@mathias_fuchs profile picture
Mathias Fuchs @mathias_fuchs

Something with IR and Intelligence @InfoGuardAG, Certified Instructor and author @SANSInstitute (@SANSEMEA), Former Principal IR Consultant @Mandiant

Joined October 2009
  • Tweets 1,221
  • Following 952
  • Followers 3,099
90 Photos and videos
Anthropic just disabled Fable 5 & Mythos 5 worldwide after a U.S. export order banned all non-citizens from using them. The model was live for ~72 hours. The ban isn't the story. What it reveals about Europe's dependence is. medium.com/@mathias.fuchs/wh…

When a Partner Pulls the Plug: What the Fable 5 Ban Tells Europe About Digital Autonomy

On the evening of 12 June 2026, Anthropic abruptly disabled access to its two most capable models, Fable 5 and Mythos 5, for every user…

medium.com
7
451
Mathias Fuchs retweeted
Cooper@Ministraitor
Apr 25
Today, after a long battle with cancer, we lost @FVT His wife asked that we share the news of his passing, "His love for the community that he was in (as a curmudgeon). His joy for being involved with every thing that he & any team that he worked with. He fought to the very end."
4
12
2,857
Frontier models don't just drift. They get quietly starved of compute when the vendor needs GPUs for the next one. That's fine for a chatbot. It's an audit problem for anything making security decisions. medium.com/@mathias.fuchs/yo…

Your AI Detections Are Rotting: Model Drift as a Hidden Risk in Security Operations

Why the model behind your classifier quietly changes, why that matters more for detection than for almost any other use case, and why a…

medium.com
265
We built a thing. WarroomX — AI-assisted scenario creation, synchronized observer notes, reports that don't require a ouija board to reconstruct. Tabletop exercises that actually work. Launching Q1. Full breakdown: medium.com/@mathias.fuchs/th…

The Crisis That Never Happened: Why Tabletop Exercises Are the Best Thing You’re Not Doing Enough

In my last piece, I talked about the tools that transfer across crisis domains — from the back of an ambulance to 10,000 feet to your SOC…

medium.com
1
1
316
Most EDR tests are easy mode — Agents spawning commands, “AtomicTest-T1055.ps1.” Your SOC spots them instantly. GHOST changes that: Zero footprint. Real attacker commands. Realistic process trees. If analysts can’t tell it’s a test, you’re ready. More: medium.com/@mathias.fuchs/gh…

GHOST Framework: Zero Footprint EDR Testing That Trains Your Analysts for Real Threats

Genuine Host Operations Security Tester — “Zero Footprint. Maximum Impact.”

medium.com
6
672
🚨 Identity is now global. Are your IR skills? Explore how breaches leverage Microsoft, Google, Apple, GitHub, and AWS—and master the practical GLIDER Framework for modern incident response. Full guide here 👉 medium.com/@mathias.fuchs/fr… #CyberSecurity #IncidentResponse #GLIDER

From Local to Global: The Evolution of Identity in Incident Response

Introduction

medium.com
8
601
Attackers love RDP for sneaky lateral moves—but every pixel leaves a clue! 🕵️‍♂️ Check out my latest blog on tracking attackers through logs, bitmap caches, and clipboard trails (plus a printer tale too funny to miss). #DFIR #BlueTeam #CyberSecurity medium.com/@mathias.fuchs/ch…

Chasing Ghosts Over RDP: Lateral Movement in Tiny Bitmaps

Introduction

medium.com
3
83
270
26,001
🗓 Logs lie. Prefetch tattles. ShimCache whispers. Timestamps dance. Building timelines in DFIR isn’t just science—it’s chaos theory in action. Join me in taming Chronos: medium.com/@mathias.fuchs/ch… #DFIR #IncidentResponse #CyberSecurity

Chronos vs Chaos: The Art (and Pain) of Building a DFIR Timeline

Building a coherent DFIR timeline can feel like wrangling the Greek god of time (Chronos) while fending off complete chaos. Timelines are…

medium.com
5
19
1,052
🚨 Bob from Accounting could be your biggest cyber threat. Seriously. 83% of orgs saw insider attacks last year. Tesla sabotage, Snowden leaks—your office has never felt spookier. Read how to spot & stop these insider rogues 👉medium.com/@mathias.fuchs/un… #CyberSecurity #InsiderThreat

