Detection Opportunities

CYBERWOX

Detection Opportunities is a podcast for security professionals who care about building resilient detection and response systems. Each episode explores real-world attacks, breaks down how signals become insights, and dives into the engineering mindset behind effective threat detection, investigation, and defense. Grounded in frontline experience across SIEM development, security operations, incident response, and threat hunting, this show brings a practical, systems-level lens to modern security engineering.

Episodes

  1. 6 JUN

    Detection-as-Code & CI/CD in Detection Engineering with Dennis Chow | EP. 9

    Detection as Code is one of the most important evolutions in modern security detection, and in this video, we break it down. I first encountered this concept as a Cloud Threat Detection Engineer at Datadog. Today, I’m joined by Dennis Chow, a Detection Engineering specialist and author of Automating Security Detection Engineering (which I had the honor of technically reviewing). Together, we explore what Detection as Code really means and walk through two hands-on CI/CD pipeline demos: 🔹 Lab 1: Building SIEM detections with synthetic AI testing using Sumo Logic 🔹 Lab 2: Policy-as-Code integration testing with Cloud Custodian on GCP You’ll learn how Detection as Code leverages Git, automated testing, reproducibility, collaboration, and CI/CD to make detection engineering more scalable, accountable, and reliable. Dennis' Blog Dennis' Github Dennis' LinkedIn _____________ 📁RESOURCES: → GitHub repo for lab 1 → GitHub repo for lab 2 → Dennis’ book → My book review → Our podcast episode together _____________ ⚡️⁠⁠⁠⁠⁠⁠JOIN 6,000+ CWX MEMBERS ON DISCORD⁠⁠⁠⁠⁠⁠ 📰 ⁠⁠⁠⁠⁠⁠SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER⁠⁠⁠⁠⁠⁠ 🥶 ⁠⁠⁠⁠⁠⁠CYBERWOX MERCH⁠⁠⁠⁠⁠⁠ _____________ 🧬 CYBERWOX RESOURCES 🔹 ⁠⁠⁠⁠⁠⁠Cyberwox Cybersecurity Notion Templates for planning your career⁠⁠⁠⁠⁠⁠ 🔹 ⁠⁠⁠⁠⁠⁠Cyberwox Best Entry-Level Cybersecurity Resume Template⁠⁠⁠⁠⁠⁠ 🔹 ⁠⁠⁠⁠⁠⁠Learn AWS Threat Detection with my LinkedIn Learning Course⁠⁠⁠⁠⁠⁠ _____________ 📱 LET'S CONNECT → ⁠⁠⁠⁠⁠⁠IG⁠⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠⁠Threads⁠⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠⁠Substack⁠⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠⁠Twitter⁠⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠⁠Linkedin⁠⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠⁠Tiktok⁠⁠⁠⁠⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!

    43 min

  2. 29 APR

    Applying AI, LLMs & Prompt Engineering for Threat Detection with Dylan Williams | EP. 8

    Visit my ⁠sponsor⁠ to view the current average annual salary for a Cybersecurity degree and learn how to get started. I had the pleasure of hosting Dylan Williams and we explored how AI can be applied in cybersecurity, focusing on threat detection. We also examined how his project, D.I.A.N.A., turns threat intelligence reports into actual detections. Connect with Dylan Dylan's Resource on Applying LLMs & GenAI to Cybersecurity Dylan's Medium D.I.A.N.A Project DI.A.N.A App _____________ TIMESTAMPS 00:00 Intro 01:39 Dylan's Background 02:40 How Dylan started exploring AI 03:07 SNHU 04:36 Dylan's ChatGPT Moment 06:22 Training LLMs for Cybersecurity 09:53 Updating LLMs 14:27 D.I.A.N.A - Detection and Intelligence Analysis for New Alerts 17:07 Going from Threat Intelligence to Threat Detection 32:02 Getting started with LLMs & Gen AI for Cybersecurity 33:55 Connect with Dylan 35:12 Outro _____________ ⚡️⁠⁠⁠⁠⁠JOIN 6,000+ CWX MEMBERS ON DISCORD⁠⁠⁠⁠⁠ 📰 ⁠⁠⁠⁠⁠SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER⁠⁠⁠⁠⁠ 🥶 ⁠⁠⁠⁠⁠CYBERWOX MERCH⁠⁠⁠⁠⁠ _____________ 🧬 CYBERWOX RESOURCES 🔹 ⁠⁠⁠⁠⁠Cyberwox Cybersecurity Notion Templates for planning your career⁠⁠⁠⁠⁠ 🔹 ⁠⁠⁠⁠⁠Cyberwox Best Entry-Level Cybersecurity Resume Template⁠⁠⁠⁠⁠ 🔹 ⁠⁠⁠⁠⁠Learn AWS Threat Detection with my LinkedIn Learning Course⁠⁠⁠⁠⁠ _____________ 📱 LET'S CONNECT → ⁠⁠⁠⁠⁠IG⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠Threads⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠Substack⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠Twitter⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠Linkedin⁠⁠⁠⁠⁠ → ⁠⁠⁠⁠⁠Tiktok⁠⁠⁠⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!

