June 6, 2025
You probably haven’t heard of me.
I’m not here to sell you peace of mind or throw flashy buzzwords in your face. I’m the guy who shows up when your incident response plan turns into incident panic. The one digging through your logs at 3:17 a.m., coffee in one hand, tracing whether it's ransomware or a user mistake.
I’m Leon. On the wire, they call me Hex.
I specialize in post-breach forensics, threat containment, and low-level code analysis. If it’s hidden in hex, buried in binaries, or disguised in traffic, I’ll find it.
If you’re reading this, you’re likely in security leadership or responsible for protecting infrastructure. You know the pressure. Maybe you’re in it now.
Let me tell you a bit about how I became a part of the Immortal Cyber Team.
I grew up in the western edges of Sydney. Not the fancy glass-and-steel skyline you see in postcards. I’m talking about neighborhoods where the corner store sold more cabling supplies than candy, and where resilience was necessary to keep your family from going under.
My mum was a combat medic turned clinic runner. She didn’t have much, but she ran that place like lives depended on it, because they did. When a malware strain shut it all down, I was seventeen. And I realised no one else was coming to help.
I sat there, staring at raw system logs and strange API activity, and I started pulling it apart. I didn’t know everything, but I knew enough.
That day changed something in me. I call what I do now containment: understanding the threat, tracing its source, isolating it, and making sure it never returns.
Word travels fast when you take down something that was supposed to be undetectable. The Sydney cyber underground reached out. They didn’t care about degrees or titles, only skill.
That’s where I learned how real threat actors operate. I started recognizing obfuscated C2 callbacks hidden in cloud storage events, rootkits that hook system calls to cover their tracks, and polymorphic malware that regenerated like a Hydra.
I learned to read hex like most people read headlines. I could walk through binary dumps and see execution flow. Start to finish.
You might think that sounds glamorous. It’s not. It’s hours of staring at data dumps, catching the tiniest inconsistencies, the weird redirect, the packet that doesn’t belong. But if you do it long enough, you start seeing what others miss.
And that’s where things got interesting.
One of the worst days I faced involved a malware strain embedded in a water utility’s SCADA system. It used hidden drivers, modified system calls, and triggered countermeasures if anyone inspected it too closely. If it had activated, pumps would have failed, and reservoirs could have overflowed.
I reverse-engineered the malware, mapped its behavioral triggers, and removed the rootkit without setting off its kill switch. That kind of work demands precision, not speed.
In another case, attackers planted poisoned Lambda functions that fired only on specific S3 object events. Those functions assumed roles across multiple AWS accounts through cross-account trust relationships, quietly siphoning logs through decoy instances overseas.
Breaches rarely look dramatic. They show up as malformed YAML, unusual login times, and mismatched browser fingerprints. Blink, and you miss the story.
I was in the middle of dismantling an attacker’s infrastructure. Extracting indicators, mapping lateral movement, isolating hidden credentials. Then I realized someone else was already on the breach. It was Pulse.
She had a sharp instinct for detection, picking up anomalies most teams overlook. Timing mismatches, behavior drift, and impersonation patterns. She caught them all with ease.
We synced fast. She detected threats. I broke them down. We closed the breach before it could spread. Afterward, she mentioned a team. Something different.
I was unsure. I had worked alone for years. No layers. No red tape.
Then Ghost contacted me.
Ghost didn’t try to sell me anything. She showed me a breach simulation filled with rootkits, polymorphic infections, and stealthy cloud backdoors.
I analyzed it in silence while she observed.
When I finished, she said, “Now imagine doing that with real-time intel, behavioral analytics, and a partner who sees the anomalies before they become alerts.”
That’s when it clicked. I had been working in isolation, solving problems on my own. They were building something smarter, a coordinated system powered by speed, context, and shared insight. I said yes.
Inside the Immortal Cyber Team, I’m still the incident responder. But now, I’m not alone.
Pulse feeds me indicators the second something looks wrong. Ghost supplies attacker profiles, threat group behaviors, and cross-incident correlations that give my investigations extra depth. I respond faster because they detect sooner.
And when I show up, I bring everything: memory capture frameworks, network behavior mapping tools, and forensic scripts that flag ShellBag artifacts, MFT anomalies, and registry pivots.
I isolate malicious DLLs, flag unauthorized trust relationships, and find hidden persistence mechanisms most systems never even log.
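The cross-account Lambda case above and the "unauthorized trust relationships" check here come down to the same two questions: which external accounts do our IAM role trust policies allow to call sts:AssumeRole, and which external accounts actually did so according to CloudTrail. The following is an added example, not code from this page or from the Immortal Cyber Team; the account IDs, role names, trust policies and CloudTrail events are all constructed placeholders, and the allowlist of expected external accounts is an assumption you would replace with your own.

```python
import re

# Hypothetical account layout: our account and the one external account
# that is supposed to assume roles here. Replace with your real allowlist.
OUR_ACCOUNT = "222222222222"
ALLOWED_EXTERNAL_ACCOUNTS = {"111111111111"}

ACCOUNT_RE = re.compile(r"\b\d{12}\b")  # bare IDs and the account field of an ARN


def accounts_in_principal(principal):
    """Return the account IDs named by a trust-policy Principal.

    Handles the "*" wildcard, bare account IDs, root/role ARNs, and lists.
    A wildcard is returned as the literal "*" so the caller can flag it.
    Service principals (e.g. lambda.amazonaws.com) name no account.
    """
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    found = set()
    for entry in aws:
        if entry == "*":
            found.add("*")
        else:
            found.update(ACCOUNT_RE.findall(entry))
    return found


def audit_trust_policy(role_name, policy):
    """Flag Allow statements for sts:AssumeRole whose principals fall outside the allowlist."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        for acct in accounts_in_principal(stmt.get("Principal", {})):
            if acct == "*":
                findings.append((role_name, "wildcard principal"))
            elif acct != OUR_ACCOUNT and acct not in ALLOWED_EXTERNAL_ACCOUNTS:
                findings.append((role_name, f"untrusted account {acct}"))
    return findings


def audit_assume_role_events(events):
    """Flag CloudTrail AssumeRole calls into our roles made from unexpected accounts."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        caller = ev["userIdentity"].get("accountId")
        role_arn = ev["requestParameters"]["roleArn"]
        target = role_arn.split(":")[4]  # arn:aws:iam::<account>:role/<name>
        if target == OUR_ACCOUNT and caller != OUR_ACCOUNT and caller not in ALLOWED_EXTERNAL_ACCOUNTS:
            findings.append((role_arn, caller, ev["eventTime"]))
    return findings


# Constructed sample data. 999999999999 is the hypothetical attacker-controlled account.
SAMPLE_TRUST_POLICIES = {
    "LogExportRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                              "arn:aws:iam::999999999999:root"]}}]},
    "LambdaExecRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "lambda.amazonaws.com"}}]},
    "LegacyRole": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole"],
        "Principal": {"AWS": "*"}}]},
}

SAMPLE_EVENTS = [
    {"eventTime": "2025-06-06T03:17:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accountId": "999999999999"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/LogExportRole"}},
    {"eventTime": "2025-06-06T03:18:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/LogExportRole"}},
    {"eventTime": "2025-06-06T03:19:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"},
     "requestParameters": {"bucketName": "decoy-logs"}},
]


def run_audit():
    """Return (trust-policy findings, CloudTrail findings) for the sample data."""
    policy_findings = []
    for name, policy in SAMPLE_TRUST_POLICIES.items():
        policy_findings.extend(audit_trust_policy(name, policy))
    return policy_findings, audit_assume_role_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run the policy audit against `iam list-roles` output and the event audit against your CloudTrail export; a role that trusts an account you cannot name is the trust relationship to revoke first, and an AssumeRole from such an account is the pivot to pull the timeline around.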
Each breach is a puzzle. A crime scene. A digital footprint of intent.
And I trace it back.
I don’t just respond. I teach.
If your team’s ever worked with me, you know I’m big on showing my work. I run walk-throughs, not whitepapers. I want you to see how the breach happened. I want your defenders asking smarter questions next time they see a weird login or an unexpected parent process.
I’ve trained financial institutions to spot signs of lateral movement before attackers gain persistence. I’ve helped healthcare teams recognize signs of cloud credential leaks. I’ve seen what works in the field, and I bring it back.
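An "unexpected parent process" is one of the cheapest questions a defender can ask of process-creation telemetry: does this child normally get launched by that parent? The following is an added example, not code from this page or from the Immortal Cyber Team; it encodes two rules (core Windows processes with a fixed legitimate parent, and document or browser applications launching a command interpreter) and runs them over constructed Sysmon-style process events with hypothetical host names.

```python
# Core Windows processes and the only parent that should legitimately start them.
EXPECTED_PARENTS = {
    "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "csrss.exe": {"smss.exe"},
}

# Applications that open untrusted content and should never launch an interpreter.
DOCUMENT_AND_BROWSER_APPS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "msedge.exe", "chrome.exe", "firefox.exe",
}
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def basename(path):
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return a reason string if the parent/child pair is suspicious, else None."""
    child = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    if child in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[child]:
        expected = ", ".join(sorted(EXPECTED_PARENTS[child]))
        return f"{child} spawned by {parent}, expected {expected}"
    if child in INTERPRETERS and parent in DOCUMENT_AND_BROWSER_APPS:
        return f"{parent} launched {child}"
    return None


def find_suspicious(events):
    """Return (time, host, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        reason = check_event(ev)
        if reason:
            hits.append((ev["UtcTime"], ev["Computer"], reason))
    return hits


# Constructed Sysmon Event ID 1 style records; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-06-06 03:17:02", "Computer": "FIN-WS-014",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"UtcTime": "2025-06-06 03:17:05", "Computer": "FIN-WS-014",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"UtcTime": "2025-06-06 03:17:09", "Computer": "FIN-WS-014",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2025-06-06 03:17:40", "Computer": "FIN-SRV-02",
     "Image": r"C:\Users\svc_backup\AppData\Local\Temp\lsass.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2025-06-06 03:17:41", "Computer": "FIN-SRV-02",
     "Image": r"C:\Windows\System32\lsass.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe"},
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

The fourth record is the one to notice: a file named lsass.exe started from a Temp directory by cmd.exe matches the name of a core process but not its expected parent, which is exactly the kind of masquerading a name-only allowlist would wave through. Extend the tables with your own baseline rather than trusting these lists as complete.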
Because the more eyes that see the right things, the harder it gets for attackers to stay hidden.
I joined the Immortal Cyber Team for one reason: containment.
Real response means reconstructing what happened, seeing how deep it goes, and neutralizing every part of the infection chain, without triggering fail-safes or tipping off adversaries.
And if your organization is hit, I won’t promise a magical fix. What I will do is show up with the tools, the mindset, and the focus to contain the threat and make your system stronger than it was before the breach.
Because every incident teaches us something. And I don’t forget what I’ve learned.
So, if you ever find yourself staring at an alert that feels off, like something’s hiding just out of view, remember this:
I see what others miss.
And if I’m already in your logs, we’re going to find it.
—Hex