Offensive, defensive, and threat-intelligence writeups, research, and projects by Cameron Cottam.https://cottam.io/https://cottam.io/offensive/indirect-syscalls-edr/https://cottam.io/offensive/indirect-syscalls-edr/A conceptual look at why user-mode hooking is a leaky abstraction — and what that means for defenders who rely on it.Sat, 06 Jun 2026 00:00:00 GMTred-teamEDRwindowsmalware-analysishttps://cottam.io/defensive/sigma-from-one-alert/https://cottam.io/defensive/sigma-from-one-alert/A single EDR detection is a starting point, not an answer. Here's how to turn it into a tuned, vendor-neutral Sigma rule without drowning in false positives.Thu, 04 Jun 2026 00:00:00 GMTdetection-engineeringsigmaEDR