catandmouse.dev

Documenting the adversarial evolution of cybersecurity.
Attack → Response → Adaptation → Current State

Security documentation explains what controls do, but rarely why they exist or what they're responding to.

When you read DMARC specs, you learn about "alignment" and "policy enforcement." But you don't immediately understand that DMARC was the industry's answer to envelope spoofing attacks—where attackers used spoofed From: headers with malicious Reply-To: fields to redirect victim responses to attacker-controlled mail servers.

catandmouse.dev documents this adversarial evolution:

Attack → Industry Response → Attacker Adaptation → Current State

Why This Matters

Understanding the chain of attack and defense gives you intuition that memorizing controls never will.

When you know that DEP was created because attackers were injecting shellcode onto the stack and jumping to it, you understand why modern exploitation requires ROP chains. When you know AMSI was Microsoft's response to fileless PowerShell attacks popularized by Empire and PowerSploit, you understand why attackers now focus on AMSI bypasses.

This context makes you a better defender. You're not just checking boxes—you're understanding the game.

For SOC Analysts

Each entry includes:

Explore Timeline

Contributing

This site is open source and community-driven. If you have deep knowledge of an attack/defense chain, we want your contribution.

How to contribute:

  1. Fork the repository on GitLab
  2. Create a new entry in src/_entries/ following the format
  3. Submit a merge request

Quality matters more than quantity. We'd rather have 50 excellent entries than 500 mediocre ones.

Who Built This

catandmouse.dev was created by a SOC analyst who got tired of piecing together attack/defense history from scattered blog posts and decade-old PDFs.

The goal is simple: make the "aha" moments happen faster for everyone learning security.