about
postinstall is a personal research log. The name comes from the moment right after a package manager finishes, after the installer reboots your system, after the vendor default configuration is in place and before anyone has started actually using the thing you've built. That hour is where many documented security failures could have been prevented, and it is the hour this site is about.
Every post corresponds to a finding from a lab notebook. A finding is a control, a configuration, or a detection I studied in a VM I can rebuild from scratch, with before-and-after evidence and a validation method I can run again later. If something is not tested, I say so. If a control defeats one attack and not another, I say that too.
Every post leads with a threat model, because the alternative is checklist writing, and checklists without context are how people break unrelated workflows and then roll everything back without learning anything. For each control I study, I name the attack, I map it to MITRE ATT&CK where that fits, and I am explicit about what the control does not defeat.
The scope is Windows, Active Directory, Linux, and Microsoft 365 security, with detection and validation as first-class parts of every hardening question. The audience is working practitioners in SMB and mid-market environments, where the tradeoffs and the tooling look different from the Fortune 500 case studies that dominate the currently available material.
This site and the research behind it are personal. Nothing here represents the views or work of any employer, client, or organization I am affiliated with.