I. IDENTITY CONTEXT

Senior Red Team Operator — Adversary Emulation & Detection Validation I build tradecraft to test defenses, not to break systems.

This page is not a biography. It is attribution mapping.

The name attached to research matters because interpretation depends on intent.

The material in this site documents adversary behavior to understand defensive reality — not to operationalize intrusion.

All experiments occur inside controlled lab environments or authorized security assessments.

II. THE SPLIT

OPERATOR: XOCE

STATE: NON-ATTRIBUTABLE

Xoce is the research persona used when analyzing systems as an adversary ecosystem rather than as infrastructure.

The goal is not exploitation. The goal is behavioral indistinguishability.

Most security testing validates vulnerabilities. This research validates assumptions.

Focus areas:

  • hiding inside allowed protocols instead of bypassing them
  • persistence through identity trust instead of privilege escalation
  • communication that resembles normal telemetry
  • defeating monitoring logic instead of controls

Security products rarely fail at blocking malware. They fail at understanding intent.

ENGINEER: JOSÉ MARÍA MICOLI

STATE: ATTRIBUTED

The real-world role translates adversarial research into defensive intelligence.

The work is to answer four operational questions:

  1. What did the attacker actually do
  2. Why was it not detected
  3. Which control assumed safety incorrectly
  4. How a defender would realistically notice it

The output is not a proof-of-compromise. It is a proof-of-blindness.

III. RESEARCH MODEL

Security is treated here as an observational science.

Instead of testing whether a system can be broken, the research tests whether a compromise would look abnormal.

Method:

Recon → Trust Abuse → Persistence → Normalization → Detection Measurement

The objective is always telemetry analysis, never impact.

IV. TOOLING PHILOSOPHY

Tools published in this site are not offensive utilities.

They are instrumentation frameworks designed to reproduce attacker decision making so defenders can observe:

  • missing alerts
  • incorrect correlations
  • invisible lateral movement
  • silent identity abuse

Every project exists to answer a defensive hypothesis.

If a tool can cause damage, it has failed its purpose.

V. REPORTS

The assessment reports included here simulate real enterprise deliverables.

They intentionally avoid challenge-style walkthroughs and instead document:

  • reasoning
  • attacker path selection
  • detection gaps
  • defensive implications

The environment is controlled. The methodology is real.

VI. INTERPRETATION NOTICE

Nothing in this site should be interpreted as intrusion guidance.

The research documents attacker logic, not attack instructions.

Understanding failure modes is required to build reliable defenses. Without realistic adversary modeling, security becomes compliance theater.

VII. TERMINATION

Attribution complete.

Further information about intent and philosophy is described in the manifesto.