David Horák
@BlueTeamDave

Cybersecurity Engineer & Team Leader | Founder of Horizon Secured | MVP | Specialized in AD & Windows Security

Czech Republic · Joined January 2020
70 Following · 58 Followers · 210 posts
David Horák reposted
Horizon Secured @horizon_secured

🔒 Secure Bits 💡 How long has your Active Directory been around?

The older the AD, the more “history” it carries. Admins change, projects come and go… but the leftovers stay - in the form of forgotten misconfigurations and risky settings that attackers love ⚠️

Once an attacker gets a foothold, one of the first things they do is ask: “What does this Active Directory hide?”

Here are a few simple, often overlooked issues I still see during assessments:

🔸 Password never expires + password last changed 10+ years ago
Even worse when it’s a privileged/service account with an SPN.

🔸 Store password using reversible encryption
I honestly don’t see a valid reason for this today.

🔸 Account limited to Kerberos DES encryption types
We’re fighting to remove RC4… DES should have been gone long ago.

🔸 Do not require Kerberos preauthentication
This makes the account vulnerable to offline cracking-style attacks (and yes - I still see it).

These aren’t exotic vulnerabilities. They’re just old “checkbox” settings that no one revisits - and they quietly turn into attack paths.

⸻

You can do a one-time cleanup, of course. But the real problem is drift: things get changed over time and nobody notices.

✅ That’s why I started collaborating with @forestallio and their ISPM platform - its main value is continuous monitoring of AD misconfigurations and threats, so you can catch risky changes before they become a finding (or an incident).

🧪 Want to try it? Because of the collaboration you can get a free trial - comment or DM me.

When was the last time you checked your AD for these settings?

#SecureBits #ActiveDirectory #WindowsSecurity #Hardening #BlueTeam #CyberSecurity #HorizonSecured
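The four checkboxes named in the post are all bits of the userAccountControl attribute, so they can be inventoried with a single LDAP query instead of clicking through accounts. The script below is an added example, not code from the post or from the ISPM platform it mentions; the 10-year staleness cutoff, the output columns and the ActiveDirectory module (RSAT) are assumptions.

```powershell
# Added example, not from the post: inventory the four legacy account settings it lists
# with the ActiveDirectory module. The 10-year cutoff and output columns are assumptions.
Import-Module ActiveDirectory

# userAccountControl bits behind each checkbox in the account's Properties dialog
$uacBits = [ordered]@{
    DONT_EXPIRE_PASSWORD       = 0x10000   # "Password never expires"
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x80      # "Store password using reversible encryption"
    USE_DES_KEY_ONLY           = 0x200000  # "Use Kerberos DES encryption types for this account"
    DONT_REQ_PREAUTH           = 0x400000  # "Do not require Kerberos preauthentication"
}

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) makes the DC do the bit test server-side
$clauses    = $uacBits.Values | ForEach-Object { "(userAccountControl:1.2.840.113556.1.4.803:=$_)" }
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(|$($clauses -join '')))"

$staleCutoff = (Get-Date).AddYears(-10)   # assumption: the post's "10+ years ago"

function Get-LegacyAccountSettings {
    [CmdletBinding()]
    param([string]$SearchBase)   # optional OU distinguished name to scope the query

    $query = @{
        LDAPFilter = $ldapFilter
        Properties = 'userAccountControl','PasswordLastSet','ServicePrincipalName','AdminCount'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $uac = [int]$_.userAccountControl
        $findings = foreach ($name in $uacBits.Keys) {
            if ($uac -band $uacBits[$name]) { $name }
        }
        # "Never expires" is the problem only together with an old PasswordLastSet;
        # a null PasswordLastSet means the password was never rotated, so treat it as stale
        $stale = ($uac -band $uacBits['DONT_EXPIRE_PASSWORD']) -and
                 (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $staleCutoff)

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            Findings        = $findings -join ','
            StalePassword   = [bool]$stale
            PasswordLastSet = $_.PasswordLastSet
            HasSPN          = ($_.ServicePrincipalName.Count -gt 0)   # the post's "even worse" case
            Protected       = ($_.AdminCount -eq 1)                   # AdminSDHolder-protected account
        }
    }
}

# Most urgent rows first: protected accounts, then SPN holders, then stale passwords
Get-LegacyAccountSettings |
    Sort-Object -Property Protected, HasSPN, StalePassword -Descending |
    Format-Table -AutoSize
```

Running this on a schedule and diffing the CSV output against the previous run is the cheapest way to catch the drift the post describes: a new row is a change somebody made, whether or not anyone remembers making it.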
David Horák reposted
Horizon Secured @horizon_secured

We’re happy to share that Horizon Secured is an official partner of TyphoonCon 2026 in Seoul! ⚡

TyphoonCon is a highly technical conference focused on offensive security research, vulnerability discovery, advanced exploitation techniques, reverse engineering, and more. Attendees will also have a chance to win our cybersecurity courses focused on Windows Infrastructure Security and Active Directory.

TyphoonCon 2026
📍 Seoul, South Korea
📅 Date: 25.–29.5.2026
🎟️ Registration: eventbrite.com/e/typhooncon-2…

Registrations are still open — don’t miss it!

#TyphoonCon #TyphoonCon2026 #HorizonSecured #CyberSecurity #InfoSec #ActiveDirectory #WindowsSecurity @typhooncon
David Horák reposted
Horizon Secured @horizon_secured

🔒 Secure Bits 💡 “Just enable MFA. It’s easy.”

Sure… if you can rely on cloud identity. A lot of environments can. But many - often the most critical ones - cannot be connected to the internet at all. And that changes everything.

In fully on-prem / offline Windows environments, MFA often ends up being based on PKI / smart cards and a larger card management system. Nothing wrong with that - but in practice I usually see two patterns:
🔸 Big environment → big budget → full PKI/CMS approach
🔸 Small environment → small scope → a few hardware keys and you’re done
→ But what if you’re stuck somewhere in the middle? Not a huge budget, but also too many accounts to do the manual deployment.

✅ That’s why I started collaborating with @systolan and their solution SystoLOCK. It’s designed for these scenarios and supports multiple integration points:
▪️ Windows domain logon (interactive + RDP + VPN + network shares + UAC/impersonation)
▪️ RD Gateway / RDP farms (single-step experience, no “double prompts”)
▪️ SaaS / cloud via SAML 2.0 / AD FS
▪️ Entra ID federation with local passwordless identities

🧪 Want to try it? Link in comments. Here’s how it works:
1. Open the page → you’ll see the "Request Free Trial" window
2. In the "Promotional code" include HRZN26 (& fill in other details)
3. Click "Request Trial"

💬 Is your environment fully offline, hybrid, or cloud-first?

#SecureBits #WindowsSecurity #ActiveDirectory #MFA #Passwordless #IdentitySecurity #BlueTeam #HorizonSecured
David Horák reposted
Horizon Secured @horizon_secured

🔒 Secure Bits 💡 Do you know how attackers hide inside Active Directory?

It’s called persistence. Attackers often want to stay in your environment long-term without being spotted - which means being a loud Domain Admin is usually not the plan.

To spot this, you need to understand what options attackers have and how ACLs + object relationships can create an escalation path they can quietly keep “ready” for later. A few examples:

1️⃣ AdminSDHolder
AdminSDHolder is an AD container whose ACL is used as a template for privileged accounts and groups. If an attacker modifies permissions here, they can gain powerful access without joining privileged groups - and that’s exactly why it’s dangerous.

2️⃣ DCShadow
DCShadow is based on privileges that allow an account to replicate changes to AD from a compromised “rogue domain controller”. These include:
• Add/Remove Replica In Domain
• DS-Replication-Synchronize
• DS-Replication-Manage-Topology

3️⃣ DCSync
DCSync is based on privileges that allow an account to replicate AD database data (including secrets). These include:
• Replicating Directory Changes
• Replicating Directory Changes All

The tricky part is that some tools and service accounts may legitimately need replication rights or special ACLs - which makes them high-value targets. They’re powerful, but not always obvious.

⸻

🚨 You can check these settings occasionally, sure. But in real environments the bigger problem is drift: changes happen over time and nobody notices.

✅ That’s one reason I started collaborating with @forestallio, specifically their ISPM platform - it helps you detect these persistence methods (ACL changes, replication rights, risky relationships) and alert you early.

🧪 Want to try it? Because of this collaboration you can get a free trial - comment or DM me.

#SecureBits #ActiveDirectory #WindowsSecurity #BlueTeam #CyberSecurity #HorizonSecured
David Horák reposted
Horizon Secured @horizon_secured

🔒 Secure Bits 💡 Did you know you can give someone the ability to add members to Domain Admins… without being a Domain Admin?

Yes — with just a single command.

This technique abuses AdminSDHolder, which acts as a security template for privileged accounts and groups in Active Directory. Every ~60 minutes, the process copies the ACL from the AdminSDHolder object to protected groups such as:
▪️ Domain Admins
▪️ Enterprise Admins
▪️ Schema Admins
▪️ and other protected accounts

If an attacker modifies the ACL on AdminSDHolder, they can grant themselves permissions like WriteMembers.
➡️ Result: They can add themselves to Domain Admins or other privileged groups whenever they want — even if they are not members yet.

This creates a stealthy persistence mechanism that many administrators never check. And that’s the problem. If you don’t know these techniques exist, you’re very unlikely to look for them during normal administration.

🎓 That’s exactly why I created my new short practical course. It focuses on helping administrators and defenders detect dangerous Active Directory scenarios, including:
▪️ Hidden persistence techniques
▪️ Dangerous misconfigurations
▪️ Common attacker abuse paths

The course has a clear outcome: create a simple detection tool of your own

🚀 Early Access is now open & you can receive:
✅ 50% discount
✅ Active Directory Security Checklist

📅 Planned release: March 2026
⏳ Early Access closes: 22.3.2026

💬 Leave a comment if you want to join the Early Access list.

#ActiveDirectory #CyberSecurity #SecureBits #BlueTeam #WindowsSecurity #HorizonSecured
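Both this post and the earlier persistence post come down to two ACLs a defender should read regularly: the ACL of AdminSDHolder (who can write to the template) and the ACL of the domain naming context (who holds the replication rights behind DCSync and DCShadow). The script below is an added example, not code from the posts or from the course or platform they mention. It resolves the rights by the display names the posts use rather than hard-coding GUIDs; the known-good principal list is a placeholder that you replace with your own baseline, and the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example, not from the posts: list who holds replication-related extended rights on
# the domain naming context and who can write to AdminSDHolder, then report anything outside
# an assumed baseline. $expectedPrincipals is a placeholder for your own known-good list.
Import-Module ActiveDirectory   # also provides the AD: PSDrive that Get-Acl reads below

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configDN = $rootDse.configurationNamingContext
$netbios  = (Get-ADDomain).NetBIOSName

# Map display name -> rightsGuid from the schema's Extended-Rights container
$rightNames  = 'Replicating Directory Changes','Replicating Directory Changes All',
               'Replicating Directory Changes In Filtered Set','Replication Synchronization',
               'Manage Replication Topology','Add/Remove Replica In Domain'
$nameClauses = ($rightNames | ForEach-Object { "(displayName=$_)" }) -join ''
$rightByGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configDN" -LDAPFilter "(|$nameClauses)" -Properties displayName,rightsGuid |
    ForEach-Object { $rightByGuid[[guid]$_.rightsGuid] = $_.displayName }

$allRights = [guid]::Empty   # ObjectType of all zeros on an ExtendedRight ACE = every extended right

function Get-ReplicationRightHolders {
    (Get-Acl -Path "AD:\$domainDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
                 ($_.ObjectType -eq $allRights -or $rightByGuid.ContainsKey($_.ObjectType))) -or
                $_.ActiveDirectoryRights -match 'GenericAll')
        } |
        ForEach-Object {
            $right = if ($rightByGuid.ContainsKey($_.ObjectType)) { $rightByGuid[$_.ObjectType] }
                     elseif ($_.ActiveDirectoryRights -match 'GenericAll') { 'GenericAll' }
                     else { 'All extended rights' }
            [pscustomobject]@{ Identity = $_.IdentityReference.Value; Right = $right; Inherited = $_.IsInherited }
        }
}

function Get-AdminSDHolderWriters {
    # Any of these on the template is copied to every protected group within ~60 minutes
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
    (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match $writeRights } |
        ForEach-Object {
            [pscustomobject]@{
                Identity   = $_.IdentityReference.Value
                Rights     = $_.ActiveDirectoryRights.ToString()
                ObjectType = $_.ObjectType   # a specific attribute/property-set GUID, or all zeros for everything
                Inherited  = $_.IsInherited
            }
        }
}

# Placeholder baseline: principals you expect to see. Everything else is a review item,
# including the legitimate sync/backup accounts the persistence post warns about.
$expectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                        "$netbios\Domain Admins", "$netbios\Enterprise Admins",
                        "$netbios\Domain Controllers", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')

"== Replication rights on $domainDN held outside the baseline =="
Get-ReplicationRightHolders | Where-Object { $_.Identity -notin $expectedPrincipals } | Format-Table -AutoSize

"== Write access on AdminSDHolder held outside the baseline =="
Get-AdminSDHolderWriters | Where-Object { $_.Identity -notin $expectedPrincipals } | Format-Table -AutoSize
```

Accounts such as directory sync or backup service accounts will legitimately show up in the first list; the point of the baseline is that they show up once, get documented, and any later addition is a change to investigate.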
David Horák reposted
Horizon Secured @horizon_secured

I’m excited to announce that I’ll be speaking at SPAN Cyber Security Arena 2026! 🇭🇷

🎤 Talk: Active Directory Post-Mortem: Assumptions vs Reality

In this session, I’ll walk through three high-impact Active Directory vulnerabilities — two of them I discovered — that still exist in real environments, but are either unknown or not discussed enough. Along the way we’ll challenge a few common “everyone knows this” assumptions… and I’ll also run a short quiz with prizes 🎁

📍 When & where:
• Thursday, 21 May 2026
• 15:00 – 15:45
• Watchtower Arena
• More info: spanarena.eu

If you’re there, come say hi — I’ll be around after the talk for a chat.

#ActiveDirectory #WindowsSecurity #CyberSecurity #Infosec #Conference #SpanArena #HorizonSecured
David Horák reposted
Horizon Secured @horizon_secured

🚧 New Course Incoming: Active Directory Threat Detection

Short, practical, hands-on course with a clear outcome — and Early Access is open now!

In this course I will show you how to simply create a detection mechanism which alerts you when your defined state of Active Directory changes. Step by step.

Course includes:
🔒 Learn about misconfigurations, threats and persistence methods
🧪 PowerShell script used for the detection mechanism
🖥️ Step-by-step guide on how to put it all together

Join before 27.3.2026 and get:
🎁 Extra discount 50%
🎁 AD security checklist

👉 If you're interested, drop a comment or DM me and I’ll make sure you're on the list.

#ActiveDirectory #CyberSecurity #BlueTeam #WindowsSecurity #InfrastructureSecurity
David Horák reposted
Horizon Secured @horizon_secured

🔒 Secure Bits 💡 Updating Secure Boot certificates on Windows Server continues (pt. 3)

The last puzzle in this series is monitoring. Because as you can see, this process is not trivial or straightforward. Some devices will go through smoothly, others will hit different errors depending on firmware / platform / history — and that’s the worst case. That’s why monitoring is crucial: you need a central view of where each device is in the process.

⸻

🧭 Monitoring approaches (pick what fits your environment):
🔹 manual checks
🔹 PowerShell checks
🔹 startup script that uploads status to a file share
🔹 scheduled tasks / inventory tooling
🔹 …

In my demo I used two approaches: a PowerShell status collector from my friend André Estêvão (thanks!) - that is the first example, and Microsoft’s sample script that writes results to a file share + GPO - that is the second example. Your “best” option depends on how you manage servers and how you want to store/report results.

⸻

✅ What to track:

1️⃣ Event Log (System)
1808 → success / device is updated (certs applied to firmware)
1801 → not applied to firmware (still not updated / blocked)
1795 → firmware handoff error (platform/firmware problem)
There are more events, but in my tests these three were the ones I ran into most often.

2️⃣ Registry keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
🔹 AvailableUpdates
0x0 → nothing being performed
0x5944 → deploy all needed certs + boot manager update (full rollout trigger)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
🔹 UEFICA2023Status
NotStarted → update hasn’t run
InProgress → update running / mid-flight
Updated → update completed
🔹 UEFICA2023Error → error code (if any)
🔹 UEFICA2023ErrorEvent → event ID tied to the error

⸻

Ironically, I fought the most with monitoring on Azure VMs in my demo — I couldn’t get reliable signals that matched what the documentation suggests. Nothing initiated, nothing done, and the MS script didn’t help me explain why. If anyone has cracked that in a clean way, I’d love to compare notes.

These are the most important places to look for signals/status.

⸻

📌 What’s next
Next week I’m going to merge all three parts into a single field notes document you can follow end-to-end. But one more time: these posts are not official guides — just field notes from admins who had to go through it in real environments, so you can be better prepared.

#WindowsServer #SecureBoot
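The event IDs and registry values in the post are exactly the inputs a per-server status collector needs. The function below is an added example of the "PowerShell checks / upload status to a file share" approach; it is not the collector by André Estêvão nor Microsoft's sample script, and the share path, the CSV layout and the use of Confirm-SecureBootUEFI from the SecureBoot module are my assumptions.

```powershell
# Added example, not from the post and not either collector script it mentions: gather the
# event IDs and registry values listed above into one status object per server and, optionally,
# append it to a CSV on a share. The share path and CSV layout are assumptions.
function Get-SecureBootCertUpdateStatus {
    [CmdletBinding()]
    param([string]$OutputPath)   # e.g. '\\fileserver\sbstatus$\status.csv' (placeholder)

    $base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $servicing = Join-Path $base 'Servicing'

    # Read one registry value; returns $null instead of throwing when the key/value is absent
    $read = { param($Path, $Name) (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }

    $available = & $read $base      'AvailableUpdates'
    $status    = & $read $servicing 'UEFICA2023Status'
    $errCode   = & $read $servicing 'UEFICA2023Error'
    $errEvent  = & $read $servicing 'UEFICA2023ErrorEvent'

    # Newest of the three System-log events the post ran into most often
    $eventMeaning = @{ 1808 = 'Updated (certs applied to firmware)'
                       1801 = 'Not applied to firmware'
                       1795 = 'Firmware handoff error' }
    $lastEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1808,1801,1795 } -MaxEvents 1 -ErrorAction SilentlyContinue

    $secureBootOn = try { Confirm-SecureBootUEFI } catch { $null }   # $null = legacy BIOS / unsupported

    $availableHex = if ($null -ne $available) { '0x{0:X}' -f $available } else { $null }
    $meaning      = if ($lastEvent) { $eventMeaning[[int]$lastEvent.Id] } else { $null }

    $record = [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        CollectedAt          = (Get-Date).ToString('s')
        SecureBootOn         = $secureBootOn
        AvailableUpdates     = $availableHex   # 0x0 idle, 0x5944 full rollout trigger
        UEFICA2023Status     = $status         # NotStarted / InProgress / Updated
        UEFICA2023Error      = $errCode
        UEFICA2023ErrorEvent = $errEvent
        LastEventId          = $lastEvent.Id
        LastEventMeaning     = $meaning
        LastEventTime        = $lastEvent.TimeCreated
    }

    # Central view: one row per run, appended to a share a startup script or scheduled task can reach
    if ($OutputPath) { $record | Export-Csv -Path $OutputPath -Append -NoTypeInformation }
    $record
}

Get-SecureBootCertUpdateStatus | Format-List
```

A row where AvailableUpdates is still 0x5944 but UEFICA2023Status has not moved past NotStarted after a reboot, or where LastEventId is 1795, is the "stuck device" the post says monitoring exists to find; sorting the collected CSV by UEFICA2023Status gives the fleet view in one step.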
David Horák reposted
Horizon Secured @horizon_secured

🔒 Secure Bits 💡 The “Trusted Path” Policy That Broke OOBE

This was a weird one—and it took a while to figure out.

I was working on my security baselines and came across a recommendation to enable:
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
🛠️ “Require trusted path for credential entry”

Sounded good, tested fine, so I rolled it out to production. Then the strange bug hit… Admins started reporting broken OOBE screens for local administrator accounts. No matter what we tried—every path led back to the same unusable screen.

Turns out:
🔹 The policy blocked the UAC secure desktop prompt that’s supposed to show up
🔹 That left us stuck in OOBE with no way to proceed

✅ Disabling the policy fixed it immediately.

💡 Fun twist: Microsoft later clarified they never officially recommended this setting. (ehm...gpedit.msc...). But it used to be recommended for some time by other agencies.

So — if you're building or reviewing your baselines, keep an eye on this one. It might save you a few hours of unexpected troubleshooting.

Have you ever enabled this setting? Let me know 👇

#SecureBits #GroupPolicy #WindowsSecurity #CredentialUI #OOBE #GPO #HorizonSecured @BlueTeamDave
David Horák reposted
Horizon Secured @horizon_secured

Default → Hardened
Real configs. Real fixes. Windows & AD security.

Can your Domain Admins log in to endpoints? They shouldn’t. Disable it.

Build multiple tiers with separate privileged accounts for each tier and restrict access with GPO so higher tiers cannot log on to lower tiers ✅. In practice, for example, your T0 (Domain Admin) account must not touch endpoints.

The goal is to prevent any contact between high-value credentials and lower tiers. Endpoints sit closest to the internet and the attacker, and you don’t want high privileged credentials cached there—this is a very simple and fast escalation path ⚠️.

This isn’t a nice-to-have. It’s a core principle of securing Active Directory. Train the mindset and do it properly even if it takes more time.

Want a short, practical walkthrough of this principle? I cover it in a free course — academy.horizon-secured.com/p/windows-infr…

Learn • Build • Defend

#ActiveDirectory #Windows #WindowsSecurity #CyberSecurity #PrivilegedAccess #HorizonSecured @BlueTeamDave
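The GPO restriction the post describes lands on each endpoint as the five "Deny log on ..." user rights, so the quickest way to confirm that Tier 0 really cannot touch a given machine is to read the effective policy there. The script below is an added example, not from the post or its course; it exports the local policy with secedit (so it needs an elevated prompt on the endpoint), and the Tier 0 group names are an assumption you adjust to your own model.

```powershell
# Added example, not from the post: on an endpoint, check whether each Tier 0 group is
# covered by all five "Deny log on ..." user rights. Reads the effective policy via
# secedit (elevated prompt required). The default group list is an assumption.
Import-Module ActiveDirectory   # used only to resolve group SIDs

function Test-Tier0LogonDenied {
    [CmdletBinding()]
    param([string[]]$Tier0Groups = @('Domain Admins', 'Enterprise Admins'))

    # Interactive, RDP, network, batch and service logon: all five must deny Tier 0 on lower tiers
    $rights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
              'SeDenyNetworkLogonRight', 'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'

    # Export the effective security policy; secedit lists each right as *SID,*SID,...
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $assigned = @{}
    foreach ($line in $lines) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $assigned[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object { $_.TrimStart('*').Trim() }
        }
    }

    foreach ($group in $Tier0Groups) {
        $sid = (Get-ADGroup $group).SID.Value
        foreach ($right in $rights) {
            [pscustomobject]@{
                Group  = $group
                Right  = $right
                Denied = ($assigned[$right] -contains $sid)   # $false = this logon type is still open
            }
        }
    }
}

# Show only the gaps; an empty result means the endpoint enforces the restriction fully
Test-Tier0LogonDenied | Where-Object { -not $_.Denied } | Format-Table -AutoSize
```

Checking the effective rights on the machine, rather than reading the GPO, also catches the cases the GPO view hides: a scoping filter that excludes the device, a higher-precedence policy, or a locally edited right.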
David Horák reposted
Horizon Secured @horizon_secured

🔎 From the Field — Real-World Findings from Security Assessments

💥 38.1% of environments I assessed have Windows Firewall turned OFF

I often joke in my courses that the first thing admins do on a new Windows device is disable the firewall. Unfortunately… it’s not really a joke. It’s the sad reality.

🧱 Why?
For historical reasons, many admins still believe Windows Firewall “breaks things” — especially older apps. So they just shut it down. But that mindset is outdated, and in 2026, it’s time we do better.

Some facts:
➡️ By default, Windows Firewall is more open than closed — it won’t block much.
➡️ But it can slow down malware movement.
➡️ And you can configure it exactly as needed — quickly and easily via Group Policy.

How to do it right:
1️⃣ Stop turning it off — leave it ON by default
2️⃣ Define inbound rules only for what’s needed
3️⃣ You can also control outbound rules
4️⃣ Use GPO to enforce:
• Apply local firewall rules: No
• On endpoints: Inbound connections: Block all connections

🔗 And if you need a list of Active Directory ports needed, I’ve got something for you: academy.horizon-secured.com/p/ad-network-p…

And don’t forget — Windows Firewall can log everything. You can see what’s being blocked and adjust rules accordingly.

⚠️ It’s hard to take “Zero Trust” seriously when we’re still disabling built-in firewalls and saying "we have a perimeter firewall, we don’t need this"...

Small steps. Big impact. Turn it back on.

💬 Still disabling it in your environment? Why?

#FromTheField #WindowsSecurity #Firewall #ActiveDirectory #BlueTeam #CyberSecurity #HorizonSecured #ZeroTrust @BlueTeamDave
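The four steps in the post translate into a handful of per-profile settings that the NetSecurity module exposes directly, which makes it easy to audit a host against the intended state before the GPO is trusted to hold it there. The script below is an added example, not from the post; the expectation table is my reading of the post's list, and the endpoint-only "Block all connections" item is modelled as AllowInboundRules = False, which is the profile setting that makes the firewall ignore allow rules.

```powershell
# Added example, not from the post: compare each firewall profile on this host with the
# hardened state the post describes, and optionally apply it. The expectation table is an
# assumption; "Block all connections" on endpoints is modelled as AllowInboundRules=False.
Import-Module NetSecurity

function Test-FirewallBaseline {
    [CmdletBinding()]
    param(
        [switch]$Endpoint,    # endpoints get "Inbound connections: Block all connections"
        [switch]$Remediate    # apply the expected values instead of only reporting drift
    )

    $expected = @{
        Enabled                 = 'True'    # 1) stop turning it off
        DefaultInboundAction    = 'Block'   # 2) inbound only for what is explicitly allowed
        AllowLocalFirewallRules = 'False'   # 4) "Apply local firewall rules: No" - GPO rules only
        LogBlocked              = 'True'    # the log shows what is being blocked
    }
    if ($Endpoint) { $expected.AllowInboundRules = 'False' }   # allow rules ignored on endpoints

    foreach ($fwProfile in Get-NetFirewallProfile) {
        $drift = @{}
        foreach ($setting in $expected.Keys) {
            $actual = [string]$fwProfile.$setting   # enum values compare cleanly as strings
            if ($actual -ne $expected[$setting]) { $drift[$setting] = $actual }
        }

        [pscustomobject]@{
            Profile   = $fwProfile.Name
            Compliant = ($drift.Count -eq 0)
            Drift     = ($drift.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            LogFile   = $fwProfile.LogFileName   # where the blocked connections end up
        }

        if ($Remediate -and $drift.Count -gt 0) {
            $params = @{ Name = $fwProfile.Name }
            foreach ($setting in $drift.Keys) { $params[$setting] = $expected[$setting] }
            Set-NetFirewallProfile @params
        }
    }
}

# Report only; add -Endpoint on a workstation image, and -Remediate once the report is reviewed
Test-FirewallBaseline | Format-Table -AutoSize
```

Run the report on a sample of servers before enforcing DefaultInboundAction = Block through GPO: the LogFile column points at the per-profile log that shows which inbound connections would have been dropped, which is the list of rules you still need to write.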
David Horák reposted
Horizon Secured @horizon_secured

🔒 Secure Bits 💡 You might want to turn off Entra Connect Seamless SSO. Here's why.

In many hybrid Microsoft 365 tenants, Seamless SSO is still enabled — even though it’s no longer needed in modern Entra ID environments. Nothing looks broken. Users sign in just fine. And that’s exactly why this often goes unnoticed.

🤔 Why bother?
Seamless SSO introduces an additional authentication mechanism that most environments don’t actually need anymore. Modern Windows 10/11 devices already rely on Primary Refresh Tokens (PRT) for seamless access. Keeping Seamless SSO expands attack surface unnecessarily — without delivering any value.

Seamless SSO relies on Kerberos-based authentication. It uses a special on-prem AD computer account: AZUREADSSOACC. That account holds a shared secret between on-prem AD and Entra ID. If the secret gets compromised, it weakens your identity trust boundary.

🛠️ Evaluate if you still need Seamless SSO
- Do you have Hybrid Entra Join + Windows 10/11?
- Are you trying to use Modern authentication wherever you can?
- No legacy domain-joined-only scenarios?
If the answer to the questions above is yes, Seamless SSO is likely not needed.

🛡️ Disable Seamless SSO in Entra Connect Sync
- Edit Microsoft Entra Connect configuration in the Change user sign-in section
- Uncheck Enable single sign-on
- Monitor sign-in behavior
- Validate PRT-based authentication continues to work
- Delete the AZUREADSSOACC afterwards

⚠️ Important
- First, check whether Seamless SSO is active using the Audit Kerberos Service Ticket Operations GPO and logs
- Communicate with users before changing auth flows

✅ If you’re aiming for Zero Trust and cloud-native identity, start removing authentication paths you no longer need. If a feature exists only “because it always did”, it’s time to question it.

💬 Have you already disabled Seamless SSO or is it still running quietly in your environment?

Author of the post: @strnad10

#Microsoft365 #EntraID #EntraConnect #HybridIdentity #SecureBits #HorizonSecured #CyberSecurity #CloudSecurity
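The "check whether Seamless SSO is active" step in the post comes down to one question: are domain controllers still issuing service tickets for AZUREADSSOACC? With "Audit Kerberos Service Ticket Operations" enabled, every such ticket is a Security event 4769 whose ServiceName names that account. The function below is an added example, not from the post; it runs on a domain controller (or on a collector that has the DCs' Security logs forwarded to it), and the 30-day window and the key-age check are assumptions.

```powershell
# Added example, not from the post: on a DC with "Audit Kerberos Service Ticket Operations"
# enabled, count 4769 events whose ServiceName is the AZUREADSSOACC computer account. Zero hits
# over a representative window is the evidence to collect before unchecking "Enable single sign-on".
Import-Module ActiveDirectory

function Get-SeamlessSsoTicketUsage {
    [CmdletBinding()]
    param([int]$Days = 30)   # assumption: long enough to cover monthly/quarterly usage patterns

    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $hits = foreach ($e in $events) {
        # Pull the named EventData fields from the event XML instead of parsing the message text
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $svc  = ($data | Where-Object Name -eq 'ServiceName').'#text'
        if ($svc -like 'AZUREADSSOACC*') {   # computer account, so the SPN-style name ends in $
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Client  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
    }

    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        WindowDays       = $Days
        TicketsForSsoAcc = @($hits).Count
        DistinctAccounts = @($hits | Select-Object -ExpandProperty Account -Unique).Count
        LastTicket       = ($hits | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
}

# Age of the shared secret the post mentions: PasswordLastSet is when its Kerberos key was last rolled
Get-ADComputer AZUREADSSOACC -Properties PasswordLastSet -ErrorAction SilentlyContinue |
    Select-Object Name, PasswordLastSet

Get-SeamlessSsoTicketUsage -Days 30 | Format-List
```

Repeat the count on every writable domain controller (tickets are issued wherever the client's KDC happens to be), and if DistinctAccounts is not zero, the Account and Client columns tell you which users or devices still depend on the path before you remove it.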
David Horák reposted
Horizon Secured @horizon_secured

🔒 Secure Bits 💡 Do you use RDP? There’s a surprising risk you might not be thinking about — and it’s already on your machine.

When you use Remote Desktop (RDP) via the MSTSC client, any credentials you enter can be retrieved in plaintext in the process memory. That means your domain admin password could be sitting there, waiting to be pulled — no keylogger needed.

📌 You can’t just flip a setting to disable this. But there are some ways to reduce the risk:
1️⃣ Use a Privileged Access Workstation (PAW) — ideally a physical machine, even if you run a VM PAW on top of it.
2️⃣ Avoid RDP — not always practical in Windows environments.
3️⃣ Use MFA — if there’s no password typed, there’s no password to grab from memory.

🔐 That’s one reason I started collaborating with Systola. I tested their platform, SystoLOCK, which brings native passwordless multi-factor authentication to the Windows ecosystem — including RDP, Windows login, SAML, Radius, and more. It’s simple, works as expected, and the pricing is very reasonable.

🧪 Want to try it? Link in comments. Here’s how it works:
1. Open the page → you’ll see the license options (one is free).
2. Click Request demo.
3. Systola will create your eval account and send access so you can install and test.

If you give it a spin, tell me how it goes — I can help and may be able to arrange a discount for paid tiers.

Do you use MFA for RDP sessions?

#WindowsSecurity #SecureBits #MFA #CyberSecurity #BlueTeam #HorizonSecured
David Horák reposted
Horizon Secured @horizon_secured

🚨 Horizon Alert – February 2026 Patch Tuesday

February brings 6 actively exploited zero-days, primarily focused on security feature bypass and privilege escalation.

Tracked CVEs:
🔸 CVE-2026-21514
🔸 CVE-2026-21510
🔸 CVE-2026-21513
🔸 CVE-2026-21525
🔸 CVE-2026-21533
🔸 CVE-2026-21519

Multiple SYSTEM-level elevation-of-privilege issues and user-interaction document attacks are already being exploited in the wild — making endpoint patch prioritization critical.

Full breakdown and insights available in this month’s Horizon Alert:
🔗 horizon-secured.com/newsletter/

#HorizonAlert #Cybersecurity #PatchTuesday #ZeroDay
David Horák reposted
Horizon Secured @horizon_secured

🔎 From the Field — Real-World Findings from Security Assessments

💥 42.9% of infrastructures I’ve assessed do not properly configure Active Directory Sites and Services

I often see two cases:
▪️ admins configure it “how they feel,” or
▪️ they don’t configure it at all.
Both are wrong.

If you have multiple sites (DCs in multiple physical locations), configure AD Sites and Services to mirror those locations.

Why:
✅ It helps you set replication properly across locations.
✅ Devices can contact the nearest DC—but only if you also define Subnets and tie them to a site.

Keep it simple:
▪️ In most cases, leave the replication topology at default—the KCC will create and adapt the topology once sites are defined. Manual connection links can get complicated.
▪️ Set intersite replication to Change Notification System (AD Configuration partition).
▪️ Create sites to match physical locations, move DCs accordingly, and map subnets to sites. Nothing more.

What’s your approach for this?

#Sites #CyberSecurity #Infrastructure #Hardening #BlueTeam #HorizonSecured #FromTheField @BlueTeamDave
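The three "keep it simple" items in the post (sites matching locations with DCs moved into them, subnets mapped to sites, change notification on site links) can all be verified read-only from the Configuration partition. The script below is an added example, not from the post; it uses the ActiveDirectory module's replication cmdlets, and the finding texts are my wording. The USE_NOTIFY flag it reads is bit 0x1 of the site link's options attribute, which is what enabling change notification on a site link sets.

```powershell
# Added example, not from the post: read-only report of sites, their DCs and subnet counts,
# plus whether each site link has intersite change notification enabled. Finding texts are
# my wording; nothing is modified.
Import-Module ActiveDirectory

function Get-AdSiteTopologyReport {
    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter *
    $dcs     = Get-ADDomainController -Filter *
    $links   = Get-ADReplicationSiteLink -Filter * -Properties options

    # Per-site summary: a site with DCs but no subnet is never selected by a client's DC locator
    $siteRows = foreach ($site in $sites) {
        [pscustomobject]@{
            Site        = $site.Name
            DCs         = ($dcs | Where-Object Site -eq $site.Name).Name -join ','
            SubnetCount = @($subnets | Where-Object { $_.Site -like "CN=$($site.Name),*" }).Count
        }
    }

    # USE_NOTIFY (0x1) in the siteLink options attribute = "Change Notification" for intersite replication
    $linkRows = foreach ($link in $links) {
        [pscustomobject]@{
            SiteLink           = $link.Name
            Sites              = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ','
            ChangeNotification = [bool]($link.options -band 0x1)
            CostPerMinutes     = "$($link.Cost)/$($link.ReplicationFrequencyInMinutes)"
        }
    }

    [pscustomobject]@{
        Sites     = $siteRows
        SiteLinks = $linkRows
        Findings  = @(
            foreach ($r in $siteRows) {
                if ($r.DCs -and $r.SubnetCount -eq 0) { "Site '$($r.Site)' has DCs but no subnet mapped" }
                if ($r.Site -eq 'Default-First-Site-Name' -and $r.DCs) { "DCs still in Default-First-Site-Name: $($r.DCs)" }
            }
            foreach ($l in $linkRows) {
                if (-not $l.ChangeNotification) { "Site link '$($l.SiteLink)' replicates on schedule only (no change notification)" }
            }
        )
    }
}

$report = Get-AdSiteTopologyReport
$report.Sites     | Format-Table -AutoSize
$report.SiteLinks | Format-Table -AutoSize
$report.Findings
```

The report deliberately leaves connection objects alone, in line with the post's advice to let the KCC build the topology; if the Findings list is empty, the remaining question is only whether the site names actually match the physical locations.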
David Horák reposted
Horizon Secured @horizon_secured

🎄 Christmas Giveaway

On Sunday 21.12.2025 I’ll draw 3 winners from the comments — one prize each:
🎁 Winner #1: Windows Infrastructure Security (full course)
🎁 Winner #2: Building a Secure Active Directory (hands-on course)
🎁 Winner #3: 3 paid mini-courses

How to enter:
👍 Like this post + 💬 Comment (e.g., “IN” or tag a teammate). That’s it.

I’ll announce the winners on 21.12.2025. Good luck & happy hardening! 🔐

#Christmas #Giveaway #HorizonSecured #Cybersecurity
David Horák reposted
Peter Girnus 🦅 @gothburz

Last quarter I rolled out Microsoft Copilot to 4,000 employees. $30 per seat per month. $1.4 million annually. I called it "digital transformation." The board loved that phrase. They approved it in eleven minutes. No one asked what it would actually do. Including me.

I told everyone it would "10x productivity." That's not a real number. But it sounds like one. HR asked how we'd measure the 10x. I said we'd "leverage analytics dashboards." They stopped asking.

Three months later I checked the usage reports. 47 people had opened it. 12 had used it more than once. One of them was me. I used it to summarize an email I could have read in 30 seconds. It took 45 seconds. Plus the time it took to fix the hallucinations. But I called it a "pilot success." Success means the pilot didn't visibly fail.

The CFO asked about ROI. I showed him a graph. The graph went up and to the right. It measured "AI enablement." I made that metric up. He nodded approvingly. We're "AI-enabled" now. I don't know what that means. But it's in our investor deck.

A senior developer asked why we didn't use Claude or ChatGPT. I said we needed "enterprise-grade security." He asked what that meant. I said "compliance." He asked which compliance. I said "all of them." He looked skeptical. I scheduled him for a "career development conversation." He stopped asking questions.

Microsoft sent a case study team. They wanted to feature us as a success story. I told them we "saved 40,000 hours." I calculated that number by multiplying employees by a number I made up. They didn't verify it. They never do. Now we're on Microsoft's website. "Global enterprise achieves 40,000 hours of productivity gains with Copilot." The CEO shared it on LinkedIn. He got 3,000 likes. He's never used Copilot. None of the executives have. We have an exemption. "Strategic focus requires minimal digital distraction." I wrote that policy.

The licenses renew next month. I'm requesting an expansion. 5,000 more seats. We haven't used the first 4,000. But this time we'll "drive adoption." Adoption means mandatory training. Training means a 45-minute webinar no one watches. But completion will be tracked. Completion is a metric. Metrics go in dashboards. Dashboards go in board presentations. Board presentations get me promoted. I'll be SVP by Q3.

I still don't know what Copilot does. But I know what it's for. It's for showing we're "investing in AI." Investment means spending. Spending means commitment. Commitment means we're serious about the future. The future is whatever I say it is. As long as the graph goes up and to the right.
David Horák reposted
Peter Girnus 🦅 @gothburz

Last week our CISO asked me to present on “zero trust architecture.” I don’t know what that means. I make $340,000 a year. I haven’t touched a firewall since Obama’s first term. But I have a CISSP. I passed by memorizing acronyms. I still don’t know what half of them stand for.

I opened my presentation with “assume breach.” Everyone nodded gravely. I said “defense in depth” three times. The board was captivated. Then a junior analyst raised her hand. She asked how we’d implement microsegmentation. I felt a cold sweat. I said, “Great question. Let’s take that offline.” She persisted. I said we should “leverage AI-driven solutions.” She asked which ones. I said, “The cloud-native ones.” She looked confused. I told her confusion was natural. I said, “Security is a journey, not a destination.” The CEO started clapping. I don’t know why. But others joined in. The analyst stopped asking questions.

I ended with “security is everyone’s responsibility.” This meant it was no one’s responsibility. Especially not mine. We got breached two weeks later. I blamed the analyst for “creating a culture of doubt.” She got put on a PIP. I got promoted to VP.

Resilience isn’t about preventing failure. It’s about surviving it. Preferably while others don’t.