Cyber Security

> defend.intel().respond().monitor()

Three products, one playbook. Weekly CVE intelligence scoped to what you ship, ransomware response briefings for the 2am call, and AI-powered SOC consulting for teams that have outgrown alert triage. Plus a real monitoring setup for builders on AWS, Vercel, Supabase, and GitHub.

// THE STACK

Three pillars. One front line.

// weekly intel

CyberHawk

Weekly CVE digest sifted from CISA KEV and NVD high/critical, scoped for AI builders, vibe coders, and OSS maintainers. Plus a one-line Cowork prompt that turns the digest into a recurring repo audit.

→ Read this week

// ai consulting

AI for Cybersecurity

SOC automation, AI threat detection, and SOAR playbook generation for teams ready to cut alert noise by 85% and triage 10x faster. Assessment, implementation, and managed advisory engagements.

→ See engagements

// MONITORING & DETECTION

"How would I know if someone was hacking my site?"

Honest answer: for a typical static-site-plus-serverless stack, most attack signals are scattered across six different consoles and nobody's watching any of them. Here's where attacks actually surface, ranked by what matters most for builders running on AWS, Vercel, Supabase, and GitHub.

Vercel Firewall & Runtime Logs

The dynamic surface (any API route, any serverless function) is your highest-signal target. Vercel's firewall logs blocked requests, rate-limit hits, and the paths scanners probe first.

Spike of 4xx on /api/*, suspicious paths like /.env or /wp-admin, repeat hits from one IP

Supabase Advisors & Auth Logs

Run Supabase advisors regularly — RLS misconfig is the #1 way Supabase projects get owned. Auth logs catch credential stuffing and password sprays.

RLS-enabled tables with no policies, SECURITY DEFINER funcs callable by anon, failed-login bursts

PostHog Traffic Anomalies

Not a security tool, but the cheapest scanner detector you have. Filter for known bad User-Agents (sqlmap, nuclei, nikto) and requests to paths your app doesn't serve.

404 spikes on /admin, /.git/config, /wp-login.php from a single ASN

AWS GuardDuty & CloudTrail

CloudTrail logs every API call against your AWS account. GuardDuty flags credential abuse, crypto-mining, and reconnaissance — ~$3/mo for a small account is cheap insurance.

Root account login, unfamiliar region activity, IAM key usage from a Tor exit, sudden EC2 spend

GitHub Secret Scanning & Dependabot

Free with every repo. Secret scanning catches leaked API keys (often within minutes of a push). Dependabot flags vulnerable dependencies before anyone exploits them.

Dependabot alert on a top-100 npm package, secret-scanning hit on a recent commit

CloudFront Access Logs & WAF

Static-site CDNs are usually unprotected at L7. Turn on access logs to S3 and query them weekly with Athena. AWS WAF adds managed rule sets for the OWASP Top 10 if you outgrow this.

Scanner UA hits, path-traversal patterns, bot crawlers ignoring robots.txt
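As an added illustration (not code from this page or from any of the products it describes), here is a small Python triage pass over constructed access-log lines that flags three of the signals above in one go: scanner User-Agents, probes of the listed paths, and repeated 4xx responses from a single IP. The combined log format, the sample lines, and the 4xx threshold are assumptions for the example.

```python
import re
from collections import Counter

# Paths and User-Agents the sections above name as the first things scanners probe or announce.
SUSPICIOUS_PATHS = ("/.env", "/.git/config", "/wp-admin", "/wp-login.php", "/admin")
SCANNER_UAS = ("sqlmap", "nuclei", "nikto")
FOUR_XX_THRESHOLD = 3  # assumed: repeat 4xx hits from one IP before it is flagged

# Combined log format (Apache/Nginx style); CloudFront and Vercel fields differ but carry the same data.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def triage(lines, threshold=FOUR_XX_THRESHOLD):
    """Return findings: scanner UAs, probes of known-bad paths, and IPs with repeated 4xx."""
    findings = {"scanner_ua": [], "bad_path": [], "repeat_4xx": {}}
    fourxx = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not fatal
        ua = rec["ua"].lower()
        if any(s in ua for s in SCANNER_UAS):
            findings["scanner_ua"].append((rec["ip"], rec["ua"]))
        path = rec["path"].split("?", 1)[0]  # ignore the query string when matching
        if any(path == p or path.startswith(p + "/") for p in SUSPICIOUS_PATHS):
            findings["bad_path"].append((rec["ip"], path))
        if 400 <= rec["status"] < 500:
            fourxx[rec["ip"]] += 1
    findings["repeat_4xx"] = {ip: n for ip, n in fourxx.items() if n >= threshold}
    return findings

# Constructed sample lines (not real traffic); 203.0.113.0/24 etc. are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:02:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:02:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:02:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Jan/2025:02:05:00 +0000] "GET /api/users?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '192.0.2.9 - - [01/Jan/2025:02:10:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
```

Run `triage(SAMPLE_LOG)` to see the three findings; the same function can be pointed at a day's worth of exported CloudFront or Vercel lines once the regex is adjusted to that format.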

The realistic threat model for a builder stack

You're not a high-value target for nation-state campaigns. What you'll actually see, in order of likelihood:

  • Opportunistic scanners hammering /wp-login.php, /.env, /admin, /.git/config
  • Form-spam and signup-spam through public RPC endpoints
  • Credential-stuffing against any auth endpoint with public sign-up enabled
  • Stolen platform credentials from a leaked commit or compromised dev machine — this is the real risk, not someone "hacking the site"
  • Supply-chain compromise via a malicious npm/pip dependency update

// QUICK WINS

The cheapest things that move the needle.

  • Enable AWS GuardDuty (~$3/mo) — one CLI command
  • Run Supabase advisors weekly; fix all ERRORs and triage WARNs
  • Turn on Supabase leaked-password protection in Auth settings
  • Verify GitHub secret scanning + Dependabot are on for every repo
  • MFA on AWS root, Vercel, Supabase, GitHub, and your domain registrar
  • AWS billing alerts — sudden spend is often the first compromise signal
  • Enable CloudFront access logs to S3 (~pennies/mo)
  • Lock the domain at the registrar; DNS hijack is a one-shot kill

Need help wiring this up for your team?

30-minute strategy call. We walk through your stack, flag the highest-impact gaps, and map an AI-powered SOC roadmap if there's a real engagement to scope. No pitch — just an honest read.

Book a Strategy Call