Research interests
I watch attacks happen, investigate how attackers operate, and use methods ranging from honeypots and internet-scale measurement to AI to understand cyber threats.
Cyberattack Observation & Monitoring
Honeypots and internet-scale scanning to watch attacks as they happen — IoT botnets, internet-exposed devices, and exploit activity. The method everything else grows out of, going back to IoTPOT.
Threat Actor & Attacker Behavior Analysis
Following what observed attacks lead back to — Initial Access Brokers, ransomware operations like LockBit, and how attackers adapt once they know they're being watched.
AI/LLM-Assisted Threat Intelligence
Using LLMs to turn what I observe — malware samples, forum posts, Telegram channels — into actionable understanding of attackers, at a scale manual analysis can't reach.
Malware & Sandbox Evasion Analysis
Studying how malware evades detection, including LLM-generated evasion techniques, and building the defenses to catch it.