions: M-ATH in the Chrome Web Store
SURGe experiments with a method to find masquerading using M-ATH with Splunk and the DSDL App.
Revisiting the Big Picture: Macro-level ATT&CK Updates for 2023
SURGe reviews the latest attacker trends and behaviors with this look at four years of ATT&CK data from some of the largest and most trusted threat reporting sources.
Threat Hunting for Dictionary-DGA with PEAK
Explore applied model-assisted threat hunting for dictionary-based domain generation algorithms using the SURGe Security Research Team's PEAK Threat Hunting Framework.
Model-Assisted Threat Hunting (M-ATH) with the PEAK Framework
Welcome to the third entry in our introduction to the PEAK Threat Hunting Framework! Taking our detective theme to the next level, imagine a tough case where you need to call in a specialized investigator. For these unique cases, we can use algorithmically-driven approaches called Model-Assisted Threat Hunting (M-ATH).
Paws in the Pickle Jar: Risk & Vulnerability in the Model-sharing Ecosystem
As AI / Machine Learning (ML) systems now support millions of daily users, has our understanding of the relevant security risks kept pace with this wild rate of adoption?
Zoom. Enhance!: Finding Value in Macro-level ATT&CK Reporting
Aggregated analysis of global ATT&CK-mapped threat reporting