    35 min

  3. 29 APR

    Get-RoleGroup - Detecting Attacker Enumeration in Microsoft 365 Exchange with Purav Desai | EP. 7

    Visit my sponsor to view the current average annual salary for a Cybersecurity degree and learn how to get started. ⁠Purav's LinkedIn⁠ ⁠Deciphering UAL Exchange Admin Audit Logging Office365 Management Activity API Connect-IPPSSession _____________ TIMESTAMPS: 00:00 Intro 00:36 Get-RoleGroup Operation 01:37 Enumeration is not logged?? 05:53 SNHU 07:22 Using the Security Compliance Center EOPCmdlet 08:54 Abusing Purview Compliance & E-Discovery 10:21 Useful Log Fields & Key Fields of note 12:48 Attack Demo 14:45 Fields to Decipher 15:51 How To Detect/Analyse 17:59 Get-RoleGroupMember 19:39 Useful Log Fields 20:30 Attack Demo 23:01 Segmentation Of Behaviors 23:57 Connect-IPPSSession 26:07 Final Thoughts 27:40 Outro _____________ ⚡️⁠⁠⁠⁠JOIN 6,000+ CWX MEMBERS ON DISCORD⁠⁠⁠⁠ 📰 ⁠⁠⁠⁠SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER⁠⁠⁠⁠ 🥶 ⁠⁠⁠⁠CYBERWOX MERCH⁠⁠⁠⁠ _____________ 🧬 CYBERWOX RESOURCES 🔹 ⁠⁠⁠⁠Cyberwox Cybersecurity Notion Templates for planning your career⁠⁠⁠⁠🔹 ⁠⁠⁠⁠Cyberwox Best Entry-Level Cybersecurity Resume Template⁠⁠⁠⁠ 🔹 ⁠⁠⁠⁠Learn AWS Threat Detection with my LinkedIn Learning Course⁠⁠⁠⁠ _____________ 📱 LET'S CONNECT → ⁠⁠⁠⁠IG⁠⁠⁠⁠ → ⁠⁠⁠⁠Threads⁠⁠⁠⁠ → ⁠⁠⁠⁠Substack⁠⁠⁠⁠ → ⁠⁠⁠⁠Twitter⁠⁠⁠⁠ → ⁠⁠⁠⁠Linkedin⁠⁠⁠⁠ → ⁠⁠⁠⁠Tiktok⁠⁠⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!

    28 min

  4. 29 APR

    Add-RoleGroupMember - Detecting Persistence in Microsoft 365 Exchange with Purav Desai | EP. 6

    Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder. In today's episode, we explore the Add-RoleGroupMember operation in Exchange Online. Purav's LinkedIn Deciphering UAL Microsoft Application IDs Permission Alert Policy _____________ TIMESTAMPS: 00:00 Intro 00:48 Add-RoleGroupMember Overview 03:22 The Result Status 04:53 The Application IDs 08:59 Key Fields of Note 10:39 Fields to Decipher 20:14 Detection - Permission Alert Policies 23:18 Custom Alerting 24:32 Final Thoughts 25:39 Outro _____________ ⚡️⁠⁠⁠JOIN 6,000+ CWX MEMBERS ON DISCORD⁠⁠⁠ 📰 ⁠⁠⁠SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER⁠⁠⁠ 🥶 ⁠⁠⁠CYBERWOX MERCH⁠⁠⁠ _____________ 🧬 CYBERWOX RESOURCES 🔹 ⁠⁠⁠Cyberwox Cybersecurity Notion Templates for planning your career⁠⁠⁠🔹 ⁠⁠⁠Cyberwox Best Entry-Level Cybersecurity Resume Template⁠⁠⁠ 🔹 ⁠⁠⁠Learn AWS Threat Detection with my LinkedIn Learning Course⁠⁠⁠ _____________ 📱 LET'S CONNECT → ⁠⁠⁠IG⁠⁠⁠ → ⁠⁠⁠Threads⁠⁠⁠ → ⁠⁠⁠Substack⁠⁠⁠ → ⁠⁠⁠Twitter⁠⁠⁠ → ⁠⁠⁠Linkedin⁠⁠⁠ → ⁠⁠⁠Tiktok⁠⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support!

