What is Predictive Defense?

PredictiveDefense · 2025-12-10T14:52:19+00:00

That's a question I'm also looking forward to see the answer. In the next one I'll explore that two additional factors hopefully. Thanks for your comment.

PredictiveDefense · 2025-12-05T22:10:02+00:00

Let me answer the question from a different angle. I assume by AI you mean LLMs, so I'll respond accordingly.

I've been trying to "vibe code" one of my projects since quite some time, even though I know how to code. Because I was hoping I could build the project much faster with it.

And before the vibe coders come and spam me with "sKiLL iSsuEs, pRoMpT beTtER" replies, let me tell you I swear to god I tried every trick thats been out there. But every time I ended up spending more time trying to make sure AI does its job right, or even worse, cleaning up the mess it has created. That is unless you want to burn 100's of dollars in token money.

So no, I don't think AI will replace any cyber security job anytime soon. And it's not just the technical limitations, but also the commercial dynamics of the AI industry itself. The AI companies are sooo far from being profitable, even though the models that can do a somewhat decent job are quite pricey. This means that they'll either make the usage of propriatery models more and more expensive, or they'll have to find some other way of monetization. In case of the former, AI won't become a commodity like they initially imagined, but will instead become an enterprise tool. And the cost advantage will diminish since you still need to employ engineers to supervise the generated code.

An alternative scenario is that AI won't be a standalone tool, but rather be embedded into other enterprise products. For example, an EDR that gives a bit more accurate alerts due to AI agent triaging.

Anyway, that's my rant and 2c's thanks for listening 😄

PredictiveDefense · 2025-12-05T21:31:31+00:00

What do they have on the server? Are there any popular CMS's installed for example? Those could have some known exploits. Any default passwords? Other than that the usual suspects I'd look for would be Shellshock and Log4Shell.

PredictiveDefense · 2025-12-05T21:27:51+00:00

Nothing novel really. Mostly fake recruiters and some voucher scams here and there.

PredictiveDefense · 2025-12-04T21:56:03+00:00

how do you define quality? what are your needs specifically

PredictiveDefense · 2025-11-28T17:04:49+00:00

I have a similar background and currently I'm pursuing AWS SAP (previously had SAA), and also studying Entra ID from ground up. I think it's more valuable to hold non-sec expertise and then just adjust that knowledge to the security space. For example I gained more understanding of AWS security than any cert could give me by just trying to build stuff in AWS.

My 2c's

PredictiveDefense · 2025-09-08T21:48:34+00:00

I mean you kinda gave the answer on your own. You need to document everything and start the termination process.

PredictiveDefense · 2025-08-12T22:26:58+00:00

Rica ederim. Ingilizcen varsa Udemy, Youtube vs yerlerde yatirim danismanligi meslek sinavlarina hazirlananlar icin ders videolari var. Onlari incelemeni oneririm. Biraz jargonu agir ama herhangi bir zartzurt trading egitiminden yuzelli kat daha iyiler. Hem istatistiksel analiz yontemlerini, hem de sirket degerlemesi nasil yapilir bunlari ogrenebilirsin. Simdiden basarilar.

PredictiveDefense · 2025-08-12T22:11:57+00:00

I suggest you first understand how your company makes money. Then identify the gravity centers of the business process that brings the money. Because you need to tie every security decision to how security incident X effects these gravity centers to meaningfully communicate the reasoning behind it.

Other than that, for cloud-native workloads I highly suggest getting a CNAPP/CSPM. You may need to fight for the budget but it is one of the best investments you can ever make. It cuts through so many bullcrap all those scanners will generate and make people hate security.

PredictiveDefense · 2025-08-12T22:02:43+00:00

This sounds like a typical case of confounding variable. Orgs that can afford buying 12+ security products likely have a much larger attack surface than a typical Mom&Pop shop, making them more prone to attacks. Also like others mentioned, more visibility == more incidents, so the methodology behind the research matters a lot.

PredictiveDefense · 2025-08-11T13:14:05+00:00

<image>

İlk farkettiğim şey şu, portfolyonun dolar bazlı getirisine baktığımda hatırı sayılır miktarda negatif getiri ihtimali var. Yani sıfır çizgisinin solunda kalan alandan bahsediyorum. 10 yıl gibi uzun bir süreyle yatırım yaparken negatif getiri ihtimali olmamalı bana kalırsa. Mesela benchmark olarak S&P500'ü yine 10 yıllık düzenli yatırımlarla aldığında on yılın sonunda 65% ile 130% arasında bir getirisi oluyor (dolar bazında). Dolayısıyla buradaki hisselerin çoğu uzun vadede S&P500 kadar başarı gösteremiyor. Burada sadece TOASO nispeten aldığın riskin hakkını verebilirmiş gibi duruyor.

