About

I'm Michael Haag, a security professional focused on building tools that help defenders hunt threats, engineer detections, and automate security operations.

Mission

Help defenders simulate, learn, detect, and ultimately—prevent.

We've spent years building detection capabilities. We know what attackers do. We know what artifacts they leave. We know how to find them. Now it's time to take that knowledge and turn it into prevention.

It's time to take back the farm. The adversaries have been living off the land long enough. Our detection engineering expertise should translate into blocking the techniques we've been detecting over and over again.

The Philosophy

01 Simulate

Safely reproduce attack techniques to understand how adversaries operate.

02 Learn

Study the artifacts, behaviors, and indicators that attacks leave behind.

03 Detect

Build detections that catch real attacks with minimal false positives.

04 Prevent

Turn detection knowledge into preventive controls that stop threats before they execute.

Tools I've Built

Open source projects designed to help defenders at every stage of the security lifecycle.

The Future: Prevention

We've detected the same techniques thousands of times. LSASS access. Malicious drivers. LOLBins. Web shells. At some point, detection becomes prevention.

The next frontier is taking everything we've learned about how attackers operate and building controls that stop them before they even start. Not just alerts—actual prevention.

Projects like LOLDrivers, LOLRMM, and Bootloaders.io are already being used for blocklisting. That's the model: detect → understand → prevent.

Principles

01 Open Source First

Knowledge should be shared. The best tools are the ones everyone can use, learn from, and improve.

02 Defender Focused

Every tool I build is designed to make defenders more effective. The goal is always to reduce time to detection—and ultimately, prevention.

03 Practical Over Perfect

Ship things that work. A tool in production beats a perfect concept in development.

04 Community Driven

The security community is stronger together. Collaboration beats competition.

Connect

Always open to connecting with fellow defenders, discussing security tooling, or collaborating on projects.