Sometimes great old blog posts are hard to find (especially on Medium), so I decided to do a periodic list blog with my favorite posts over the past quarter.

Here is the next one. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog, and now our Cloud Security Podcast too!

Top 5 most popular posts of all time:


As you recall from “Anton and The Great XDR Debate, Part 1”, there are several conflicting definitions of XDR today. As you also recall, I never really voted for any of the choices in the post.

While some of you dismiss XDR as the work of excessively excitable marketing people (hey … some vendor launched “XDR prevention”, no way, right?), perhaps there is a way to think about it from a different perspective.

What if we don’t look at XDR from either the EDR or the SIEM angle, but look at it from first principles? …


As you are reading our recent paper “Autonomic Security Operations — 10X Transformation of the Security Operations Center”, some of you may think “Hey, marketing inserted that 10X thing in there.”

Well, 10X thinking is, in fact, an ancient tradition here at Google. We think that it is definitely possible to apply “10X thinking” to many areas of security (at the same link, they say that sometimes it is “easier to make something 10 times better than it is to make it 10 percent better”). …


I know you may hate me for this, but I’ve been finally tempted into the Great XDR Debate.

Here, if you want TL;DR, my position on XDR today is “wait and see” (boring, huh?). Unlike some of my esteemed former colleagues, I don’t really have a horse in the race.

First, a very brief bit of history. The origin of the term XDR (Extended Detection and Response) is disputed. Wikipedia (entry, reviewed 8/6/2021) would have us believe that Palo Alto invented the term “in 2018.” Josh Zelonis points out that he in fact invented the term.


I keep coming to the same topic over and over — why are we still bad at detecting threats?

I’ve lamented on this a few times, either touching on general difficulties with detection, its uncertainty or highlighting the fragile detections people write. I also noted the critical role of context in threat detection, which seems to imply that the best detections are written on-site by each team, and not by the vendors in their comfy little labs …

Here, I want to continue the conversation on detection quality. Also, I want to look for some ideas that can help everybody…


It is with much excitement that we announce a new paper about transforming your security operations; it is published under the Office of the CISO at Google Cloud.

This work is focused on our vision as well as our lessons in building effective security operations for the future. We spent a lot of time thinking about what to call the new model. We ultimately settled on the name “Autonomic Security Operations” for the vision (note that the previous contender was “10X SOC”, which one do you like more?)

Now, when we say “autonomic” here, we do not mean “without people”…


Sometimes great old blog posts are hard to find (especially on Medium …), so I decided to do a periodic list blog with my favorite posts of the past quarter or so.

Here is my third. The posts below are ranked by lifetime views. This covers both Anton on Security and my posts from Google Cloud blog, and now our Cloud Security Podcast too!

Top 3 most popular posts of all time:


Now, we all agree that various cloud technologies such as SaaS SIEM help your Security Operations Center (SOC). However, there’s also a need to talk about how traditional SOCs are challenged by the need to monitor cloud computing environments for threats. In this post, I wanted to quickly touch on this very topic and refresh some past analysis of this (and perhaps reminisce on how sad things were in 2012).

Back in my analyst days, I noticed that some traditional organizations tried to include their cloud environments in the scope of their security monitoring at some point in their cloud…


A few days ago we did a very well-attended webinar focused on the modern Security Operations Center (SOC) approach (see “Trend for the Modern SOC” for a replay link). We got a lot of great questions, and just like in the good old times, I am writing a blog where I cover some of the answers.

Q: You mentioned that SOC is first a team: which skills are expected to distinguish the “basic” SOC from the modern SOC?

A: From our presentation, it’s relatively clear that such skills include threat hunting, threat intelligence, data analytics, and others. These are less…


Back in my analyst years, I rather liked the concept of NDR or Network Detection and Response. And, despite having invented the acronym EDR, I was raised on NSM and tcpdump way before that. Hence, even though we may still live in an endpoint security era, the need for network data analysis has not vanished.

As we discussed during this recent webinar, this is not about competing with endpoint or endlessly arguing about what security telemetry is “better.” This is about reminding the security leaders and technologists that network telemetry matters today! …

Anton Chuvakin