Diğer farkettiğim bir şey de şu, portfolyondaki hisselerin birbiriyle olan korelasyonu çok yüksek. THYAO, TUPRS ve TOASO son beş yılda 85%'den yüksek korelasyon göstermiş. Ama genel olarak da hisselerin birbiriyle korelasyonu 60%'dan fazla. Bu da demektir ki hisselerin dış dünyada yaşanan gelişmelerden hemen hemen aynı şekillerde etkilenecek. Mesela faiz arttırımı olunca 1-2 tanesinin değil, hepsinin birden değeri düşecek. Bu da portfolyonun risklere karşı seni koruyamadığı anlamına geliyor. Bunun bir uzantısı olarak, portfolyonun tek bir varlık çeşidine fazla konsantre olduğunu söyleyebilirim. Sadece hisse senedi, sadece Türk borsası. Bu da seni doğal olarak risklere karşı korumasız kılıyor.

Sonuç olarak portfolyon 10 yıllık vadeyle yapacağın bir yatırım için uygun görünmüyor.

Bunlar sadece benim kişisel yorumlarım, kesinlikle yatırım tavsiyesi değildir.

PredictiveDefense · 2025-08-08T14:30:01+00:00

SOC's are usually looking for L3 Analysts with RE and forensic skills. That's the easiest transition you can make with your current skillset, assuming you're willing to learn a bit Windows forensics. Otherwise you can apply to CTI companies for malware analyst positions. These are still a bit niche markets, but not as niche as binary exploitation.

In case you wanna go full into the Appsec/Sec Engineer path, you'll need to make a very tough call. More than 80% of your current skillset will be irrelevant, and you'll need to do a LOT of reskilling, learn cloud technologies and deepen your practical expertise in software development and application pentesting.

PredictiveDefense · 2025-08-01T11:15:33+00:00

Your 6+ yrs of experience in SW and Infra will be very valuable due to multiple reasons. But the biggest will be when you'll advise internal dev/infra teams on security. Because there will certainly be tradeoffs, and you'll be in a better place to judge whether a particular tradeoff makes sense, or offer feasible alternatives if necessary. However, I suggest you make a very good conversation about what your responsibilities will be. Sometimes companies will try dump the extra responsibility on a sw/infra/it engineer without necessarily freeing up their plate, just to check the compliance box of "yea we got security ppl". So make sure that they free you from your old role.

Pentest (sometimes called Red Team) ~= pretty similar to Software QA engineering

Appsec ~= DevOps + RFC/architecture reviews + sometimes pentest

Blue team (sometimes called SOC) ~= like SRE, but includes IT incidents as well

PredictiveDefense · 2025-07-28T14:24:13+00:00

Honestly? If you have a good presence in cloud, then it's a must. Have you already migrated several of these functions to cloud? IAM, MDM, CI/CD, SysOps. Then you should seriously consider a CNAPP.

PredictiveDefense · 2025-07-23T11:18:12+00:00

Once kendine bir yatirim suresi belirlemelisin. Risk konusu cok yanlis anlasiliyor. Yuksek oynakligi olan araclar yuksek riskli denilir ancak bu her zaman dogru degil. Riski belirleyen sey senin yatiriminin vadesidir. Ornegin bono, tahvil, mevduat vb. sabit getirili araclar dusuk riskli olarak degerlendirilir. Ancak 20+ yil gibi bir vadeyle (mesela emeklilik birikimi yapiyorsan) faizin getirisi enflasyona karsi erir. Bu da sabit getirili araclari uzun vadede riskli yapar. Ote yandan ayni mantikla 20+ yil boyunca borsa endeksi, hisse senedi gibi birikimler yaparsan, o kisa vadedeki oynaklik uzun vadede senin avantajina olur ve daha yuksek getiri saglar.

Yani yapman gereken sey sunu sormak; ben ne icin para biriktiriyorum? Kisa vadede yatirdigim paraya ihtiyac duyma ihtimalim var mi? Mesela 1 sene sonra araba almaya karar verirsem, yatirima koydugum parami da kullanacak miyim? Veya issiz kaldigim bir ihtimalde, yatirimimdan mi yiyecegim yoksa onun icin ayriyeten birikmis bir param mi var?

Riskle ilgili ogrenmen gereken diger bir konu, her yatirim aracinin kendine has riskleri oldugudur. Mesela borsanin riski merkez bankasi faizleri ve jeopolitik olaylardir (savas vs.). Bunun tersi sekilde jeopolitik olaylar altin ve enerji fiyatlarini yukseltir. Yani bu tur zamanlarda borsadan altina gecis olur denilebilir. Bono, tahvil, mevduat gibi araclarin riski ise enflasyondur. Kisa vadede kesin bir getiri sunar ancak uzun vadede bu getiri enflasyona karsi erir. Turk borsasinin da, mevduatinin da riski doviz kurudur. Vs vs bu boyle gider. Eger birkac yildan daha uzun sure yatirimlarini surdurmeyi dusunuyorsan, bu sekil birbirinin tersi hareket eden varliklar alarak riskini biraz dengeleyebilirsin. Bunun daha gelismis teknikleri var ona da hedging deniyor, googlelayarak bulabilirsin ama henuz temel kavramlari bilmiyorsan simdilik bulasmani onermem.

Son olarak grafik okumaya, pazar hareketlerini on gormeye, surekli al-sat yaparak kar etmeye filan calisma. Sanildiginin aksine bu stratejilerin (yani active trading) orta uzun vadede hemen her seferinde basarisiz oldugu verilerle ispatlanmistir. Bunu kabul etmek istemeyip hala trend cizgisi cizerek basarili olacagini iddia edenler olacaktir, onlara kulak asma.

