I have a lot of ‘good’ ideas that come to me at random hours, so naturally, when those ideas come to me, I register a domain because I need a place for my billion-dollar startup to live.

These domains proceed to sit there, and rot for years. I’ve decided to open up the domain cupboard, and share my startup domains, that were simply too ahead of their time.

nowground.com

‘Nowground: don’t look back’ — a better, less discriminatory version of the background check that focused on the now. Only problem was I have no idea what that means.

policybit.com

“You…


Enjoy the opening chapter of Pen Test Diaries: Insecurity Culture. Learn more about the Pen Test Diaries series, and how to read on, here: https://mybook.to/shellshocked

Shellshocked: Chapter One

I’d been arriving at the park and ride progressively earlier each day for the past month. It was currently a slither past six o’clock in the morning, and I was able to slip into one of four remaining parking spaces. This was getting ridiculous. They told us we shouldn’t be driving into Seattle, so everyone was taking the bus. But good luck finding a way to get on the bus in the…


Enjoy the opening chapter of Pen Test Diaries: Insecurity Culture. Learn more about the Pen Test Diaries series, and how to read on, here: https://www.pentestdiaries.com/

Pen Test Diaries Cover
Pen Test Diaries Cover

Insecurity Culture: Chapter One

The reward for completing a two-hundred-mile cross country drive with origins at four in the morning, other than my KFC Zinger Tower sandwich, picked up from a service station for breakfast, was a 1980’s style office campus in the middle of absolutely nowhere. …


I was thinking the other day, the majority of the chatter between security professionals and security vendors on the Internet is overly negative. I myself, have been guilty of giving vendors a hard time over the years. In my defense most of the time it’s been in response to overly aggressive sales tactics, or outrageous claims about their products.

Never, for example, should you slide an unsolicited calendar invite my way and expect that to end well.

So, to reverse the negativity and take a moment to reflect on the positives, I decided to come up with a list of…


I’m super excited to reveal the first installment in a new series of short stories, the Blue Team Diaries. As you can probably guess, the focus is on the Blue Team — the team responsible for monitoring and environment for security problems and responding accordingly.

To create these stories, I’ve drawn on my experiences managing Blue Teams for cloud service providers. For the first time, a series I’ve written is set in the United States, rather than the United Kingdom, which is a relief, because it was starting to get very annoying flipping between American and British English.

What’s interesting…


I’ve spent the best part of the last 10 years triaging Bug Bounty reports that are submitted to the various cloud service providers that I’ve been charged with defending. I’ve also submitted a number of Bug Bounty reports over the years.

With these dual perspectives in mind, I wanted to write up a few tips for anyone who’s about to hit send on a bug report. One thing I want to make very clear from the get go — I personally approach every bug bounty report I get as though it’s the real deal and it will need to be…


T’was the night before the breach, when all through the Slack, not a creature was stirring, not even the alerts channel that was yet to be dialed back.

The employee health questionaries were hung by the chimney with care, in hopes that HIPAA would not apply there.

The security team were nestled all snug in their beds, while visions of zero trust networking solutions danced in their heads.

And CEO in her ‘kerchief, and CISO in his cap, had just settled their brains for a long winter’s nap.

When out of the EDR there arose such a clatter, I sprang…


Possibly, the only information security book written largely on a boat.

One of the really neat things about writing books is knowing the story behind how they were written. For example, in early 2019, I was commuting, as so many folk do, via a ferry to Seattle on a daily basis. It’s an interesting commute full of natural beauty, coffee, and questionable-looking breakfast sandwiches. The best thing about that commute, in a giant metal box with poor wireless connectivity, is that for about 2 hours a day, it was just me, my thoughts about security operations, and my laptop. …


Multifactor authentication (MFA), of any kind, has long been deemed essential in the era of both en-masse and cleverly targeted phishing. No surprise then, that the arc of adoption for multifactor authentication has been very much an ‘up and to the right’ affair.

On the surface, it sounds like an extremely happy tale to tell. A risk (phishing and the compromise of a password) was identified, a mitigation (MFA) was proposed and widely adopted, albeit perhaps not quite as quickly as we’d like in some cases, but still — baby steps, and all that.

Sadly, the story doesn’t quite end…


Twas the night before the breach, when all through the cloud, not a creature was stirring, not even those sourced through the crowd.

The policies and procedures were hung by the chimney with care, in hopes that the auditor soon would leave there.

The SecOps team were nestled all snug in their beds, while visions of SIEM solutions danced in their heads.

And CEO in her ‘kerchief, and CISO in her cap, had just settled their brains for a long winter’s nap.

When out on the IDS there arose such a clatter, I sprang from the bed to see what…

Mike Sheward

Information security professional specializing in SecOps, IR and Digital Forensics. Author of the Digital Forensic Diaries, and now, the Pen Test Diaries.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store