Published content

On this page you will find several videos, documents and presentations I have created on the topic of security monitoring and incident response over the years. I hope some of them can give be of inspiration to you. Let me know if they are.


The following are recordings of two of the presentations.

PDF Articles

I have written quite a bit over the years. Mostly it has been shorter posts and articles, but I've also written a couple of long-reads. I've put a couple of them them here for your reading pleasure.

Banner image

Dance like a dragonfly
sting like a bear

On tuesday the 26th of August, the Norwegian national CERT, NorCERT issued a press release informing the public about a large notification effort. In cooperation with NVE and PTIL, NorCERT notified around 300 companies about a severe data breach attempt hitting parts of the Norwegian energy sector.

Banner image

See it coming
The four M:s of Digital Espionage

We read about espionage in the papers almost weekly, but can you tell me how your company expects to be hit by cyber espionage? If not, you are in good – or perhaps bad – company. Threat perception is still a challenging area for most, and poor threat perception will render you vulnerable. It's time to change that. It's time to start understanding the attacker. Say hello to «the Four M’s of Espionage».

Banner image

Don't act so surprised
You were always an obvious target

This essay is about our adversaries' target development process, and about how I believe a base rate fallacy on our part makes us blind to important parts of it. We tend to mix up "being prioritized targets" with "being obvious targets", and that’s the topic I want to comment on in this essay. But I want to do that by telling you a story, and our story begins in Russia – but maybe not in the way you expect.

Web Presentations

The following presentations are more or less variations over the same topic, and the topic is tactical incident response. Tactical response will be explained in the presentations, but in once sentence it is response tailord to fighting your adversaries' goal and mission, not primarily their technical foothold – although that of course is an importent part of your containment and eradication execution.

Banner image

FIRST TC Oslo 2015

This presentation provides an overview of the modern CSIRT, aiming to enhance understanding of security monitoring and incident response. It explores the need for a tactical approach to effectively respond to advanced threats, and how covertly uncovering an attacker's tactics within your infrastructure is necessary to develop an appropriate and effective response strategy.

Banner image

FIRST TC Prague 2016

This presentation is an extended version of the «FIRST TC Oslo 2015 presentation».

PDF Presentations

The following presentations are on a slightly more broad variety of topics, but still mostly on the topic of threat intelligence and incident response.