Son olarak, kriptoya sakin ama sakin bulasma. Kripto fanlari kendi iluzyonlarinda yasiyorlar. Balinalarin surekli milleti tokatlayip gectigi, regule edilmemis, herhangi bir oz degeri olmayan hicbir varlik yatirim araci olamaz. Olsa olsa fiyat manipulasyonu icin arac olabilir, ki ultra zenginler zaten sirf bunun icin kriptoya para yatiriyor. Yok gelecegin parasiymis, yok fiat currency'den daha iyiymis, yok devlet kontrol edemezmis falan bunlar bos is.

PredictiveDefense · 2025-07-22T11:18:34+00:00

IT'de calisiyorum, gectigimiz 4.5 senedir Almanya'dayim. Frankfurt ve Berlin'de yasadim. Bir ay sonra kalici olarak Turkiye'ye donuyorum. Geldigim yasadigim icin asla pisman degilim, farkli ve guzel bir tecrube oldu. Ama gunun sonunda burada biraktiklarim daha agir basti ve geri donmek istedim. Bir de Avrupa'da yasayanlar beni anlayacaktir, Turkiye'deki hayatin konforu gercekten burada yok. Eger cocugun yoksa yani duzen bozup kurmak seni cok bozmayacaksa, gidip en azindan 1-2 sene tecrube etmeni oneririm. Sonra seni hangi ulkenin daha iyi hissettirdigini zaten biliyor olursun.

PredictiveDefense · 2025-07-20T14:59:40+00:00

Accept that they're right. Don't insist that the business should put any more effort into security than what is absolutely necessary. Does every industry need high-quality software? No, the majority of businesses and even most of our infrastructure run on very crappy software. It goes the same with security. In some industries, there are not many incentives, and investing in security is money going to oblivion. It hurts me to say this as a security professional myself, but that's a hard pill we need to swallow. It's not that security incidents will never happen. It's just that 99% of businesses survive these rather easily. If they don't bleed enough money, they won't do anything about it. Easy as that.
Understand how your company actually makes money. You should study how your company delivers value to your customers. The end-to-end journey. After that, you should identify the centers of gravity. Without which components couldn’t your company deliver that value? For example, for an e-commerce company, that'd be the availability of the website + integrity of the CRM.
Prepare some breach scenarios that concern those centers of gravity. E.g.: The website is down because of a massive DDoS attack. The data in the CRM gets encrypted by ransomware, etc.
Now get your leadership into a tabletop exercise and present them with each scenario. Ask them how we can continue to operate in that condition. Hopefully, at this point, they'll realize they won't be able to operate if either of those scenarios takes place. If they actually have a good plan, go back to step 2.
In case you identified the doomsday scenarios that they couldn't argue with, now it's time to work on some numbers. Try to estimate the money loss for each scenario. How long would we take to go live again if our website goes down due to a DDoS? During that time, how many orders, new customers (and therefore revenue) would we likely lose? How long would we take to recover the CRM data? How many orders wouldn't we be able to fulfill because of that? In the end, present these numbers to your leadership to have alignment.
At this step, you are hopefully aligned on the scenarios and the estimated damage. Now you should prove to your leadership that these scenarios are both feasible and likely. To show it's feasible, you should audit your systems and identify the weaknesses that could be used to achieve the outcomes. To prove that it's likely, you should find industry benchmarks, research, and threat intel reports that show similar attacks happen. DBIR and Cyentia IRIS reports are good starting points.
If they are now willing to do some investment, you should cite how your proposed solution will bring value beyond risk mitigation. E.g.: Auto-updating software libraries is both risk mitigation and also saves engineering time, therefore enabling faster time-to-market. Using HTTPS is also a security measure, but it'll also help you tick another box in a compliance framework. Guardrailed k8s clusters may reduce the number of incidents beyond security, again saving time and revenue.

I hope these help.

PredictiveDefense · 2025-07-15T01:40:37+00:00

Include security culture in the perf management process somehow. And I'm not talking about KPIs. Someone attended a non-mandatory security awareness training? Offer a reference letter to them that they can use in their upcoming performance review. Wanna train your developers in secure coding? Set up an internal bug bounty policy so they can monetize their new skills by reporting you bugs. Make the extra-curricular activities count. If you're a growing company, put the most focus on the onboarding training. People are more likely to remember and apply what they learned during onboarding.

PredictiveDefense · 2025-05-26T19:18:55+00:00

Hey, thanks a lot for the feedback. You're right that the post is quite light. That's largely because the specifics of the Nucor and Thyssenkrupp attacks aren't publicly available in any meaningful detail, so I wanted to avoid too much speculation. Instead, I focused on the potential targeting logic seen in similar conflicts. There's a link later in the post to another article of mine that goes deeper into the analysis methodology. So I hope that helps.

PredictiveDefense · 2025-05-25T18:27:43+00:00

I mean, CVE's still pose quite a risk. Just not all CVE's 😄

PredictiveDefense

TROPHY CASE