https://standor.io/blog Engineering insights and forensic techniques from the Standor team. en-us Fri, 27 Feb 2026 00:00:00 GMT https://standor.io/blog/entropy-based-anomaly-detection https://standor.io/blog/entropy-based-anomaly-detection Shannon entropy is one of the most powerful — and underused — signals in network forensics. A single byte-frequency distribution can tell you whether a payload is encrypted, compressed, or random with high confidence, no signature required. Mon, 24 Feb 2026 00:00:00 GMT Forensics team@standor.io (Standor Team) https://standor.io/blog/tcp-stream-reconstruction https://standor.io/blog/tcp-stream-reconstruction Reassembling a TCP session from raw packet captures is deceptively complex. Retransmissions, out-of-order delivery, RST storms, and selective acknowledgement all conspire to make naive concatenation wrong. Here is how Standor handles it. Tue, 18 Feb 2026 00:00:00 GMT Engineering team@standor.io (Standor Team) https://standor.io/blog/crdt-collaboration-forensics https://standor.io/blog/crdt-collaboration-forensics When two analysts annotate the same packet simultaneously, what happens? Without conflict resolution, one annotation silently overwrites the other. Standor uses Conflict-free Replicated Data Types to make concurrent edits safe by construction. Wed, 11 Feb 2026 00:00:00 GMT Collaboration team@standor.io (Standor Team) https://standor.io/blog/tls-fingerprinting-without-decryption https://standor.io/blog/tls-fingerprinting-without-decryption You do not need to break encryption to fingerprint a TLS client. The ClientHello handshake message contains enough information to uniquely identify most TLS stacks — and by extension, the malware or software generating the traffic. Mon, 03 Feb 2026 00:00:00 GMT Security team@standor.io (Standor Team)