Chris Sanders 🔎 🧠
chrissanders88.bsky.social
Digital Forensic Analyst, Researcher, Author

Ed.D.

Founder Applied Network Defense and Rural Tech Fund

Former Mandiant, InGuardians, DoD

Author: Intrusion Detection Honeypots, Practical Packet Analysis, Applied NSM
Investigation Scenario 🔎

You know an attacker accessed several customer support workstations in the past month based on discovery of a consistent persistence mechanism. You suspect wider access, but auth logs only go back 24h. How can you determine where else the attacker went?

#InvestigationPath
January 20, 2026 at 3:03 PM
Investigation Scenario 🔎

While reviewing group membership on a Windows domain, you discover that the account of a former IT employee is still active. They left the company nearly a year ago.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
January 13, 2026 at 3:00 PM
"People tend to show a bias in favor of higher paid peers as collaboration partners, while they show an aversion to hiring people with higher pay histories as subordinates."
January 9, 2026 at 2:50 PM
"Did the host successfully download the EXE? If so, what changes were made to the system?"

How could we improve this investigative path with stronger questions?

#SOC #DFIR
January 7, 2026 at 3:39 PM
Semi-annual reminder that if you're one of my Applied Network Defense students, you have access to my open office hours. I just updated those for the first half of the year. Details inside your class portal.
January 7, 2026 at 3:24 PM
Investigation Scenario 🔎

While reviewing asset scanning reports, you’ve discovered a Mint Linux system that does not appear on any change request.

What do you look for to investigate the origin of the system and whether malicious activity occurred?

#InvestigationPath #DFIR #SOC
January 6, 2026 at 3:00 PM
Today's the last day for tax-deductible donations to US charitable organizations.

I hope you'll consider the meaningful work we're doing with the Rural Technology Fund.

Even if not, I hope you'll connect with a cause that matters to you and helps folks.
December 31, 2025 at 5:04 PM
I spent three hours today trying to figure out why I couldn't get my smoker up to 275... I've never had this issue with my offset before...

A bird had built a nest in my smoke stack... A bird. A. BIRD.

(The bird was not present during this event)
December 24, 2025 at 7:24 PM
I've just notified our TWO Golden Ticket winners! If you entered, check your email!
December 22, 2025 at 9:07 PM
Today's the LAST DAY to enter our Golden Ticket Fundraiser for @ruraltechfund! We are SO CLOSE to our fundraising goal! Enter and win some great prizes!
December 19, 2025 at 2:33 PM
In search of cultivating a more cognitively diverse brain, research provides strategies...

"... [Viewing] abstract art elicited greater interindividual variability in activity within higher-order, associative brain areas" compared to representational art. 🎨🧠
December 17, 2025 at 3:15 PM
I just published my annual list of the best books I read all year...

chrissanders.org/2025/12/my-...

What are some of your favorite books you encountered in 2025?
December 17, 2025 at 3:14 PM
What's the best interview question you've been asked (or used) for a SOC Analyst/Forensic/Hunting/Threat Intel role?
December 17, 2025 at 3:12 PM
"Those who ultimately come to occupy the most influential positions exhibit early and accurate representations of their network’s general, abstract structure (i.e., who belongs to which communities and cliques)."
December 16, 2025 at 3:26 PM
Investigation Scenario 🔎

While reviewing web logs on a Linux Apache server, you discover inbound requests for PHP pages. However, the server is not reported to host PHP content.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
December 16, 2025 at 3:00 PM
Unsurprisingly, LLMs can boost creativity, BUT... primarily for those who employ metacognitive strategies along with their use. We're talking about actively reflecting on how they're using it and adapting it to complement existing ways of thinking. 🧠
December 15, 2025 at 5:18 PM
If you have influence in our industry, people will eventually try to pay you to endorse their product without disclosing that you were compensated.

Ask yourself... do you think that you're the first and only person they've approached?
December 12, 2025 at 2:42 PM
It's harder to sustain attention the longer a task takes. That's pretty well established, but importantly and often overlooked is that this effect remains *even if the task is engaging*.

Even if we think we're actively engaged, the mind wanders more with time.
December 11, 2025 at 3:20 PM
Lest we forget observer bias -- In part of this recent experiment, managers were more likely to rate employees they monitored more frequently as less productive, even though their productivity was on par with that of other employees.
December 10, 2025 at 5:29 PM
Incredibly meaningful lessons learned from a student in my Practical Threat Hunting course...

The research doesn't distract from the work; it *is the work*.

Bonus? You get to carry that attack knowledge to future hunts and investigations.
December 9, 2025 at 3:15 PM
Investigation Scenario 🔎

A Windows system executed dsa.msc for the first time.

What do you look for to investigate whether an incident occurred AND its scope?

#InvestigationPath #DFIR #SOC
December 9, 2025 at 3:00 PM
My friends, the time has come. This holiday season, I'm giving away a golden ticket that grants free entry into ALL my training courses, a year's worth of chocolate, and tons of other amazing prizes.
December 3, 2025 at 3:00 PM
FINAL DAY!!

Every one of my courses is 25% off until midnight 🚀✨

It's the only sitewide sale we do all year, and the cheapest you'll see these courses.

This discount is for all y'all, so use the code ALLYALL at checkout.

View my courses here: networkdefense.io/
December 2, 2025 at 3:00 PM
Investigation Scenario 🔎

You've found a new entry in ShimCache on Windows 10: C:\Users\Public\svchost32.exe with a last modified timestamp predating system boot.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC
December 2, 2025 at 2:30 PM