Security notes, write-ups and methodology published as they get written (or refactored). If you’re into cybersecurity, cloud or GRC, there’s probably something here for you. If not, there’s always Miscellaneous.
What stays private
Governance Risk and Conformity
Governance, Risk and Conformity is the map of content for this section. It currently covers EBIOS RM, the French risk assessment methodology widely used in regulated environments.
More content on the topic is planned, ideally in the following order:
- ISO 27001/2/5: auditing and implementing, from both technical and organizational standpoints.
- NIS2: examine the directive's articles, explain thoroughly what it actually means for a company and how to implement it.
- DORA: lex specialis overriding the NIS2 directive for the financial sector. Analysis of the differences in requirements.
- CISSP: preparing for the certification, writing up the learning process, and useful feedback during and after the training.
- Systems Thinking & System Dynamics: how to use these concepts in cybersecurity and governance?
Cloud & Infrastructure
Cloud explained without assuming you already know about the topic.
Cloud Fundamentals starts from the NIST definition (not the marketing version) and covers public/private/hybrid models, service delivery tiers and why the distinction actually matters. Written after explaining SaaS to someone who had been using it for years without knowing it.
- Google Cloud Platform
- Microsoft Azure (in progress)
- Amazon Web Services (in progress)
Offensive Security
Practical security notes on platforms, methodology and write-ups.
PortSwigger Web Security Academy is where most of the published content lives right now: lab write-ups covering SQL injection, XSS, SSRF and more, written with the full thought process rather than just the solution. If you want the "how did you get there" rather than just the answer, that's the point.
Hack The Box and Root Me notes are a bit different. They are less about individual solutions and more about how to actually get value out of these platforms without wasting months going in blind. I made those mistakes and try to share insights so you don't have to.
Before diving into any of these platforms
Read Learning Process first. Genuinely.
IT & Systems
Deeper dives into specific subjects where security is always somewhere nearby.
- Intel Hybrid Architecture and Virtualization: P-cores, E-cores, what Windows gets wrong about scheduling, and how to fix VMware Workstation when it dedicates efficiency cores to your VM.
- Block-level Encryption on Linux: LUKS, LVM, full disk encryption and its actual limitations.
- Challenge: OSINT + LUKS decryption: combining public OSINT with custom wordlist cracking. Doable without specialised hardware.
Worth taking a look at
Silverhack works on monkey365, a great tool that partially covers the CIS benchmark for Microsoft 365; it is maintained and active.
Klcium: write-up on ELF dynamic entries on Android.
Shout-out to jackyzha0.