    26 min

  5. 29 APR

    New-RoleGroup - Detecting Privilege Escalation in Microsoft 365 with Purav Desai | EP. 5

    Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder. ⁠Purav's LinkedIn⁠ ⁠Deciphering UAL⁠ ⁠Learn about auditing solutions in Microsoft Purview⁠ _____________ TIMESTAMPS 00:00 Intro 00:20 Deciphering New-RoleGroup 09:06 Key Fields 10:11 Deciphering with Exchange Online PowerShell 13:42 Detection Opportunities 16:16 SIEM & Attacker Tactics 21:43 Outro _____________ ⚡️⁠⁠JOIN 6,000+ CWX MEMBERS ON DISCORD⁠⁠ 📰 ⁠⁠SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER⁠⁠ 🥶 ⁠⁠CYBERWOX MERCH⁠⁠ _____________ 🧬 CYBERWOX RESOURCES 🔹 ⁠⁠Cyberwox Cybersecurity Notion Templates for planning your career⁠⁠🔹 ⁠⁠Cyberwox Best Entry-Level Cybersecurity Resume Template⁠⁠ 🔹 ⁠⁠Learn AWS Threat Detection with my LinkedIn Learning Course⁠⁠ _____________ 📱 LET'S CONNECT → ⁠⁠IG⁠⁠ → ⁠⁠Threads⁠⁠ → ⁠⁠Substack⁠⁠ → ⁠⁠Twitter⁠⁠ → ⁠⁠Linkedin⁠⁠ → ⁠⁠Tiktok⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support! Email: day@cyberwox.com

    22 min

  6. 29 APR

    Microsoft 365 Forensics & Incident Response with Purav Desai | EP. 4

    Learn how to decipher the Microsoft Unified Audit Log (UAL) from a Digital Forensics & Incident Response (DFIR) perspective with Purav Desai, an experienced M365/Azure Incident Responder. Purav's LinkedIn Deciphering UAL Learn about auditing solutions in Microsoft Purview _____________ TIMESTAMPS 00:00 Intro 00:49 Microsoft 365 Auditing 04:43 The Deciphering UAL Project 07:55 Accessing Purview Audit 17:41 Outro _____________ ⚡️⁠JOIN 6,000+ CWX MEMBERS ON DISCORD⁠ 📰 ⁠SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER⁠ 🥶 ⁠CYBERWOX MERCH⁠ _____________ 🧬 CYBERWOX RESOURCES 🔹 ⁠Cyberwox Cybersecurity Notion Templates for planning your career⁠ 🔹 ⁠Cyberwox Best Entry-Level Cybersecurity Resume Template⁠ 🔹 ⁠Learn AWS Threat Detection with my LinkedIn Learning Course⁠ _____________ 📱 LET'S CONNECT → ⁠⁠IG⁠⁠ → ⁠⁠Threads⁠⁠ → ⁠⁠Substack⁠⁠ → ⁠⁠Twitter⁠⁠ → ⁠⁠Linkedin⁠⁠ → ⁠⁠Tiktok⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support! Email: day@cyberwox.com

    18 min

  7. 29 APR

    Attack & Detection of a Cloud Security Breach with 0xd4y | EP. 3

    This episode covers an attack scenario very similar to the one that led to the breach of US Bank Capital One.  @0xd4y  goes over the attack scenario using CloudGoat by Rhino Security Labs, and I detect his activities using AWS CloudTrail Lake. _____________ 🧬 VIDEO RESOURCES 🔹 Segev's YouTube Channel:  @0xd4y  🔹 Segev's walkthrough 🔹 Former AWS engineer convicted over hack that cost Capital One $270m 🔹 CloudGoat 🔹 Instance Metadata 🔹 Sneaky Endpoints 🔹 AWSealion 🔹 GuardDuty Findings 🔹 CloudTrail Lake _____________ ⏰ TIMESTAMPS 00:00 Intro 00:34 Attack Scenario 00:51 Key Terminology 01:41 Cloud Attack Walkthrough - CloudGoat 10:06 Attack Detection Walkthrough - CloudTrail Lake 13:44 Remediation & Final Thoughts _____________ ⚡️⁠JOIN 6,000+ CWX MEMBERS ON DISCORD⁠ 📰 ⁠SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER⁠ 🥶 ⁠CYBERWOX MERCH⁠ _____________ 🧬 CYBERWOX RESOURCES 🔹 ⁠Cyberwox Cybersecurity Notion Templates for planning your career⁠ 🔹 ⁠Cyberwox Best Entry-Level Cybersecurity Resume Template⁠ 🔹 ⁠Learn AWS Threat Detection with my LinkedIn Learning Course⁠ _____________ 📱 LET'S CONNECT → ⁠⁠IG⁠⁠ → ⁠⁠Threads⁠⁠ → ⁠⁠Substack⁠⁠ → ⁠⁠Twitter⁠⁠ → ⁠⁠Linkedin⁠⁠ → ⁠⁠Tiktok⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support! Email: day@cyberwox.com

