Living off the Cloud: Modern Persistence in M365 & Workspace
How attackers maintain access in Microsoft 365 and Google Workspace without classic malware: OAuth consent, automation abuse, and identity misdesign—plus what to log and how to respond.
Research Notes are short-to-medium length writeups that sit between blog posts and formal papers. They encode adversary tradecraft and recommendations for real environments: cloud, SaaS, identity, detection, and IR.
A practical approach to building a minimal signal set that still catches meaningful attacks, with examples across identity logs, endpoint telemetry, and SaaS audit trails.
Lessons from running incident simulations where leadership, legal, and engineering all participate—what works, what fails, and how to design exercises that lead to concrete change.
Where identity architecture—not just MFA configuration—creates systemic risk, with examples in Entra ID and Workspace and concrete patterns for hardening.
How security narratives are often misaligned with actual exposure, and ways to present cloud, identity, and SaaS risk to leadership without hand-waving.
Why AI assistants integrated with M365, Google Workspace, and SaaS behave like power users with perfect memory—and what that means for access, logging, and incident response.