Research Notes
Weekly notes on threat intelligence, LLM security, red teaming, and AI. Published every Sunday. Raw and unfiltered, this is my working log.
SoK Mirror Review, C2PA 2.1 Migration, and Threat Landscape Velocity
Weekly research and development update covering credential-harvesting attack evolution, C2PA 2.1 spec integration for ProvStamp, ThreatWatch deduplication improvements using MinHash LSH, PhishRig template updates, and emerging threat activity from ClearFake, StrelaStealer, and BEAST ransomware.
LLM Phishing A/B Results, Moxel Follow-up, and ThreatWatch Feed Health
The phishing A/B test results are in. LLM-generated templates matched human-crafted ones on click rate and beat them on credential entry. Also: Moxel prefetch numbers and ThreatWatch freshness scoring live.
Moxel 4-GPU Benchmarks and Setting Up the LLM Phishing A/B Test
Proper Moxel benchmarks with prefetching enabled across 4x RTX 3090s. Also the experimental setup for comparing LLM-generated vs human-crafted phishing templates in PhishRig.
EU AI Act Article 50 in Practice: What ProvStamp Needs to Actually Deliver
Five months to August 2, 2026. Getting concrete about what Article 50 requires technically and what ProvStamp needs to be to serve as a compliance layer.
ThreatWatch Feed Audit and the BEC Landscape in Early 2026
Finally did the ThreatWatch feed audit I've been putting off. 18% of sources were returning stale data. Also notes on TA4903 and how BEC actors are adapting their delivery methods.
Indirect Prompt Injection and the RAG Attack Surface
The Greshake paper on indirect prompt injection is from 2023, but it's more relevant now than when it was published. RAG is everywhere and the attack surface is real.
Moxel: Why VRAM Pooling Across Consumer GPUs Is Hard and How We're Approaching It
First real week on Moxel. PCIe bandwidth is the constraint everyone hits. Notes on the architecture approach and where the overhead actually comes from.
Evilginx3, AiTM, and Why MFA Isn't the Last Line of Defence
Set up Evilginx3 this week as part of the PhishRig build. Working through adversary-in-the-middle mechanics properly; it's a cleaner attack than most people realise.
QR Code Phishing: How Quishing Works and Why It's Getting Past Email Filters
Quishing volumes are up and the evasion techniques have matured significantly. Breaking down the mechanics and what this means for PhishRig's simulation capability.
Reading the C2PA Spec: What It Actually Does and Where the Gaps Are
Spent the week in the C2PA v2.2 specification for ProvStamp. Here's what content credentials actually are, what they don't cover, and the design decisions I'm landing on.