The Cade Blog
AI for security work
Field notes from building AI for the SOC: how to investigate identity-based attacks, judge the native security agents, and lay the foundation for an autonomous SOC.
-
AI for the SOC
AI for the SOC: What Works, What Doesn't Yet, and the Path to Autonomy (Pillar)
AI for the SOC is stuck in pilots, not production. The three gaps holding it back (human intelligence, operational fit, and judging the native agents) and the path to an autonomous SOC.
-
AI SOC Agents
Judging the Native Security Agents: Security Copilot, Charlotte AI, and Cortex
Microsoft Security Copilot, CrowdStrike Charlotte AI, and Palo Alto Cortex win on their own alerts and are becoming free. Why the move is to orchestrate and judge them, not replace them.
-
Organizational Memory
Tribal Knowledge in the SOC: Why Hand-Curated Knowledge Files Don't Scale
SOC verdicts depend on tribal knowledge that was never written down. Why static knowledge files are a losing race, and how organizational memory captures judgment that compounds.
-
Identity Threat Detection
Investigating Identity-Based Attacks: A Modern SOC Guide (Pillar)
A practitioner's guide to investigating identity-based attacks (AiTM, BEC, and device-code phishing) with evidence tiers, signal correlation, and remediation that actually evicts the attacker.
-
BEC
Business Email Compromise (BEC): The Four Variants and Why a Password Reset Isn't Enough
The four canonical BEC variants, how to investigate them across a rolling window, and why a password reset does not evict the attacker, plus the full eviction checklist.
-
AiTM
AiTM Phishing: SafeLinks + Entra Correlation, Session-Cookie Replay, and Why FIDO2 Wins
How adversary-in-the-middle phishing steals the live session to bypass MFA, the detection signals that catch it, and why FIDO2 passkeys are the durable defense.