    14 min

  8. 29 APR

    The Anatomy of a Google Cloud (GCP) Cryptomining Attack | EP. 2

    GCP Service Accounts are interesting cloud identities. Let's review how they contributed to a Cryptocurrency Mining Attack in this Case. _____________ 🧬 EPISODE RESOURCES 🔹How A Compromised AWS Lambda Function Led to a Phishing Attack 🔹GCP Lateral Movement & PrivEsc 🔹GCP Service Accounts 🔹 DEFCON 30 Cloud Village - Weather Proofing GCP Defaults 🔹GCP IAM basic and predefined roles reference _____________ ⏰ TIMESTAMPS 00:00 How GCP Service Accounts Work 02:12 Initial Access - Stolen Service Account Credentials 02:52 Attack Flow 03:33 Privilege Escalation - Permission Upgrades 03:50 Detection Opportunity 1 04:04 Defense Evasion - Firewall Rule Modification 05:19 Detection Opportunity 2 05:38 1,600 VMs created during attack 05:51 Persistence - New Token Creations 06:16 Final Thoughts _____________ ⚡️⁠JOIN 6,000+ CWX MEMBERS ON DISCORD⁠ 📰 ⁠SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER⁠ 🥶 ⁠CYBERWOX MERCH⁠ _____________ 🧬 CYBERWOX RESOURCES 🔹 ⁠Cyberwox Cybersecurity Notion Templates for planning your career⁠ 🔹 ⁠Cyberwox Best Entry-Level Cybersecurity Resume Template⁠ 🔹 ⁠Learn AWS Threat Detection with my LinkedIn Learning Course⁠ _____________ 📱 LET'S CONNECT → ⁠⁠IG⁠⁠ → ⁠⁠Threads⁠⁠ → ⁠⁠Substack⁠⁠ → ⁠⁠Twitter⁠⁠ → ⁠⁠Linkedin⁠⁠ → ⁠⁠Tiktok⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support! Email: day@cyberwox.com

    7 min

  9. 29 APR

    How A Compromised AWS Lambda Function Led to a Phishing Attack | EP. 1

    In this video, I’ll be going over detection opportunities at various stages of cloud security attacks. Compromised Cloud Compute Credentials: Case Studies From the Wild _____________ TIMESTAMPS 00:00 Intro 00:40 The Attack Case 02:12 The Attack Graph 02:44 The Attack Flow 03:06 Detection Opportunity 1: Enumeration/Reconnaissance/Discovery - Cloud Infrastructure Discovery 05:27 Detection Opportunity 2: Persistence - Create Cloud Account 08:19 Detection Opportunity 3: Impact - Resource Hijacking 09:54 Detection Opportunity 4: Defense Evasion - Indicator Removal 10:23 Detection Opportunity 5: Credential Access - Stealing an application access token 12:04: Conclusion _____________ ⚡️JOIN 6,000+ CWX MEMBERS ON DISCORD 📰 SUBSCRIBE TO THE CYBERWOX UNPLUGGED NEWSLETTER 🥶 CYBERWOX MERCH _____________ 🧬 CYBERWOX RESOURCES 🔹 Cyberwox Cybersecurity Notion Templates for planning your career 🔹 Cyberwox Best Entry-Level Cybersecurity Resume Template 🔹 Learn AWS Threat Detection with my LinkedIn Learning Course _____________ 📱 LET'S CONNECT → ⁠⁠IG⁠⁠ → ⁠⁠Threads⁠⁠ → ⁠⁠Substack⁠⁠ → ⁠⁠Twitter⁠⁠ → ⁠⁠Linkedin⁠⁠ → ⁠⁠Tiktok⁠⁠ Email: day@cyberwox.com _____________ ⚠️DISCLAIMER This description has some affiliate links, and I may receive a small commission for purchases made through these links. I appreciate your support! Email: day@cyberwox.com

    13 min
  • 9 Episodes

About

Detection Opportunities is a podcast for security professionals who care about building resilient detection and response systems. Each episode explores real-world attacks, breaks down how signals become insights, and dives into the engineering mindset behind effective threat detection, investigation, and defense. Grounded in frontline experience across SIEM development, security operations, incident response, and threat hunting, this show brings a practical, systems-level lens to modern security engineering.

Information

More From CYBERWOX