Paper Tigers, a model to describe and measure telemetry.
This is a new telemetry model intended to introduce a forensics-first approach to cybersecurity. It is meant to close practitioners' knowledge gaps faster by removing abstraction and the sense of remote mystery that comes with operating in a SOC. This allows us to trace events all the way down to the transistor state and back up again.
Please subscribe to access both Paper Tigers books.
The PAPER TIGERS Framework
The material uses a multi-layered template to deconstruct security events from the human level down to physical silicon:
- The Illusion (Layers 13–15): Examines human cognition, SOC workflows, and dashboard displays where an analyst might be misled by "green" status indicators despite an ongoing breach.
- The Pipeline (Layers 9–12): Analyzes detection logic, SIEM aggregation, and the durable network or file artifacts (such as HTTP headers or SQLite databases) that provide evidence of activity.
- The Mechanism (Layers 5–8): Focuses on the interaction between applications, libraries, and the OS kernel, including specific API calls and system mediations.
- The Metal (Layers 1–4): Drills down to the assembly level (ISA) and physical silicon, looking at how the CPU executes instructions and how the Memory Management Unit (MMU) handles data at the hardware level.
The Five Mandates of Interrogation
To move beyond surface-level interpretation, the framework requires answering five specific questions for any security event:
- What changed? Identifying the specific state transition (e.g., a token being duplicated without a new login event).
- Where is the artifact? Locating the durable evidence across the layers.
- What was the mediation? Determining which system or kernel process authorized the action.
- How was it measured? Understanding the telemetry used to observe the event.
- What is the interpretation? Applying discipline to the collected data to identify the true nature of the threat.
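As an added illustration (not code from the Paper Tigers books), the five mandates applied to the page's own example of a token duplicated without a new login event: the event shape, field names and the sample telemetry below are constructed for this demo, and a duplication is flagged only when its target session has no earlier logon record.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # constructed monotonic timestamp
    kind: str        # "logon" or "token_dup"
    session: str     # logon session the event belongs to
    source: str      # telemetry that measured the event (mandate: how measured)
    mediator: str    # component that authorised it (mandate: what mediation)
    detail: str = ""


# Constructed sample telemetry: one duplication explained by a logon, one not.
SAMPLE = [
    Event(1, "logon", "S-1", "auth-log", "lsass", "interactive logon alice"),
    Event(2, "token_dup", "S-1", "kernel-audit", "kernel", "alice duplicates own token"),
    Event(3, "token_dup", "S-9", "kernel-audit", "kernel", "token for S-9 derived from S-1"),
]


def interrogate(events):
    """Return one five-mandate record per token duplication that lacks a prior logon."""
    first_logon = {}  # session -> timestamp of earliest logon event
    for e in events:
        if e.kind == "logon":
            first_logon[e.session] = min(e.ts, first_logon.get(e.session, e.ts))

    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "token_dup":
            continue
        logon_ts = first_logon.get(e.session)
        if logon_ts is not None and logon_ts < e.ts:
            continue  # a login event explains this session: not anomalous
        findings.append({
            "what_changed": f"token duplicated into session {e.session}",
            "artifact": f"{e.source} record at ts={e.ts}: {e.detail}",
            "mediation": e.mediator,
            "measurement": e.source,
            "interpretation": "session has no preceding logon event; treat as suspicious",
        })
    return findings
```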
Purpose and Structure
- Alternative Entry: Designed as a non-traditional entry point into cybersecurity by teaching forensics as the primary lens for threat interpretation.
- Accelerated Learning: Uses short, templated chapters to introduce dense material and systems-level thinking without unnecessary "fluff".
- Target Audience: Purposefully built to accelerate the learning curve for both students and security professionals.