Alex Teixeira

12.7K posts

@ateixei

I design and build #SIEM content for a living. Editor at https://t.co/WIrKw7X1p5 #DetectionEngineering & Research, #ML #Stats x-Splunk

🇪🇺 Joined November 2010
1.1K Following, 3.3K Followers
Alex Teixeira retweeted
Thomas Roccia 🤘 @fr0gger_
🤓 Very nice overview of using AI Agents/LLM for malware reversing by @mr_phrazer. It shows clearly how a defined workflow will help an agent do a better analysis. He also addresses valid current limitations and I want to address some of them in this tweet.

1. Human In The Loop (HITL)
On highly obfuscated or unusual samples, the agent alone will not be enough for now. You will need a human in the loop to validate, approve, refine, or guide the analysis. (Even on more regular samples HITL remains useful.)

2. Static vs dynamic analysis
The limitations discussed in the blog are mostly true for static analysis. But if you add dynamic analysis to your workflow, the agent gets additional context, and packed or obfuscated samples can be solved (in most cases, not all of them). But you also get behavioral data, memory traces, execution data... all of that will reduce blind spots.

3. Context window
With a single agent the context window can get overwhelmed quickly. Binary analysis can fill out the context just by disassembling one function; because of that, the agent can miss important information which will not be processed. There are multiple ways to address this.
First, a multi-agent architecture splits the context across agents so no single agent carries everything. You increase the context windows by leveraging the window of several agents, useful to split tasks too. Tim mentions the use of Subagent which is delegated by the orchestrator skill, so in some cases the split may not be sufficient to save enough information; clearly defining multi agents with specific tasks can improve this.
Second, you can architect a persistent memory system. For large data the most common approach is RAG, but the retrieval strategy depends also on what you are building, so I will not discuss that here as there is a multitude of ways to implement it with more or less efficiency. In the blog, memory is stored in md files, which can be limited for extensive analysis. Usually a mix of short term memory and long term memory will be the best approach but it can be more difficult to orchestrate.

4. Output validation
We touched on this with HITL but validation is also closely tied to the context window problem. One additional approach worth mentioning: LLM-as-a-judge, where a separate system/agent/model will evaluate the output for accuracy grounded in the raw data. Additionally, as Tim mentioned in the blog, this will likely improve with the next iteration of models.

5. Monitoring and visibility
There is one last piece to discuss which is probably the most important point to add. If you run an agent architecture and only validate the final output, you are missing the reasoning steps, the intermediate decisions, and the potential evasion or exploitation of your system. This is important for accuracy, for security, for automation reliability and for the quality of the final output. You need visibility into what the agent actually did and not only what it concluded.

Awesome blog overall! These limitations exist and there are already some solutions, and the same was true two years ago. The main difference now is that models are significantly more reliable than they were 2 years ago and it will likely continue to improve. I hope that this shows that malware analysis with AI is far from copy pasting a sample into Claude and hoping for the best. Tim demonstrated one step further with structured workflows, Agents, Skills and MCP. Now you can think about the next steps! 🙂
Tim Blazytko @mr_phrazer

New blog post: Building a Pipeline for Agentic Malware Analysis
Agentic RE + malware analysis with custom skills, MCP tooling, and persistent case state to automate initial triage
Link: synthesis.to/2026/03/18/age…
Github: github.com/mrphrazer/agen…

Alex Teixeira retweeted
mthcht @mthcht2
LOLFSAAS
Living off Free SaaS
Hundreds of SaaS platforms with free tiers, documenting abuse surface, opsec risks, authent methods, C2 framework mappings, and operational limits.
lolfsaas.github.io
Alex Teixeira retweeted
Florian Roth ⚡️ @cyb3rops
People who laugh and comment “who still uses telnet” have no idea how this industry actually works - or how power plants, warships, factories, baggage handling systems and other control and logistics systems are planned, built and expected to last for decades
The Hacker News @TheHackersNews

⚠️ WARNING - An unpatched critical telnetd bug (CVE-2026-32746) lets attackers gain full system access with no credentials. One connection to port 23 is enough to trigger memory corruption and execute code as root. No patch yet. Prior telnet flaw is already exploited in the wild. 🔗Read → thehackernews.com/2026/03/critic…

Alex Teixeira retweeted
Cyber Security News @The_Cyber_News
⚡ Researchers Decrypt and Exploit Encrypted Palo Alto Cortex XDR BIOC Rules | Source: cybersecuritynews.com/decrypt-and-ex…

A critical evasion flaw in Palo Alto Networks’ Cortex XDR agent that allowed attackers to bypass behavioral detections completely. By reverse-engineering these encrypted rules, the InfoGuard Labs team discovered hardcoded global whitelists that enabled threat actors to execute malicious actions without triggering security alerts.

Palo Alto Cortex XDR relies heavily on Behavioral Indicators of Compromise (BIOCs) to identify malicious activity on endpoints. These rules are shipped in an encrypted format to prevent tampering and analysis by outside parties.

#cybersecuritynews
Alex Teixeira retweeted
Mo @atmoio
AI is making CEOs delusional
Alex Teixeira retweeted
rcegan @rcegann
Seen a lot of chat online recently about rolling out deception technology and wanted to share my thoughts on using the SIEM as your deception platform (for free!). Sample KQL provided :) TL;DR - It's cheaper, easier, and quicker than you think. detect.fyi/detection-via-…
Alex Teixeira retweeted
Sayan @thesayannayak
At this rate everyone’s gonna have their own app and zero users.
Mundo Do Tênis 🎾 @mundodotenispod
Indian Wells 2026 final: Sinner vs. Medvedev. Predictions? Mine: Sinner. But...
Alex Teixeira retweeted
Florian Roth ⚡️ @cyb3rops
It’s probably just me
JAMES WEBB @jameswebb_nasa
This is the best video you will see today. I swear!
Alex Teixeira retweeted
Om Patel @om_patel5
stop spending money on Claude Code. Chipotle's support bot is free:
Alex Teixeira retweeted
Kostas @Kostastsale
Today I’m launching Threat Hunting Labs. Over the years I’ve analyzed many real-world intrusions. One thing became obvious: most training platforms don’t resemble how investigations actually happen. So I built something different. Threat Hunting Labs focuses on investigation-driven learning using real telemetry and structured investigative paths. If you want to get better at investigating breaches, you should practice investigating breaches. More details here: threathuntinglabs.com/blog/introduci…
Alex Teixeira retweeted
rcegan @rcegann
I'll never stop shilling for @badsectorlabs and Ludus. Just got my NFR key and the team have added some long-requested features that really elevate the whole experience. Interactive range designer FTW