Kostas
kostastsale.bsky.social
...the missing layer.

Full write-up: www.edr-telemetry.com/blog/Why-You...
Why Your EDR Needs a Partner: The Case for Application Control
How threat intelligence-aware application control fills the gaps that EDR leaves open
www.edr-telemetry.com
January 13, 2026 at 8:19 PM
At the EDR Telemetry project, we spend a lot of time measuring what EDRs can see. This article is about what they still cannot safely stop.

From LOLBAS to vulnerable drivers to unauthorized RMMs, I walk through the real-world gaps we keep seeing in telemetry and why application control is...
January 13, 2026 at 8:19 PM
In the screenshot below, you can see an example of this Skill in use (I'm using GPT 5.2-low in Codex)

Link to the skill: github.com/tsale/awesom...
January 8, 2026 at 6:16 PM
We have added a new analysis Skill thanks to @BlueTeamSteve! This skill can be used to quickly and accurately map the MITRE ATT&CK tactic and technique to threat behaviors and indicators you enter in the prompt, saving you a ton of time!
January 8, 2026 at 6:16 PM
We’ve also expanded 𝗘𝗻𝘁𝗲𝗿𝗽𝗿𝗶𝘀𝗲 options for organizations that need additional flexibility, scale, and support on top of the Advanced tier.

Check out the new tiers now: www.edr-comparison.com/pricing
EDR Comparison - Compare Endpoint Detection & Response Solutions
Make informed security decisions with expert EDR comparisons. Compare endpoint detection and response solutions with detailed feature analysis and side-by-side comparisons.
www.edr-comparison.com
January 7, 2026 at 5:02 PM
𝗪𝗮𝘁𝗰𝗵𝗚𝘂𝗮𝗿𝗱 𝗘𝗗𝗥. We’ve also introduced 𝗕𝗮𝘀𝗶𝗰 𝗮𝗻𝗱 𝗔𝗱𝘃𝗮𝗻𝗰𝗲𝗱 𝘁𝗶𝗲𝗿𝘀 to better reflect how different users engage with the platform. With the 𝗔𝗱𝘃𝗮𝗻𝗰𝗲𝗱 𝘁𝗶𝗲𝗿, we’re introducing a deep dive into the technical justification and expert analysis behind every single feature in our comparison.
January 7, 2026 at 5:02 PM
Since launching in November, the platform has already helped hundreds of consultants and enterprises navigate the complexity of EDR selection.

This release pushes things forward with a cleaner comparison UX, deeper evaluation context using MITRE ATT&CK evaluation data, and a new vendor added:
January 7, 2026 at 5:02 PM
𝗘𝗗𝗥 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗣𝗹𝗮𝘁𝗳𝗼𝗿𝗺 𝗨𝗽𝗱𝗮𝘁𝗲: 𝗡𝗲𝘄 𝗜𝗻𝘁𝗲𝗿𝗮𝗰𝘁𝗶𝘃𝗲 𝗖𝗼𝗺𝗽𝗮𝗿𝗶𝘀𝗼𝗻 𝗘𝘅𝗽𝗲𝗿𝗶𝗲𝗻𝗰𝗲, 𝗠𝗜𝗧𝗥𝗘 𝗔𝗧𝗧&𝗖𝗞 𝗜𝗻𝘀𝗶𝗴𝗵𝘁𝘀, 𝗮𝗻𝗱 𝗪𝗮𝘁𝗰𝗵𝗚𝘂𝗮𝗿𝗱 𝗘𝗗𝗥

We want to start by thanking everyone who supported us as early adopters.
January 7, 2026 at 5:02 PM
Feel free to contribute and use these skills to save a ton of time, like we already do.

github.com/tsale/awesom...

Learn about skills:
- developers.openai.com/codex/skills/
- support.claude.com/en/articles/...
GitHub - tsale/awesome-dfir-skills: A curated collection of DFIR skills and workflows for InfoSec practitioners.
A curated collection of DFIR skills and workflows for InfoSec practitioners. - tsale/awesome-dfir-skills
github.com
December 30, 2025 at 9:10 PM
𝗝𝘂𝘀𝘁 𝗹𝗮𝘂𝗻𝗰𝗵𝗲𝗱 𝗮𝘄𝗲𝘀𝗼𝗺𝗲-𝗱𝗳𝗶𝗿-𝘀𝗸𝗶𝗹𝗹𝘀 𝘄𝗶𝘁𝗵 @fr0gger_ !