Understanding and Mitigating Insider Threats

Introduction: The Call is Coming from Inside the House

medium.com
3
530
🕵️‍♂️ How do attackers ghost past your EDR? New blog post dives deep into evasion tricks—LOLBins, memory games, syscall magic & more. Time to up your detection game! 👻🔍 👉 medium.com/@mathias.fuchs/gh…

Ghosts in the Endpoint: How Attackers Evade Modern EDR Solutions

Endpoint Detection and Response (EDR) solutions are the cyber sentinels on our endpoints — vigilant guards that monitor system behavior…

medium.com
3
18
892
Tier 1 SOC Analysts: Highest responsibility, least experience, infinite alerts—what could go wrong? Plenty. Find out how automation and AI could save your analysts' sanity (and yours). ☕️🤖 #CyberSecurity #SOC #AI medium.com/@mathias.fuchs/wh…

Why Being a Tier 1 SOC Analyst Is Practically Impossible (And What to Do About It)

Disclaimer: This article isn’t an attack on Tier 1 SOC analysts. Far from it — it’s a heartfelt tribute to their Herculean task, and a…

medium.com
2
362
Choosing an IR partner = Picking a parachute packer. 🪂 Know your red flags 🚩, must-haves ✅, and absolute no-gos ❌ before you're in free-fall. Dive into my latest blog 👉 medium.com/@mathias.fuchs/ch… #CyberSecurity #IncidentResponse #DFIR #CISO

Choosing an Incident Response Partner: Red Flags, Must-Haves, and Deal‑Breakers

Selecting the right incident response (IR) partner can feel like choosing a parachute packer for your skydiving trip — you need someone…

medium.com
4
549
Last week: macOS forensics (easy!). This week: Linux forensics (not easy at all!). Ever wondered why Linux is tougher than Windows forensics? Scripts, logs, chaos! ☕🐧 #DFIR #Linux #CyberSecurity medium.com/@mathias.fuchs/li…

Linux Forensics is Harder than Windows (Here’s Why)

Introduction

medium.com
1
9
585
Think Mac forensics is harder than Windows? Think again. 🍏 Unified logs, fewer artifacts, built-in snapshots—macOS might be easier for DFIR. Except memory. That’s still hell. 🔥 Full deep dive for IR pros here 👉 medium.com/@mathias.fuchs/ap… #DFIR #macOS #forensics #cybersecurity

Apples to Apples: Why macOS Forensics Can Be Easier Than Windows

Introduction

medium.com
1
8
479
🛡️ Microsoft's new ReFS filesystem is changing the rules of digital forensics & IR. NTFS artifacts are evolving—are you ready? Read our deep dive here: medium.com/@mathias.fuchs/th… #DFIR #ReFS #CyberSecurity #IncidentResponse #Forensics

The Impact of Microsoft’s ReFS on DFIR

A New File System, New Forensic Challenges

medium.com
1
2
12
889
Even the best responders can’t work miracles in the dark. 🔍 Why visibility is everything in incident response – and what EDRs & network monitoring don't tell you. Read the blog 👉 medium.com/@mathias.fuchs/fr… #DFIR #CyberSecurity #IncidentResponse #Velociraptor

From All-Seeing to Flying Blind: A Journey in Incident Response Visibility

From All-Seeing to Flying Blind: A Journey in Incident Response Visibility Introduction I never realized how much I leaned on near-omniscient visibility during investigations until I transitioned …

medium.com
315
🚨 What aviation taught us about handling cyber crises ✈️ When incidents hit, it's not just tech that saves the day —it's teamwork. I just published a new article on how Crew Resource Management from aviation can level up incident response and crisis management in cybersecurity.
1
3
223
medium.com/p/c062d29affc2

Applying Crew Resource Management (CRM) Principles to Cyber Incident Response and Crisis Management

1. Introduction

medium.com
173
Brilliant!
Stephan Berger
@malmoeb
8 Sep 2022
No way, this really works! 🤯 % dig txt dfir.<redacted>.<tld> short [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('DFIR FTW!','BlueTeam <3')
3
696
Mathias Fuchs retweeted
SANS DFIR@sansforensics
31 Oct 2024
🎉 Congrats to @mathias_fuchs on being promoted to #SANS Senior Instructor! Mat is an instructor for #FOR508 & #FOR608. Congrats again, Mat! We are so lucky to have you be an instrumental part of the #DFIR curriculum! 👏 Learn more about Mat, here: sans.org/profiles/mathias-fu…
3
2
17
2,176
Load more