The landing site for Trackr Services
Keyless OIDC federation killed long-lived AWS keys in CI, but it moved the trust boundary into a JSON condition block most teams wrote once and never reread. Here is where the sub-claim hole lives, what CloudTrail can and can’t tell you, and why this is a configuration audit before it is ever a detection.
The June 2026 Atomic Arch campaign weaponized abandoned AUR packages with a Rust infostealer and an eBPF rootkit. The mechanism wasn’t an exploit — it was the orphan-adoption process working exactly as designed.
CVE-2025-32463 lets any local user reach root through sudo’s chroot option, and it patches in an afternoon. The detection most teams wrote for it alerts on the wrong binary — here’s the field to key on and the false positives that flood you first.
Ubuntu 24.04 enabled AppArmor mediation of unprivileged user namespaces by default, then Qualys published three ways around it. Here’s what the control actually stops, the audit chain that proves it fired, and how to detect abuse without flooding the SOC.
An out-of-bounds read in Ollama’s model quantization path leaks process heap, and the data leaves through Ollama’s own /api/push. The detection problem isn’t the read, it’s that the box almost certainly isn’t logging anything.
An attacker with app-management rights doesn’t need another password. They add their own secret to a trusted service principal and authenticate as the app, outside MFA and outside Conditional Access. Here is what the audit event looks like, what the first round of tuning has to fix, and where the cleanest preventive control hides behind a SKU you probably didn’t buy.
On ESXi the logs that explain how an intruder got root are written to a ramdisk that a reboot erases. Here is where the evidence actually lives, what to detect before it’s gone, and how it maps to the audit-storage controls the architecture violates by default.
Device code phishing produces a clean, MFA-satisfied sign-in on Microsoft’s own infrastructure — and most of the telemetry that betrays it sits in the Entra non-interactive log table teams drop to save money. Here’s where the detection actually lives, how the threshold flips between a Windows shop and a dev-heavy tenant, and the persistence artifacts the closeout always skips.
GTG-1002 showed an AI agent running recon through exfiltration at machine speed across roughly 30 targets. A blue-team analysis of the behavioral tells, the identity and SIEM signals that expose autonomous operations, how to break the adversary’s loop, and where defensive AI agents help versus where the human-in-the-loop line stays.
Encryption-type detancy deton Kerberos TGS requests still catches lazy roasting, but as RC4 gets disabled the durable signal moves to behavior. What to grep for, why the AES downgrade tell degrades, and how to kill service-account false positives before they bury the SOC.
