Every analyst keeps a graveyard of unfinished notes. Half-written triage docs. A regex that worked once and got buried in a Teams chat. The clean version of a YARA rule you'll definitely write up later, and never do.
The Fuzz is where mine live now.
Why this blog exists
I started writing things down for me, not for the internet. After a few years of detection engineering, DFIR rotations, and the occasional malware sample on a quiet evening, I had a folder full of fragments: half-finished IOC pivots, screenshots of memory dumps with arrows, code snippets I knew I'd need again.
Putting them on the open web does two things:
- Forces me to finish the thought. A draft in my vault stays a draft forever. A draft that has to render correctly, link to a real CVE, and survive scrutiny is a real piece of work.
- Makes them findable. If I needed this writeup once, someone else probably will too.
What you'll find here
The five categories on the archive page aren't aspirational. They map to the work I actually do.
- Malware analysis. Static and dynamic. Not exhaustive, just the parts that took me longer than they should have.
- SOC / detection engineering. YARA rules, hunt queries, the noisy false-positive stories.
- Threat intel. Pivots from one indicator to a campaign. The "how" more than the "who".
- CTF writeups. HTB, THM, picoCTF. Less for the points, more because they're a useful sandbox for techniques you can't safely practice on real infrastructure.
- Tools & scripts. Things I built or wired together that I'd want again.
DFIR runs through most of these. When I write about memory forensics or a timeline reconstruction, that's where the day-job lives.
What you won't find
- Hot takes on the latest APT report. There's enough of that.
- Breathless vendor announcements. Same.
House rules
- Every post links its sources or shows the artifact (rule, snippet, dump).
- IOCs are defanged (example[.]com, 185[.]244[.]181[.]14) so this page doesn't get flagged by your perimeter.
- Code blocks are runnable or near-runnable. No pseudocode pretending to be working tooling.
That's it. Welcome to The Fuzz. The first real writeups are already in the archive. Start there if you'd rather skip the meta and read something technical.