What started as a simple idea, exploring how AI could support a modern Security Operations Center, has grown into a structured series that documents both real solutions and the learning journey behind them. This collection of articles is intended to walk through the evolution from traditional, deterministic automation toward more adaptive, agent-driven approaches, while sharing… Read More: AI-Driven SOC Series Overview »
Have you heard about Microsoft’s new Claude Enterprise connector for Purview. At a high level, enterprise AI connectors are designed to collect and govern activity occurring within enterprise AI platforms. Depending on the platform and integration, that can include information such as user activity, utilization, prompts, responses, uploaded content, administrative actions, and other telemetry generated… Read More: Enterprise AI Connectors for Purview »
Recently, I found myself thinking about certification exams again. It had been several months since I last sat for a major certification exam, and while reviewing some of Microsoft’s newer AI certifications, I started asking myself a simple question: What should I take next? That led me down a rabbit hole of reviewing Microsoft’s current… Read More: Microsoft Security and AI Certification Roadmap »
I was flying home from a security conference in Boston on a Friday evening, enjoying an unexpected complimentary upgrade to business class, listening to Dungeon Crawler Carl, and reflecting on some of the conversations I had over the previous few days. During one of those conversations, I had confidently stated that a YouTube channel I… Read More: Building a YouTube Statistics Tracker at 35,000 Feet »
Why I Started Building This Several weeks ago, I set out to create a proper Microsoft Defender Vulnerability Management (TVM) data connector for Microsoft Sentinel. What started as a relatively simple side project turned into a much larger effort involving API comparisons, ingestion architecture, scaling limitations, and a deeper understanding of how Defender exposure-management data… Read More: Sentinel TVM Snapshot Data Connector V2 »
Over the last two years, Microsoft’s AI ecosystem has expanded incredibly fast. What initially started as a relatively straightforward launch of Microsoft 365 Copilot has rapidly evolved into a much broader platform involving enterprise grounding, semantic intelligence, multi-model orchestration, AI agents, delegated workflows, governance platforms, and enterprise AI security controls. Along the way, Microsoft has… Read More: Understanding Microsoft’s Growing AI Ecosystem »
The phrase “AI Security” is becoming increasingly difficult to define because the risks change dramatically depending on how organizations interact with AI. Sometimes employees are simply using public AI services to summarize documents or generate content. Sometimes organizations deploy enterprise copilots grounded on internal data. Increasingly, organizations are building AI workflows and agents capable of… Read More: Securing AI Depends on How AI Is Being Used »
I officially pre-registered for Black Hat USA 2026 and DEF CON today, and every year I find myself trying to recruit additional attendees from friends, coworkers, and peers across the cybersecurity community. One thing I hear repeatedly is that many people, especially those not sponsored by their employer, assume these conferences are financially out of… Read More: Hacker Week on a Budget: Black Hat-DEF CON »
Security teams are starting to use and pay closer attention to tools like MCP servers, AI agents, GitHub Copilot, VS Code integrations, and other AI-assisted operational tooling. As organizations become more familiar with these tools, it naturally raises questions around the privacy and security implications of connecting them to enterprise systems. The real issue is… Read More: Authorized Access Unauthorized Destinations »
Introduction This series started with a simple question: what does an agentic SOC actually look like in practice? Early on, I focused on making that idea tangible. Instead of staying theoretical, I built out a working approach using Azure AI Foundry and Azure Logic Apps. The goal was not to prescribe a single “right” architecture,… Read More: Intro and Initial Deployment of a Foundry Agent »
This started as a straightforward idea. I wanted to get Defender Threat and Vulnerability Management (TVM) data into Microsoft Sentinel for long-term retention and dashboarding. The data potentially has value, and Sentinel is designed to ingest large volumes of security data, so on the surface it felt like something that should already exist. After building… Read More: Sentinel TVM Snapshot Data Connector »
This article builds on a series of previous discussions around building an agentic SOC solution, comparing agentic versus deterministic logic, and walking through an overview of Sentinel MCP. In this one, the focus shifts to hands-on evaluation. The goal here is to take Microsoft Sentinel MCP and run it inside Visual Studio Code to see… Read More: Using Sentinel MCP in VS Code »
Earlier this week, I had a conversation about Sentinel MCP where I gave a quick gut reaction. I said Sentinel MCP, or more broadly this type of model, might be on its way out. The thinking felt reasonable at the time. With how easy it is to vibe code API integrations now, why introduce another… Read More: Sentinel MCP and the Evolution of Automation »
There is a subtle shift happening in how we design incident response systems. For years, most solutions followed a deterministic (explicit, rule-based, structured) model. An alert fires, a playbook runs, actions execute in a defined order, and results are returned. When something breaks, we trace the path, fix the logic, and run it again. That… Read More: Deterministic vs. Agentic Incident Response »
I want to take a few minutes to explore the perceived risk of public cloud endpoints, and why that risk is often misunderstood. If something has a public endpoint, it is easy to assume it is exposed. In reality, that is only part of the story. The Door in the City Imagine you have something… Read More: Are Public Endpoints Risky? »
I am excited to announce the public release of KQL Event Viewer. This is easily the most complete and useful project I have built to date. KQL Event Viewer is a Windows Event Viewer-style experience for KQL data. Instead of starting with a query, you start with the data. Tables are organized, pre-filtered, and easy… Read More: Introducing KQL Event Viewer! »
This week marked the end of an era. I am in the process of transitioning to a new role, and I will share more about that soon. As part of that transition, I delivered what will likely be my final class in this program, a three-day remote cybersecurity session. Keeping an audience engaged for three… Read More: From Cybersecurity Training to Space Pinball »
I have been working with Microsoft Sentinel since before it reached general availability in September 2019, supporting customers, delivering training, and developing real-world deployment guidance. Over that time, I have worked with dozens of organizations across both commercial and government environments, ranging from small universities to large global enterprises. I share that context only to… Read More: Building a Sentinel Cost Estimator »
A practical alternative and complement to Security Copilot I wrote about Alternatives to Microsoft Security Copilot last year and why many organizations are still looking for practical ways to bring AI into their SOC. That conversation has continued to come up in customer engagements. Some teams do not have access yet. Others are constrained by… Read More: Building a SOC AI API with Azure AI Foundry »
In the last article, I introduced Azure AI Foundry as a way to stand up a private AI service for SOC use cases. The key idea is that the model itself is not the solution. The value comes from how you shape requests using system prompts and structured input. One deployment can support many different… Read More: SOC AI Series, Part 2: Using Logic Apps »