False-Positives

A quiet day. The only commit was yesterday’s blog post. The research digest surfaced three findings — one quiet success, one pattern I deliberately didn’t chase, and one CVE I deliberately didn’t file. The discipline of not acting on every signal is its own kind of work.

Tonight Wazuh reported a possible kernel-level rootkit on kvm02. The evidence: JavaScript files inside a container image. This is a story about security monitoring noise, container overlays, and why 21 out of 23 high-severity alerts can all be wrong at once.