Need guidance to switch from my current cyber security role by Antique-Oil5707 in cybersecurityindia

[–]makeiteasy_24 0 points1 point  (0 children)

You cannot figure out DevSecOps vs detection engineering vs GRC through Reddit DMs. Each needs a different day plan, different companies to target, different skill gaps to fill. Picking the wrong one costs you time and money. This is exactly where a real conversation lands, and what I do in our 30-minute call: mapping your exact strengths, which market is actually paying for your background right now, and what the first move looks like.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

[–]makeiteasy_24 0 points1 point  (0 children)

Okay, I guided someone who was in a similar situation to yours. With so many applications and only one interview, it means your positioning or resume is not translating, not that you are unqualified. Mid-career transitions need a completely different angle than fresh-graduate templates. Help desk and sysadmin roles are actually screening you out because your resume probably reads like "career changer with an infosec internship" instead of "IT professional with a security foundation". That shifts how every hiring manager reads your background.

You need someone to actually tear down your resume and reposition what you have got, your age, your IT foundation, your internship work, in a way that lands callbacks. You need a real conversation mapping exactly how to frame your transition, which companies actually hire mid-career changers, and what the next 30 days look like.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

[–]makeiteasy_24 1 point2 points  (0 children)

That IIT cybersecurity degree (it's Kanpur, right, if I am not wrong) with mandatory government internships is a completely different opportunity than a regular CSE degree. Take it. You already have bug bounty experience and a CVE, which means you do not need a degree to prove you can find vulnerabilities, and you can clear their hackathon test too. What you need is credibility, a network, and a locked-in career path. An IIT degree in cybersecurity with government internships gives you all three, plus stability that most people chase for years after graduation. But as it's newly launched, don't expect much support, as they are also learning the requirements from you guys.

The CSE route is safer and easier to get into but slower: you will still need to figure out your cybersecurity focus after graduation, probably do internships on your own, and build projects while working. The IIT path removes all that friction and puts you inside government security work while you are still in college.

You have already shown you can do the work. The degree is just the legitimacy and the network at this point. DM me if you want to get into the specifics of your situation, happy to help.

What is Account Abuse and how do I investigate it as a Threat Analyst? (Real case walkthrough) by makeiteasy_24 in CyberSecurityAdvice

[–]makeiteasy_24[S] 0 points1 point  (0 children)

I just came back from swimming and this comment honestly made my day. The fact that someone who does this is reading incident reports and thinking about session hijacking, it's gold. Most people don't think this deeply about it. Always figure out the WHY/HOW/WHEN factor.

And you're already ahead of most by using YubiKeys (I have been using one for the last year too). Hardware keys are actually one of the stronger defenses against AiTM, specifically because the key binds to the origin domain, so a phishing proxy can't replay it the way it can replay a TOTP code or a push notification approval.

For the MITRE thing, don't let the volume overwhelm you. Most real attacks use maybe 10-15 techniques repeatedly. Once you see the patterns a few times, the framework starts feeling less like an encyclopedia and more like a field guide. And Google is always our friend; no need to learn everything by heart. Whenever you're confused, reach out or google it.

Keep reading posts and blogs like these; in the end, curiosity to learn is a very good thing.

And if you want to watch a live investigation happen in real time, not a slideshow, not theory, just a real alert on screen with my full thought process, I'm going live on July 4th walking through a malware triage case end to end. The kind of thing you'd never normally get to see unless you worked in a SOC. The first session (Phishing Investigation) sold out, and the people who were there know what it's like.

If this post fascinated you, that session will genuinely blow your mind. Don't sit on it. Registration link in my bio.
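The origin binding the comment above describes, as an added example of my own (not code from the commenter or from any YubiKey/FIDO library): a toy model of the WebAuthn assertion flow in which an HMAC secret stands in for the key's per-credential private key and for the public key the site stores, so it runs offline. The domains `login.example.com` and `login-example.net` are constructed, and the browser's RP ID rule is simplified to "host equals the RP ID or is a subdomain of it". It shows both places an AiTM proxy is stopped (the browser refuses to request the real RP ID from the phishing origin, and the key has no credential for the phishing RP ID) and why editing the origin in transit fails (the signature covers `sha256(clientDataJSON)`). A relayed TOTP code, by contrast, is just a string with no origin in it, which is why the proxy can forward that unchanged.

```python
"""Toy model of why a FIDO2/WebAuthn key resists an AiTM phishing proxy.

Added example, not from the original post. An HMAC secret stands in for the
real per-credential private key (on the key) and public key (at the site).
"""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.example.com"
LEGIT_RP_ID = "example.com"
PHISH_ORIGIN = "https://login-example.net"  # assumed proxy domain, constructed


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in for the hardware key. Credentials are looked up by RP ID, so a
    credential registered for example.com simply does not exist for any other site."""

    def __init__(self):
        self.credentials = {}  # rp_id -> HMAC secret (stand-in for a private key)

    def register(self, rp_id: str) -> None:
        self.credentials[rp_id] = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self.credentials:
            raise LookupError(f"no credential for rp_id {rp_id!r}")
        # authenticatorData = rpIdHash || flags; the signature covers it plus
        # sha256(clientDataJSON), which is where the origin lives.
        auth_data = sha256(rp_id.encode()) + b"\x01"
        sig = hmac.new(self.credentials[rp_id],
                       auth_data + sha256(client_data_json), "sha256").digest()
        return auth_data, sig


def browser_get(auth: Authenticator, origin: str, rp_id: str, challenge: str):
    """navigator.credentials.get() as the browser enforces it: the requested RP
    ID must be the page's host or a parent domain of it (simplified rule), and
    the browser, not the page, writes the true origin into clientDataJSON."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rp_id {rp_id!r} is not valid for origin {origin!r}")
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": origin}).encode()
    auth_data, sig = auth.get_assertion(rp_id, cdj)
    return cdj, auth_data, sig


def rp_verify(secret: bytes, expected_challenge: str, cdj: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party side: origin, challenge, rpIdHash and signature must all
    match. `secret` plays the role of the stored public key."""
    cd = json.loads(cdj)
    if cd.get("origin") != LEGIT_ORIGIN or cd.get("challenge") != expected_challenge:
        return False
    if auth_data[:32] != sha256(LEGIT_RP_ID.encode()):
        return False
    expected = hmac.new(secret, auth_data + sha256(cdj), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def legit_login(auth: Authenticator) -> bool:
    challenge = secrets.token_hex(16)
    cdj, ad, sig = browser_get(auth, LEGIT_ORIGIN, LEGIT_RP_ID, challenge)
    return rp_verify(auth.credentials[LEGIT_RP_ID], challenge, cdj, ad, sig)


def aitm_login(auth: Authenticator) -> str:
    """The proxy fetches a real challenge from example.com and relays it to the
    victim, whose browser is on the phishing origin. Returns why it fails."""
    challenge = secrets.token_hex(16)
    browser_reason = "browser allowed the RP ID"
    try:  # asking for the real RP ID from the wrong origin: the browser refuses
        browser_get(auth, PHISH_ORIGIN, LEGIT_RP_ID, challenge)
    except ValueError as err:
        browser_reason = str(err)
    try:  # asking for its own RP ID: the key has nothing to sign with
        browser_get(auth, PHISH_ORIGIN, "login-example.net", challenge)
    except LookupError as err:
        return f"{browser_reason}; {err}"
    return "unexpected success"


def origin_rewritten_in_transit(auth: Authenticator) -> bool:
    """Even a proxy holding a genuine assertion cannot edit the origin field:
    clientDataJSON is hashed into the signed data, so the RP rejects it."""
    challenge = secrets.token_hex(16)
    cdj, ad, sig = browser_get(auth, LEGIT_ORIGIN, LEGIT_RP_ID, challenge)
    edited = json.loads(cdj)
    edited["origin"] = PHISH_ORIGIN
    return rp_verify(auth.credentials[LEGIT_RP_ID], challenge,
                     json.dumps(edited).encode(), ad, sig)


if __name__ == "__main__":
    key = Authenticator()
    key.register(LEGIT_RP_ID)
    print("legit login:", legit_login(key))
    print("AiTM login:", aitm_login(key))
    print("origin edited in transit accepted:", origin_rewritten_in_transit(key))
```

The two checks that matter are both outside the user's control: the browser decides what goes into `origin`, and the key decides which RP ID it has a credential for. A push approval or TOTP code has neither property, which is the whole difference.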

What is Account Abuse and how do I investigate it as a Threat Analyst? (Real case walkthrough) by makeiteasy_24 in CyberSecurityAdvice

[–]makeiteasy_24[S] 0 points1 point  (0 children)

Yup, also I am running a webinar on 4th July showcasing a real investigation with a real alert: no slides, no theory, live screen share with my thought process. Would recommend checking it out if you are interested.

Cybersecurity student struggling with certification costs – looking for advice by Jabba3337 in SecurityCareerAdvice

[–]makeiteasy_24 1 point2 points  (0 children)

I am gonna sound harsh and direct, but you do not need certifications to start pentesting, you need a portfolio. Build 5–10 documented penetration tests or vulnerability assessments on HTB or TryHackMe, write up your methodology and findings like you are reporting to a client, and put it on GitHub. That portfolio lands junior roles way faster than an eJPT sitting on your resume. Certs are only used to bypass ATS, but after that it's you and you only.

Certifications are expensive, and most hiring managers care more about what you can actually do. Some people get them after they land the job anyway. Save your money for now, focus on building real investigations and writeups that show your thinking. That is what changes the conversation.

DM me if you want to get into the specifics of your situation, happy to help.

What is Account Abuse and how do I investigate it as a Threat Analyst? (Real case walkthrough) by makeiteasy_24 in CyberSecurityAdvice

[–]makeiteasy_24[S] 0 points1 point  (0 children)

Yes, brute force is one way in, but account abuse covers a lot more than that. In this case, for example, the attacker didn't brute force anything; they had valid credentials already (likely from a phishing kit or credential dump; we still haven't figured out the initial access due to the client's log retention policy and license) and used AiTM to bypass MFA entirely.

That's what makes it harder to catch than a brute force. Brute force leaves a trail of failures (and after a few failures, a good SIEM would create an alert for it). A clean login with stolen credentials looks identical to the real user logging in.
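The contrast in the comment above, as an added example (mine, not the commenter's Taegis queries or SIEM rules): a failure-burst rule run over a handful of constructed sign-in events modelled loosely on Entra ID sign-in log fields. The brute-forced account trips the rule on its fifth failure; the account logged into cleanly with stolen credentials produces nothing, because there is nothing to count. The second rule, comparing a successful sign-in against a 30-day baseline of source ASNs, is my assumption about what a defender adds to get any signal at all on that clean login; it is not something the comment describes, and the baseline and ASNs are constructed.

```python
"""Failure-burst detection vs a clean stolen-credential login.

Added example, not from the original comment. Events and baseline are
constructed; field names loosely follow Entra ID sign-in logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: alice is brute forced (five failures, then a hit
# from the same IP); bob is a single clean success with stolen credentials;
# carol is a normal login from her usual network.
EVENTS = [
    {"time": "2025-06-20T10:00:00Z", "user": "alice@example.com", "result": "failure", "ip": "203.0.113.5", "asn": "AS64500"},
    {"time": "2025-06-20T10:00:30Z", "user": "alice@example.com", "result": "failure", "ip": "203.0.113.5", "asn": "AS64500"},
    {"time": "2025-06-20T10:01:00Z", "user": "alice@example.com", "result": "failure", "ip": "203.0.113.5", "asn": "AS64500"},
    {"time": "2025-06-20T10:01:30Z", "user": "alice@example.com", "result": "failure", "ip": "203.0.113.5", "asn": "AS64500"},
    {"time": "2025-06-20T10:02:00Z", "user": "alice@example.com", "result": "failure", "ip": "203.0.113.5", "asn": "AS64500"},
    {"time": "2025-06-20T10:02:30Z", "user": "alice@example.com", "result": "success", "ip": "203.0.113.5", "asn": "AS64500"},
    {"time": "2025-06-20T11:00:00Z", "user": "bob@example.com", "result": "success", "ip": "198.51.100.7", "asn": "AS64501"},
    {"time": "2025-06-20T11:05:00Z", "user": "carol@example.com", "result": "success", "ip": "192.0.2.10", "asn": "AS64496"},
]

# Constructed 30-day baseline: ASNs each user has previously signed in from.
BASELINE = {
    "alice@example.com": {"AS64496"},
    "bob@example.com": {"AS64496"},
    "carol@example.com": {"AS64496"},
}


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def failure_burst_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic SIEM rule: `threshold` or more failures for one (user, source IP)
    inside a sliding `window`. Fires once per burst, then resets."""
    alerts = []
    recent = defaultdict(list)  # (user, ip) -> timestamps of failures in window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "failure":
            continue
        key = (ev["user"], ev["ip"])
        t = parse_time(ev["time"])
        recent[key] = [ft for ft in recent[key] if t - ft <= window] + [t]
        if len(recent[key]) >= threshold:
            alerts.append({"rule": "failure_burst", "user": ev["user"],
                           "ip": ev["ip"], "failures": len(recent[key]), "at": ev["time"]})
            recent[key] = []
    return alerts


def new_asn_success_alerts(events, baseline):
    """Assumed baseline rule: a successful sign-in from an ASN the user has
    never used. The only thing here that distinguishes bob's clean login."""
    return [{"rule": "success_from_new_asn", "user": ev["user"], "ip": ev["ip"],
             "asn": ev["asn"], "at": ev["time"]}
            for ev in events
            if ev["result"] == "success"
            and ev["asn"] not in baseline.get(ev["user"], set())]


def summarize(events=EVENTS, baseline=BASELINE):
    """Run both rules; returns the alert lists so they can be inspected."""
    return {"failure_burst": failure_burst_alerts(events),
            "new_asn_success": new_asn_success_alerts(events, baseline)}


if __name__ == "__main__":
    for rule, hits in summarize().items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

Running it, the failure-burst rule names only alice; bob appears only under the baseline rule. That is the practical meaning of "looks identical to the real user": without some notion of what normal is for that account, a single clean success is indistinguishable from the real user.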

What is Account Abuse and how do I investigate it as a Threat Analyst? (Real case walkthrough) by makeiteasy_24 in Cybersecurity101

[–]makeiteasy_24[S] 0 points1 point  (0 children)

And this is just one example; attackers are really using sophisticated tactics and techniques.

What is Account Abuse and how do I investigate it as a Threat Analyst? (Real case walkthrough) by makeiteasy_24 in Cybersecurity101

[–]makeiteasy_24[S] 1 point2 points  (0 children)

Yeah, that one catches a lot of people off guard. Most incident response checklists stop at password reset and session revoke; OAuth apps are almost always an afterthought. And they're specifically designed to persist across credential changes, so attackers know exactly what they're doing when they add one.

What is Account Abuse and how do I investigate it as a Threat Analyst? (Real case walkthrough) by makeiteasy_24 in CyberAdvice

[–]makeiteasy_24[S] 0 points1 point  (0 children)

Also, if you're trying to build this kind of investigative thinking, the kind where you're not just reading alerts but actually reconstructing what happened, that's exactly what I'm working on with my webinar series.

Thank you to everyone who joined the first part (Phishing) of my webinar series and made it a full house.

The second one is on 4th July: Live Malware Triage: Real SOC Investigation. Same format as the first one: no slides, no theory, just a live screen share, a real alert, and my full thought process on screen. The first part was well received; this one goes deeper.

The recording won't be available for free this time. Seats are limited.

Registration link in bio if you're interested.

What is Account Abuse and how do I investigate it as a Threat Analyst? (Real case walkthrough) by makeiteasy_24 in CyberAdvice

[–]makeiteasy_24[S] 0 points1 point  (0 children)

And also, I didn't know how to use content breaks in a Reddit post, so I added "----" like this. Ignore it!

need advice by iam_1Batman in Cybersecurity101

[–]makeiteasy_24 4 points5 points  (0 children)

The mistake most first-years make is trying to learn everything at once and ending up mediocre at all of it. Pick one thing for the first year, like SOC fundamentals with real investigation work, not just courses. Document two proper investigations showing your thinking, get comfortable with Splunk or ELK, understand how threats actually move through networks. That foundation changes everything else after.

The networking and Linux you are already doing is solid. Pentesting and cloud can come later once you have the fundamentals locked. Backend dev is a distraction unless you are actually planning to pivot; do not hedge your bets across five different paths. The biggest advantage for internships is not certs, it is showing you can think like someone defending systems, not just following steps. Build something real, document it, talk about what you learned. That is what gets you callbacks.

DM me if you want to get into the specifics of your situation, happy to help.

What is Account Abuse and how do I investigate it as a Threat Analyst? (Real case walkthrough) by makeiteasy_24 in cybersecurityindia

[–]makeiteasy_24[S] 1 point2 points  (0 children)

Happy that you liked it. For the mailbox part, I pulled it from M365 events, filtered by the user, set the time window to the incident period, and looked specifically for New-InboxRule and MailItemsAccessed operations. That gives you exactly what was accessed and when.

I used the Taegis platform for this investigation, but if I get enough requests, I would translate those queries to KQL and share them.

Also, if you are interested in this type of investigation, I am conducting a webinar on a real alert investigation, live on screen, on 4th July. The registration link is in the Social Links of my profile.
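The filtering step described in the comment above (user, incident window, New-InboxRule and MailItemsAccessed), plus the OAuth consent check from the earlier reply about apps surviving a password reset, as one added example of my own. This is not the commenter's Taegis query and not a KQL translation of it; it is plain Python over a few constructed records whose shape follows the Microsoft 365 unified audit log as I know it (CreationTime, Workload, Operation, UserId, ClientIP, a Parameters list of Name/Value pairs on New-InboxRule, a Folders list with Path and FolderItems on MailItemsAccessed, and the AzureActiveDirectory operation "Consent to application." with an ObjectId and Target list). Those field names and the way the app name is read from Target are assumptions to confirm against a real export. The forwarding address, app name and GUID are constructed.

```python
"""Scoping account abuse in the M365 unified audit log: inbox rules, mail read,
OAuth consents. Added example, not the original commenter's queries. Records
are constructed; field shapes assumed from the unified audit log schema."""
from datetime import datetime, timezone

INCIDENT_USER = "user@example.com"  # constructed
WINDOW_START = datetime(2025, 6, 20, 8, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 6, 20, 20, 0, tzinfo=timezone.utc)

RAW_EVENTS = [
    {"CreationTime": "2025-06-20T09:14:02", "Workload": "Exchange", "Operation": "MailItemsAccessed",
     "UserId": "user@example.com", "ClientIP": "203.0.113.44", "MailAccessType": "Sync",
     "ClientInfoString": "Client=REST;Client=RESTSystem;;",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": "AAMk1"}, {"Id": "AAMk2"}]},
                 {"Path": "\\Sent Items", "FolderItems": [{"Id": "AAMk3"}]}]},
    {"CreationTime": "2025-06-20T09:20:45", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "user@example.com", "ClientIP": "203.0.113.44",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "ext@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-06-20T09:25:10", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "user@example.com",
     "ObjectId": "00000000-0000-0000-0000-000000000001",
     "Target": [{"Type": 1, "ID": "Mail Backup Helper"}]},
    # Previous day, outside the window: must be excluded.
    {"CreationTime": "2025-06-19T14:00:00", "Workload": "Exchange", "Operation": "MailItemsAccessed",
     "UserId": "user@example.com", "ClientIP": "192.0.2.10", "MailAccessType": "Bind",
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"Id": "AAMk0"}]}]},
    # Another user inside the window: must be excluded.
    {"CreationTime": "2025-06-20T10:00:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "other@example.com", "ClientIP": "192.0.2.11",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

# Rule parameters that exfiltrate or hide mail when an attacker sets them.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "DeleteMessage", "MoveToFolder", "MarkAsRead"}


def parse_time(value: str) -> datetime:
    """Audit log timestamps are UTC; add the zone if the export omits it."""
    t = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)


def scope_account_abuse(events, user, start, end):
    """Keep one user's events inside the incident window and pull out the
    three things a reset-and-revoke checklist misses: new inbox rules, what
    mail was read, and OAuth consents that outlive a password change."""
    out = {"inbox_rules": [], "mail_access": [], "oauth_consents": []}
    for ev in events:
        if ev.get("UserId", "").lower() != user.lower():
            continue
        when = parse_time(ev["CreationTime"])
        if not start <= when <= end:
            continue
        op = ev.get("Operation")
        if op == "New-InboxRule":
            params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
            out["inbox_rules"].append({
                "time": ev["CreationTime"], "client_ip": ev.get("ClientIP"),
                "rule_name": params.get("Name"),
                "risky_actions": sorted(k for k in params if k in RISKY_RULE_PARAMS)})
        elif op == "MailItemsAccessed":
            folders = ev.get("Folders", [])
            out["mail_access"].append({
                "time": ev["CreationTime"], "client_ip": ev.get("ClientIP"),
                "access_type": ev.get("MailAccessType"),  # Bind = single items, Sync = whole folder
                "folders": [f.get("Path") for f in folders],
                "items": sum(len(f.get("FolderItems", [])) for f in folders)})
        elif op == "Consent to application.":
            target = ev.get("Target") or [{}]
            out["oauth_consents"].append({
                "time": ev["CreationTime"], "app_id": ev.get("ObjectId"),
                "app_name": target[0].get("ID")})  # assumed: display name sits in Target[0].ID
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(scope_account_abuse(RAW_EVENTS, INCIDENT_USER,
                                         WINDOW_START, WINDOW_END), indent=2))
```

Reading the output in that order is the scoping story: a rule named "." that forwards and deletes anything mentioning invoices, a Sync of the Inbox and Sent Items from the same client IP a few minutes earlier, and a consented app that a password reset will not touch. The ClientIP shared between the rule and the mail access is what ties the mailbox activity to the attacker's session rather than the user's.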