DE on Mac Finally Has a Champion. Her name is Olivia Gallucci.

DE on Mac Finally Has a Champion. Her name is Olivia Gallucci.

macOS detection engineering has had a documentation problem for years. Everyone told Olivia Gallucci she was locking herself into a platform nobody cared about. Then infostealers showed up, enterprise Mac fleets exploded, and suddenly her work was the most in-demand research nobody knew existed. Olivia is a security engineer at Datadog living inside macOS internals...from Apple Silicon boot chain to ESF event families to IOKit abuse....and she is single-handedly dragging macOS DE into the light. In this episode we get into: * Why you can't just flag osascript anymore and what to look at instead * The process tree trap that trips up every Windows-native DE who crosses over * Background Task Management: the persistence metadata everyone's sleeping on * Living off the Orchard binaries * Why your EDR is abstracting macOS telemetry from you and what to do about it * Jonathan Levin's books, Jaron Bradley's Sprite Tree, and the resources that actually matter Follow Olivia's work on:  * oliviagallucci.com | [ret]2read — An OS Internals Newsletter (Substack) * LinkedIn: linkedin.com/in/olivia-gallucci * 2026 main stage at BlackHat  Detection Dispatch (Alex's Version) is an independent detection engineering & threat hunting podcast. Rebuilt. Community-first. Featuring a lineup of the real and active projects pushing the limits of detection engineering, threat hunting, and everything in between.

GRC, the Passenger Princess of the SOC? feat. Ayoub Fandi

GRC has been called the passenger princess of security for too long. In this episode, Alex sits down with Ayoub Fandi, GRC engineer and author of the GRC Engineer newsletter, to make the case that GRC and detection engineering are solving solving the same problems and somehow still not working together. This episode covers: * Why GRC plays PvE while everyone else in security plays PvP and why that actually makes them your best ally * How auditors certify 100% coverage from less than 1% of your environment  * Detection debt meets GRC debt: what inheriting someone else's program looks like on both sides * Vibe coding, AI agents deleting production databases, and what that means for both of our jobs Ayoub's newsletter and podcast: GRCengineer.com Detection Dispatch (Alex's Version) is an independent detection engineering & threat hunting podcast. Rebuilt. Community-first. Featuring a lineup of the real and active projects pushing the limits of detection engineering, threat hunting, and everything in between.

A DE's Guide to Staying in the Loop feat. Your Favorite Detection Engineering Instructor Hayden Covington

Detection Dispatch (Alex's Version) episode two brings on the person who treats detection engineering like an actual craft....not a vendor feature list, not a MITRE bingo card, not a vibe coded rule you ship and forget. Hayden teaches detection engineering at Antisyphony Training and runs the SOC at Black Hills Information Security, which means he's not theorizing. He's got the reps, the scars, and even a home SIEM with documentation. This is the episode for practitioners who are watching Claude write their detections and quietly wondering if they're slowly getting worse at their job. In this episode we cover: * The detection lifecycle nobody actually closes: research, write, validate and the canary step that tells you whether your thousand rules are quietly dead in the water six months from now. * The CTI firehose problem. When every vendor blog is just an ad wearing a threat report costume, how do you find the gold? (Hint: DFIR Report and Google TI don't need your clicks) * AI writing detections: yes, with caveats. No for junior engineers who've never written a query. And absolutely not without a review agent, an experimental pipeline, and final approval from a human who still knows how to dribble the ball. * Why you cannot send AI out like a Pokémon and what happens to your detection program when you try. Find Hayden at @kilobytethedust and at antisyphontraining.com [http://antisyphontraining.com]. Detection Dispatch (Alex's Version) is an independent detection engineering & threat hunting podcast. Rebuilt. Community-first. Featuring a lineup of the real and active projects pushing the limits of detection engineering, threat hunting, and everything in between.

Axios, Mythos, and a Lethal Trifecta Walk Into a SOC  feat. John Hammond

Detection Dispatch (Alex's Version) premieres with John Hammond...Huntress senior researcher, former DoD red team, the guy 2M+ people watch break attacks down in real time for the red-meets-blue conversation the week forced into existence. Alex came up blue. John came up red. They meet in the middle on the three stories eating the industry alive. In this episode we cover:  * Axios: one patient social engineer, a fake founder Slack workspace, and an NPM maintainer who never stood a chance.  * The lethal trifecta: private data, untrusted content, network egress. When all three show up in one agent, there be dragons. Why prompt injection isn't getting solved, and what that means for your MCP sprawl. * Mythos + Project Glasswing * The red teamer's detection wishlist Find John at @_JohnHammond, jh.live, and on Huntress's Declassified. Detection Dispatch (Alex's Version) is an independent detection engineering & threat hunting podcast. Rebuilt. Community-first. Featuring a lineup of the real and active projects pushing the limits of detection engineering, threat hunting, and everything in between.