Phishing Infrastructure Analysis — Mapping Campaigns Through Passive DNS and WHOIS

Phishing campaigns rarely use a single domain. This post explains how analysts pivot from one suspicious registration to an entire infrastructure cluster using registrar data, nameserver patterns, and WHOIS correlation.

FoilGuard Detection Architecture — Multi-Signal Scoring and False Positive Analysis

A technical walkthrough of how FoilGuard detects domain impersonation: signal architecture, scoring weights, benchmark results against 60+ labeled domains, and the false positive tradeoffs that shaped design decisions.

TTL Covert Channels — Encoding Data in DNS Time-to-Live Fields

A TTL covert channel hides binary data inside a field nobody watches — the Time-to-Live value in DNS responses. This post explains how it works, why it bypasses most detection, and how to find it in a pcap.

C2 Beacon Analysis — Recognising Command-and-Control Traffic in Packet Captures

After initial compromise, malware phones home on a schedule. This post explains beaconing patterns, how to measure jitter and interval consistency, and how to find a beacon hiding in normal HTTP traffic.

DNS Exfiltration — How Attackers Tunnel Data Through Name Queries

DNS was designed to translate names to IPs — not to carry stolen data. This post explains how attackers encode files in DNS queries, why firewalls miss it, and how to detect it in a pcap.

How attackers spoof email — and how to catch them

SMTP was built without authentication. We explain how spoofing works, what SPF, DKIM, and DMARC actually protect against, and walk through the FoilLab mail-trap challenge to show email forensics in practice.

How Typosquatting Works — and How FoilGuard Catches It

Attackers register domains one character away from brands you trust. We walk through the techniques — character substitution, homoglyphs, combosquatting — and explain exactly how FoilGuard's heuristic engine detects each one.

Password Manager Threat Models — and Why Local-First Wins

Cloud-synced vaults and local-first encryption solve different threat models. We break down what LastPass got wrong, how PBKDF2 iteration counts matter, and why FoilVault keeps your credentials off the network entirely.