incident-response

YARA is useful when you need lightweight pattern matching across files during incident response or malware triage. I keep rules specific and review false positives often. Overbroad rules create noise fast, which is the enemy during an active investiga

Essential diagnostic commands and runbook procedures for production incidents. Quickly triage high CPU, memory leaks, disk full, and network issues with structured investigation scripts. Includes severity classification, escalation procedures, and pos

The first hour of an incident should be structured enough that teams do not invent process under pressure. I keep severity definitions, communication paths, and containment priorities explicit. A good checklist reduces panic and preserves evidence at

During incidents I want a repeatable evidence collection script that preserves volatile context before a system changes again. Time, network state, processes, and recent logs usually matter immediately. Good collection is quiet, timestamped, and resis

Packet capture is most useful when it is scoped enough to answer a question quickly. I capture by host, port, subnet, or flag pattern rather than grabbing everything and hoping to sort it out later. Storage, privacy, and time all argue for precision.

Display filters are how I turn a noisy packet capture into something useful fast. I keep a short set of patterns for TLS failures, retransmissions, HTTP errors, and suspicious DNS behavior. Filtering skill matters more than opening a giant capture fil