Designed to save time during investigations and everyday DFIR tasks

Thomas has built an excellent malware triage skill, and I’ve added a couple of timeline analysis skills to help you get started.
December 30, 2025 at 9:10 PM
github.com/tsale/EDR-Te...

This is exactly the kind of vendor collaboration the project aims to promote.
PR with full details and artifacts:

github.com/tsale/EDR-Te...

Big thanks to the C-Prot team for setting a strong example for Linux EDR transparency.
December 29, 2025 at 3:00 PM
environment, validated event mappings, and published the raw logs from the evaluation so the community can independently verify everything.

Artifacts included:

• Real production telemetry logs
• Some screenshots from the platform

Validation material to reproduce the results can be found under
December 29, 2025 at 3:00 PM
We’ve just added 𝗖-𝗣𝗿𝗼𝘁 EDR to the EDR Telemetry Project and it sets a new bar for Linux telemetry!

C-Prot is currently #1 in the Linux EDR table, with exceptional depth and quality of raw telemetry. What really stands out is the level of transparency: we got direct access to a production...
Add C-Prot telemetry coverage to Linux EDR telemetry matrix by tsale · Pull Request #151 · tsale/EDR-Telemetry
EDR Telemetry Pull Request Contribution Details Adding comprehensive Linux telemetry support for C-Prot EDR, including detailed event mappings, field explanations, and validation artifacts. This co...
github.com
December 29, 2025 at 3:00 PM
Be careful what you install and avoid using skills from unknown or unverified libraries.

Read more about skills here:
- support.claude.com/en/articles/...
- developers.openai.com/codex/skills/
What are Skills? | Claude Help Center
Skills are available as a feature preview for users on Pro, Max, Team, and Enterprise plans. This feature preview requires code execution to be enabled. Skills are also available in beta for Claude…
support.claude.com
December 27, 2025 at 12:18 AM
One quick caveat tho, as skills libraries become more popular, where you will be able to search and find the right skill you want to install, we’re likely going to see malicious skills pop up that download and execute malware...
December 27, 2025 at 12:18 AM
Claude set a strong bar for structured, workflow-driven AI usage, and it’s no surprise we’re now seeing similar ideas across other platforms like OpenAI.

I’ve built DFIR and quick triage workflows that save me hours every time! The time savings really add up, and it’s completely changed how I work.
Agent Skills
Give Codex new capabilities and expertise
developers.openai.com
December 27, 2025 at 12:18 AM
Pretty 😍
December 25, 2025 at 9:22 PM
Merry Christmas everyone! Hope everyone’s enjoying some downtime 🎄
December 25, 2025 at 7:26 PM
Much of it remains applicable today, along with the threat hunting series, which I’m especially proud of.
December 23, 2025 at 5:10 PM
I’ve moved all of my blog posts from Medium to a new blog section on my personal website.

If you’re looking for a good read, I’d recommend my Cobalt Strike write-ups (Part 1 & Part 2) from 2021–2022.

kostas.page/blog/cobalt-...
Cobalt Strike, a Defender's Guide - Part 2
The second part of the Cobalt Strike defender's guide, focusing on network traffic analysis and practical detection methods to identify Cobalt Strike beacons in your environment.
kostas.page
December 23, 2025 at 5:06 PM
December 20, 2025 at 4:40 PM
Don't be naive. They will get rid of you at the first opportunity they find.
December 18, 2025 at 10:22 PM
Many large companies are using AI and forcing their employees to use their AI models. They do this to train their AI models, getting them ready to replace many low-level analyst positions.

If you are a security analyst in one of these big organizations, you need to have a plan B…
December 18, 2025 at 10:22 PM
Haha thank you, man! Appreciate you. Jokes aside, having passion and doing what you love is a big motivator. Helping people is also another one. At the end, we all come out winners.
December 16, 2025 at 9:16 PM
Ah, dammit! I think that might be an issue with the mobile version of the website. I'll check it out and fix it. Thank you very much! I guess this adds an element of challenge for signing up 😂

Regarding your question, it's easy, I don't sleep 😂
December 16, 2025 at 6:22 PM