David J. Bianco
davidjbianco.bsky.social
Threat Hunting, CTI, incident detection & response. SANS instructor. Special interest in helping newbies get started. Also happy to talk about other geeky topics. He/Him.
Pinned
You might know some of my previous work, including:

The Pyramid of Pain (bit.ly/PyramidOfPain)
The Sqrrl Threat Hunting Model
The PEAK Threat Hunting Framework (co-authored with Dr. Ryan Fetterman & @letswastetime.bsky.social)
The Pyramid of Pain
Update 2014-01-17 I'm updating this post to include a slightly revised version of the Pyramid.  The only real change I made was that I adde...
bit.ly
I don't normally promote vendor talks, but this one will have some very practical ways to apply #AI to solve real #cybersecurity challenges, including my own agentic #ThreatHunting assistant.

www.ciscolive.com/emea/learn/s...
February 6, 2026 at 2:00 AM
Forget #Moltbook. I propose Molt Overflow.

Stack Molterflow?

Stack Overmolt?

Whatever. Let the agents share programming tips, many of which will be inefficient or just plain wrong, but will no doubt be copied verbatim into code anyway.
February 3, 2026 at 9:28 PM
That's what they *should* look like.

On the other hand, if you're unprepared, this is what they actually look like:

www.youtube.com/watch?v=FXMc...
February 1, 2026 at 10:32 PM
New CLAUDE.md requirement just dropped.
vibecoded web apps have such boring security bugs. "the whole database was wide open". oh. ok.

at least have some class and write some sql-injectable php. maybe a little stack buffer overflow as a treat.
February 1, 2026 at 7:45 PM
My latest project was released this morning: the PEAK #ThreatHunting Assistant harnesses teams of AI agents to accelerate the process of preparing and planning your hunt.

Blog: blogs.cisco.com/security/int...
GitHub: github.com/cisco-founda...
Introducing The PEAK Threat Hunting Assistant: Agentic AI to Supercharge Your Hunt
Learn about the PEAK Threat Hunting Assistant, introduced by Cisco Foundation AI
blogs.cisco.com
January 29, 2026 at 1:47 PM
I work for Cisco Foundation AI, figuring out how to make AI useful for security, rather than just throwing AI at a problem and hoping it magically gets better.

If you want to see some of the things we're working on, this is the session for you.

www.linkedin.com/feed/update/...
January 28, 2026 at 2:04 PM
Calendar systems should include options for both "Accept" and "Grudgingly Accept".
January 23, 2026 at 9:28 PM
January 21, 2026 at 10:42 PM
Spent my day off creating an AI-assisted web app to convert recordings of D&D sessions into transcripts and in-character journal entries for the party's adventure log.

In case you're wondering if I'm a nerd as well as a geek.
January 20, 2026 at 7:52 PM
I am just now coming to the realization that all those holodeck "programs" were in fact vibe-coded.
January 20, 2026 at 5:30 PM
A personal project I've been working on: MCP Remixer, server that proxies requests to other MCP servers. It allows you to:

- Aggregate multiple servers into one
- Add new tools or suppress existing tools
- Log every request from the MCP client and the servers' responses

github.com/DavidJBianco...
GitHub - DavidJBianco/MCP-Remixer: An MCP proxy that allows you to "remix" the tools available in the proxied servers
An MCP proxy that allows you to "remix" the tools available in the proxied servers - DavidJBianco/MCP-Remixer
github.com
January 9, 2026 at 4:28 PM
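The three capabilities listed above (aggregate, add or suppress tools, log everything) can be shown in a few dozen lines of Python over the JSON-RPC 2.0 messages MCP uses. This is an added example, not code from MCP Remixer; it assumes the `tools/list` and `tools/call` method shapes, and replaces real upstream servers with stand-in functions so it runs offline. The security point worth seeing is that a tool suppressed from `tools/list` must also be refused at `tools/call`, otherwise a client, or a prompt injection driving it, can still call the hidden tool by name.

```python
"""Tool-remixing proxy logic over MCP-style JSON-RPC 2.0 messages (added example)."""
import json
import logging
from typing import Callable, Dict, List, Tuple

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("remixer")

Handler = Callable[[dict], dict]

# Constructed sample data: what two upstream servers answer to "tools/list".
UPSTREAM_TOOLS: Dict[str, List[dict]] = {
    "fs": [
        {"name": "read_file", "description": "Read a file from disk"},
        {"name": "delete_file", "description": "Delete a file from disk"},
    ],
    "web": [{"name": "fetch", "description": "HTTP GET a URL"}],
}


def _error(req: dict, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": req.get("id"), "error": {"code": code, "message": message}}


def fake_upstream(server: str) -> Handler:
    """Stand-in for a real MCP server (assumption: a real one sits behind a stdio/HTTP transport)."""
    def handle(req: dict) -> dict:
        if req["method"] == "tools/list":
            return {"jsonrpc": "2.0", "id": req["id"], "result": {"tools": UPSTREAM_TOOLS[server]}}
        if req["method"] == "tools/call":
            text = f"{server}:{req['params']['name']} ok"
            return {"jsonrpc": "2.0", "id": req["id"], "result": {"content": [{"type": "text", "text": text}]}}
        return _error(req, -32601, "Method not found")
    return handle


class Remixer:
    """Aggregates upstream tools under a server prefix, hides suppressed ones,
    adds local tools, and records every request/response pair."""

    def __init__(self, upstreams: Dict[str, Handler], suppress=(), extra_tools=()):
        self.upstreams = upstreams
        self.suppress = set(suppress)             # qualified names, e.g. "fs.delete_file"
        self.extra_tools = list(extra_tools)      # (tool descriptor, python callable) pairs
        self.audit: List[Tuple[dict, dict]] = []  # everything the client sent and got back

    def handle(self, req: dict) -> dict:
        resp = self._dispatch(req)
        self.audit.append((req, resp))
        log.info("client -> %s\nclient <- %s", json.dumps(req), json.dumps(resp))
        return resp

    def _dispatch(self, req: dict) -> dict:
        if req["method"] == "tools/list":
            tools = []
            for server, upstream in self.upstreams.items():
                r = upstream({"jsonrpc": "2.0", "id": req["id"], "method": "tools/list"})
                for t in r["result"]["tools"]:
                    qualified = f"{server}.{t['name']}"
                    if qualified not in self.suppress:  # suppression happens here...
                        tools.append({**t, "name": qualified})
            tools.extend(desc for desc, _ in self.extra_tools)
            return {"jsonrpc": "2.0", "id": req["id"], "result": {"tools": tools}}

        if req["method"] == "tools/call":
            name = req["params"]["name"]
            args = req["params"].get("arguments", {})
            for desc, fn in self.extra_tools:
                if desc["name"] == name:
                    return {"jsonrpc": "2.0", "id": req["id"], "result": fn(args)}
            # ...and is enforced again here: hiding a tool from tools/list is not enough,
            # since a client can still name it directly in tools/call.
            server, _, bare = name.partition(".")
            if name in self.suppress or server not in self.upstreams or not bare:
                return _error(req, -32602, f"Unknown tool: {name}")
            return self.upstreams[server]({**req, "params": {**req["params"], "name": bare}})

        return _error(req, -32601, "Method not found")


def build_demo() -> Remixer:
    """Two upstreams, fs.delete_file suppressed, one locally added 'echo' tool."""
    echo = ({"name": "echo", "description": "Echo arguments back"},
            lambda args: {"content": [{"type": "text", "text": json.dumps(args)}]})
    return Remixer({"fs": fake_upstream("fs"), "web": fake_upstream("web")},
                   suppress=["fs.delete_file"], extra_tools=[echo])


if __name__ == "__main__":
    r = build_demo()
    print(json.dumps(r.handle({"jsonrpc": "2.0", "id": 1, "method": "tools/list"}), indent=2))
    print(r.handle({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                    "params": {"name": "fs.delete_file", "arguments": {"path": "/etc/passwd"}}}))
```

The audit list is what makes the proxy useful for hunting: it captures the exact tool names and arguments the model asked for, including calls that were refused.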
Ouch! It hurts because it's true.
January 8, 2026 at 9:54 PM
If my job were a D&D class, I'd probably be an Artificer, subclass Cybersecurity. I spend a lot of time coming up with new prototypes to apply AI to solve security challenges and figuring out ways to do that better.

What would yours be?
January 8, 2026 at 7:02 PM
Crazy sitting-in-the-airport thought: prompt injection is to llms as code-is-data is to the von Neumann computer architecture. We got so used to it that we barely notice it anymore even though it's a major underlying factor of security issues. Prompt injection ain't going away.
November 24, 2025 at 1:21 PM
Finally, Sysmon will just be part of Windows, not a separate download. This should make visibility a lot easier!
Native Sysmon functionality coming to Windows | Microsoft Community Hub
Learn how to eliminate manual deployment and reduce operational risk with Sysmon functionality in Windows.
techcommunity.microsoft.com
November 19, 2025 at 5:11 PM
I love the idea of calculating the decay rate of an IOC. It's not always strictly mathematical, because it also relies on threat actors' choices about how they use the IOCs, but as an estimate and for decision making, this seems promising.

Also, I really like @netresec.com's ASCII art Pyramid. 😀
Monitoring for too many old indicators not only costs money, it can even inhibit detection of real intrusions.
📆 Include "last seen" date when publishing IOCs
❌ Prune old IOCs
📜 Prioritize long lived IOCs over short lived ones
netresec.com?b=25Be9dd
Optimizing IOC Retention Time
Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs...
netresec.com
November 6, 2025 at 1:23 PM
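The three recommendations quoted above (publish a last-seen date, prune old IOCs, prioritize long-lived ones) can be turned into a small retention routine. This is an added example, not netresec's method: the retention rule it uses (keep watching for twice the observed lifespan after the last sighting, bounded between two weeks and a year) is an assumed heuristic, and the feed entries are constructed from reserved example addresses and domains.

```python
"""IOC retention and prioritisation from first-seen / last-seen dates (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class IOC:
    value: str
    kind: str          # "domain" or "ip"
    first_seen: date   # first time it was reported in use
    last_seen: date    # most recent sighting; the date worth publishing alongside the IOC


# Constructed sample feed (RFC 5737 / RFC 2606 reserved values, not real indicators).
SAMPLE_FEED: List[IOC] = [
    IOC("evil-cdn.example", "domain", date(2025, 1, 5), date(2025, 1, 6)),       # lived a day
    IOC("198.51.100.23", "ip", date(2024, 6, 1), date(2025, 9, 30)),             # long-lived C2 host
    IOC("update-check.example", "domain", date(2025, 8, 1), date(2025, 10, 20)),
    IOC("203.0.113.9", "ip", date(2025, 10, 1), date(2025, 10, 28)),
]

DEMO_TODAY = date(2025, 11, 6)  # evaluation date chosen for the example


def lifespan_days(ioc: IOC) -> int:
    """Observed lifetime; a single-sighting IOC counts as one day."""
    return max((ioc.last_seen - ioc.first_seen).days, 1)


def retention_days(ioc: IOC, multiplier: float = 2.0, floor: int = 14, cap: int = 365) -> int:
    """How long to keep watching after last_seen.

    Assumed heuristic: an IOC that has already lived N days is given multiplier*N
    more, never less than `floor` days and never more than `cap` days."""
    return int(min(max(lifespan_days(ioc) * multiplier, floor), cap))


def expires_on(ioc: IOC, **kw) -> date:
    return ioc.last_seen + timedelta(days=retention_days(ioc, **kw))


def prune(feed: List[IOC], today: date, **kw) -> Tuple[List[IOC], List[IOC]]:
    """Split the feed into (keep, drop); 'keep' is ordered longest-lived first."""
    keep = [i for i in feed if expires_on(i, **kw) >= today]
    drop = [i for i in feed if expires_on(i, **kw) < today]
    keep.sort(key=lifespan_days, reverse=True)
    return keep, drop


def publish(feed: List[IOC], today: date, **kw) -> List[dict]:
    """Rows for a SIEM/NDR import that carry last_seen and a computed expiry."""
    keep, _ = prune(feed, today, **kw)
    return [{"value": i.value, "type": i.kind, "last_seen": i.last_seen.isoformat(),
             "expires": expires_on(i, **kw).isoformat(), "lifespan_days": lifespan_days(i)}
            for i in keep]


if __name__ == "__main__":
    kept, dropped = prune(SAMPLE_FEED, DEMO_TODAY)
    for row in publish(SAMPLE_FEED, DEMO_TODAY):
        print(row)
    print("pruned:", [i.value for i in dropped])
```

With the sample feed, the one-day domain is pruned, the year-plus C2 address sits at the top of the list with the maximum retention, and every published row carries both its last-seen date and the date it should be re-evaluated. The multiplier, floor and cap are the knobs to tune against your own false-positive cost.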
If you think "No Kings" means "Hate America", I respectfully suggest you don't know what America is.
October 16, 2025 at 6:03 PM
I did NOT see this coming.

1. Kryptos is fully solved (!!!!)
2. There's the threat of a lawsuit if the solution is made public

www.nytimes.com/2025/10/16/s...
A C.I.A. Secret Kept for 35 Years Is Found in the Smithsonian’s Vault
Jim Sanborn is auctioning off the solution to Kryptos, the puzzle he sculpted for the intelligence agency’s headquarters. Two fans of the work then discovered the key.
www.nytimes.com
October 16, 2025 at 3:49 PM
#ARM64 support is huge if you want to run this on a Mac. Soooo happy to hear this.
I released another update to the SOF-ELK platform yesterday!

The update incorporates the latest Elastic and operating system components, as well as a few fixes that were left over from the migration to Ubuntu. Both ARM and x86 VMs are distributed, so check it out!

for572.com/sof-elk
Virtual Machine README
Configuration files for the SOF-ELK VM. Contribute to philhagen/sof-elk development by creating an account on GitHub.
for572.com
October 15, 2025 at 3:43 PM
If you are #ThreatHunting with #Splunk, you really need to check out the Threat Hunters' Cookbook. It's a free ebook download too!
The latest TTP is here. Listen to Ryan Fetterman and Sydney Marrone from Cisco's SURGe team, who wrote the Threat Hunter’s Cookbook: a collection of practical “recipes” security teams can pick up and apply: cs.co/63329Awszt
September 24, 2025 at 5:31 PM
It's #TalkLikeaPirate day!

One of my favorite #AI chat debug tricks is "Say it again, but like a pirate". It checks that the app looks backwards to see what it just said AND that it got my new instruction. Plus success is obvious!

And no, in case you were wondering, I code in Python, not R, matey.
September 19, 2025 at 1:27 PM
Go Boston!
September 9, 2025 at 1:42 PM
Considering addressing everyone as "My brother/sister/sibling in Science".

As in, "My brother in Science, no one looks their best in an airport. Especially kids."
August 29, 2025 at 2:16 PM
Dude is really hung up on "gratitude".
August 29, 2025 at 2:10 PM
This is really cool research by one of my new teammates: examining the internal state of an #LLM can not only tell you what type of information it's processing, but is really good at detecting malicious or unsafe prompt injections.

It's like fMRI for LLMs.

www.linkedin.com/pulse/how-bu...
August 25, 2025 at 4:57 PM