Anwer Gertani

The Cyber Desk

Writing & notes.

Field notes from running a malware reverse engineering team — technical pieces on the work itself, and reflections on leading the people who do it.

  1. May 17, 2026

    Start With Decisions, Not Data

    The right question is not what should I collect. It is what decisions does my security operation make every day — and which twenty are killing my team.

    AI / ML, Security Operations, Strategy
  2. May 10, 2026

    Why AI Security Programmes Fail Before They Start

    The most common AI security failure mode: applying AI to processes that were never defined, documented, or cleaned up. You do not automate chaos. You accelerate it.

    AI / ML, Security Operations, Leadership
  3. May 3, 2026

    Define Your Operations Before You Instrument Them

    SOC, IR, and Threat Intel are not three separate teams. They are one interconnected decision system. Map it as such, or your AI programme will optimise the parts while breaking the whole.

    Security Operations, SOC, Strategy
  4. April 30, 2026

    The AI Arms Race in Cybersecurity: What I'm Seeing from the Inside

    Adversaries adopted AI faster than defenders. After years of reversing the malware behind that shift, here is what the threat landscape actually looks like — and what defending against it requires.

    AI / ML, Threat Intelligence, Security Strategy
  5. April 26, 2026

    AI as Second Opinion: Building the Trust Record

    Do not start with AI making decisions. Start with AI making recommendations alongside the decisions your analysts are already making. Trust is earned by evidence, not declared by procurement.

    AI / ML, Security Operations, Automation
  6. April 21, 2026

    Notes on Byte-Transformer Models for Detecting EDR-Evading Malware

    How we trained an in-memory detection agent on raw bytes — and what surprised us about generalization to unseen packers.

    AI / ML, Malware Analysis, EDR
  7. April 19, 2026

    SOC, IR, and Threat Intel: Three Different Paths to AI Maturity

    SOC automation is already mature in most enterprise environments. Threat Intel AI augmentation is deployable today. IR autonomy is furthest away. Forcing all three to move in lockstep is a mistake.

    SOC, Incident Response, Threat Intelligence
  8. April 12, 2026

    Policy Autonomy: The Right End State (And Why You're Framing It Wrong)

    "AI as decision maker" creates maximum board resistance. "AI executing human-defined policy at machine speed" gets CISO sign-off. The difference in framing is everything. The difference in practice is almost nothing.

    AI / ML, Security Strategy, Leadership
  9. April 5, 2026

    The Policy-Driven Security Operation: What It Looks Like When You've Arrived

    The operations centre becomes a policy centre. Analysts become policy authors. The CISO becomes a policy architect. AI runs the operation. Humans make it better.

    AI / ML, Security Operations, Leadership
  10. February 10, 2026

    Building a Follow-the-Sun Reverse Engineering Team

    What I learned building a global RE team that hands off live malware incidents across three time zones — and the parts I’d do differently.

    Leadership, Incident Response, Threat Intel
  11. November 7, 2025

    What the C-Suite Actually Wants to Hear About Ransomware

    After dozens of executive briefings during active incidents, three things matter — and threat intelligence is usually not one of them.

    Executive Communication, Incident Response, Risk