This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
- The Card That Wasn't a Card: How Windows Authentication Outgrew the Smart Card Metaphor
  Smart cards, virtual smart cards, and Windows authentication 1996-2026: from PC/SC and PIV through the 2014 NTLM-secondary defect to WHfB and FIDO2.
- Who Decided This Token Is Good? A Field Guide to Conditional Access and Entra ID Protection
  A wire-level tour of Microsoft Entra Conditional Access, Identity Protection, and Continuous Access Evaluation, plus the five things they cannot do.
- Agentic Identity on Windows: When the Process Acting on Your Behalf Isn't You
  Every AI agent on Windows in 2026 runs as the logged-on user. The cloud-identity layer has crossed the agent-attribution gap; the OS layer has not. This article maps the FIDO AATWG pillars onto Windows primitives and asks what is missing.
- Certified Pre-Owned: AD CS and Active Directory's Second Trust Root
  AD CS ESC1-ESC16: how Microsoft shipped Certificate Services in 2000, what SpecterOps named in 2021, and why the catalog grows faster than the patches.
- Privileged Identity Management: How a Two-State Role Assignment Retired Standing Admin
  Microsoft Entra PIM did not add eight features. It added one field to the role-assignment object -- and everything else, from activation policies to GDAP, is downstream.
- BitUnlocker: When Microsoft's Recovery Environment Becomes the Master Key
  In July 2025, Microsoft's internal red team chained four CVEs in WinRE to bypass TPM-only BitLocker in under five minutes -- and the structural lesson is older than Windows 11.
- The Registry Adventure: How One Researcher Read 100,000 Lines of Windows Kernel C and Found 50 Bugs
  Between May 2022 and December 2023, Mateusz Jurczyk audited the Windows registry parser and produced 50 CVEs. The methodology is the story.
- Windows Security Boundaries: The Document That Decides What Gets a CVE
  Microsoft maintains a single public document that decides which Windows vulnerability reports receive a CVE, a Patch Tuesday bulletin, and a bounty payout. Here is how to read it.
- KRBTGT: The Account That Owns Active Directory
  Active Directory ships with one cryptographic key whose disclosure forges valid TGTs for every principal -- and why rotating it is necessary but not sufficient.
- Rust in the Windows Kernel: A Field Guide to the 2024-2026 Memory-Safety Refit
  Rust ships in the Windows 11 kernel today. A primary-sourced field guide to what actually shipped from BlueHat IL 2019 through 24H2 in 2026, and what did not.
- Who is allowed to log in where? The KDC-side answer to credential theft in Active Directory
  A 28-year arc from Paul Ashton's pass-the-hash demonstration to the 2026 reference deployment of Tiering, Protected Users, and Authentication Policy Silos.
- Windows Downdate: When the Update Itself Is the Attack
  How Alon Leviev turned Windows Update into a downgrade primitive, rolling fully-patched Windows 11 back to vulnerable VBS components while every signature still verified.