# About catandmouse.dev
Security documentation explains *what* controls do, but rarely *why* they exist or *what they're responding to*.
When you read DMARC specs, you learn about "alignment" and "policy enforcement." But you don't immediately understand that DMARC was the industry's answer to envelope spoofing attacks—where attackers used spoofed `From:` headers with malicious `Reply-To:` fields to redirect victim responses to attacker-controlled mail servers.
**catandmouse.dev** documents this adversarial evolution:
> Attack → Industry Response → Attacker Adaptation → Current State
## Why This Matters
Understanding the *chain* of attack and defense gives you intuition that memorizing controls never will.
When you know that DEP was created because attackers were injecting shellcode onto the stack and jumping to it, you understand *why* modern exploitation requires ROP chains. When you know AMSI was Microsoft's response to fileless PowerShell attacks popularized by Empire and PowerSploit, you understand *why* attackers now focus on AMSI bypasses.
This context makes you a better defender. You're not just checking boxes—you're understanding the game.
## For SOC Analysts
Each entry includes:
- **Timeline** — When the technique was at its peak, when it declined, and its current status
- **What Killed It** — The specific defenses that broke the attack chain
- **Detection Guidance** — What to look for in your logs and alerts
- **Successor Techniques** — Where attackers went next
## Contributing
This site is open source and community-driven. If you have deep knowledge of an attack/defense chain, we want your contribution.
**How to contribute:**
1. Fork the repository on [GitLab](https://gitlab.com/offensivetorta/catandmouse)
2. Create a new entry in `src/_entries/` following the format
3. Submit a merge request
Quality matters more than quantity. We'd rather have 50 excellent entries than 500 mediocre ones.
## Who Built This
catandmouse.dev was created by a SOC analyst who got tired of piecing together attack/defense history from scattered blog posts and decade-old PDFs.
The goal is simple: make the "aha" moments happen faster for everyone learning security.