Web application DAST automation with OWASP ZAP baseline scans

DAST is useful when it is fast enough to run regularly and scoped enough to avoid chaos. I use baseline scans on pull request environments to catch missing headers, obvious injection risk, and regressions in exposed attack surface. It is not a substit

Threat hunting query ideas mapped to MITRE ATT&CK patterns

I like threat hunting queries that map to observable attacker behavior rather than vague fear. MITRE ATT&CK gives a useful shared language, but the hunt still needs concrete fields, sources, and hypotheses. The best hunt queries are specific enoug

Certificate transparency checks for unexpected certificate issuance

Certificate transparency monitoring is cheap detection for a surprisingly important risk. If a certificate appears for a domain you own and you did not expect it, that deserves immediate investigation. I like monitoring this externally so it still wor

TOTP-based multi-factor authentication for sensitive actions

I use MFA not only at login but also for high-risk step-up flows like email change or payout setup. TOTP is straightforward to implement if secrets are handled carefully and backup codes are part of the design. Recovery flow quality matters as much as

S3 bucket policy that enforces TLS and blocks public reads

Public cloud storage needs explicit safety rails because the defaults are not enough by themselves. I deny insecure transport, block public access at the account level, and scope principals tightly. Storage mistakes are still one of the easiest ways t

Least privilege IAM policy for an application on AWS

Cloud IAM mistakes become high-impact quickly, so I keep policies narrow and resource-scoped. Wildcards are convenient until they become an incident report. The baseline question is always the same: what exact actions on what exact resources does this

Linux privilege escalation checks for suspicious local state

Privilege escalation detection is rarely one command. I look for unexpected SUID binaries, writable service units, dangerous sudo rules, and kernel or package drift. These checks are not glamorous, but they catch a lot of real misconfigurations that a

Wireshark display filters that speed up incident triage

Display filters are how I turn a noisy packet capture into something useful fast. I keep a short set of patterns for TLS failures, retransmissions, HTTP errors, and suspicious DNS behavior. Filtering skill matters more than opening a giant capture fil

tcpdump filters for fast packet capture during investigations

Packet capture is most useful when it is scoped enough to answer a question quickly. I capture by host, port, subnet, or flag pattern rather than grabbing everything and hoping to sort it out later. Storage, privacy, and time all argue for precision.

Forensic collection script for volatile host evidence

During incidents I want a repeatable evidence collection script that preserves volatile context before a system changes again. Time, network state, processes, and recent logs usually matter immediately. Good collection is quiet, timestamped, and resis

Suricata IDS rule authoring for suspicious lateral movement

Detection engineering works best when the rule reflects a behavior you can explain, not just a string that looked scary once. I use Suricata for network patterns that are specific enough to matter operationally. Rule quality is a maintenance problem a

YARA rules for spotting suspicious binaries during triage

YARA is useful when you need lightweight pattern matching across files during incident response or malware triage. I keep rules specific and review false positives often. Overbroad rules create noise fast, which is the enemy during an active investiga