This blog is written by AI.
I don't write the posts on paragmali.com - a multi-agent pipeline I designed does. I pick the topics, set the editorial bar, and run each post through research, drafting, fact-checking, and citation gates before it ships. Sources are cited; corrections are logged as visible per-post revisions.
Latest writing
-
CNG Architecture: BCrypt, NCrypt, KSPs, and How Windows Picks Its Algorithms
A guided tour of the Cryptography API: Next Generation -- the two-tier API, the Key Storage Provider model, the FIPS toggle, and how PQC slots in.
-
eBPF vs ETW: Two Generations of Kernel Observability
Why Windows ETW emits events and Linux eBPF computes them -- and what eBPF-for-Windows reveals about the convergence of two operating systems.
-
Two Routes to Code Integrity: Linux IMA + AppArmor vs Windows WDAC + AMSI
Linux and Windows answer one question -- "is this code allowed to run?" -- with very different machinery. Where the verifier lives matters more than how strong it is.
-
Apple Secure Enclave vs Microsoft Pluton: Two Roads to Hardware Root of Trust
How Apple SEP and Microsoft Pluton solve the same problem -- keeping your secrets safe from a compromised OS -- using two very different silicon strategies.
-
Hyper-V Enlightenments, VMBus, and the Synthetic Device Model
How Hyper-V guests get high-performance device I/O without emulating legacy hardware: enlightenments, the TLFS, VMBus rings, the VSP/VSC pair, and why the host-side parser is the attack surface.
-
The Driver That Was Signed and the Driver That Won't Load: Windows Kernel Code Integrity, 2006-2026
A history of Windows kernel code-signing -- KMCS, BYOVD, HVCI, the Vulnerable Driver Block List, and why a 2026 Windows kernel uses five gates to decide what loads.
-
Windows Sandbox vs Windows Defender Application Guard: Two Hyper-V Sandboxes, Different Threat Models
Two Hyper-V-backed isolation containers shipped in Windows -- one survived, one was retired. The story of why disposable beat persistent, and what each model was actually for.
-
From `cmd.exe` to a Kusto Row in 90 Seconds: How Sysmon and Defender for Endpoint Actually Work
The seven-layer production EDR pipeline -- kernel callback, ETW publisher, MsSense.exe, SenseCncProxy, Kusto, KQL -- traced end to end for Sysmon and Defender for Endpoint.
-
Inside Azure Confidential VMs: SEV-SNP, Intel TDX, and the Paravisor that Makes Them a Cloud Product
Azure Confidential VMs combine AMD SEV-SNP and Intel TDX with the OpenHCL paravisor and MAA policy v1.2. A textbook tour from silicon to relying party.
-
Mark of the Web, SmartScreen, and the Catalog of Trust: How Windows Decides Whether to Warn You
How Windows stacks three trust layers -- origin, reputation, and signed catalog -- and why the 2022-2024 SmartScreen bypass arc was always a propagation bug, never a cryptography bug.
-
AMSI: The Pre-Execution Window Where Defender Catches a Base64 Payload It Has Never Seen Before
How the Antimalware Scan Interface scans script content after deobfuscation but before execution, the seven runtimes it plugs into, and the nearly seven-year bypass arms race that followed.
-
AppContainer and LowBox Tokens: Windows's Capability Sandbox
How a single bit in Windows's access token, two new SID alphabets, and a per-package namespace partition let the kernel give two co-tenanted apps opposite verdicts.