Long-form on ARP, detection, and the parts vendors don't talk about.
ARP spoofing is one of the oldest layer-2 attacks and one of the most under-defended. These pieces explain how it actually works, why most detection silently fails in production, and what ARP Guardian does differently.
What is ARP spoofing, really?
From the wire format to the man-in-the-middle. The 28-byte packet that's been pwning networks since 1982 — and what makes it so persistent.
Why most ARP-spoofing detection silently fails.
Three real failure modes: the switched-fabric blind spot, broadcast-only rules, and the unverified-baseline trap.
Distributed sensors vs. SPAN ports.
The two ways to give a sensor enough traffic to actually detect attacks. Trade-offs, costs, and the hybrid model.
Reversible mitigation, explained.
L0 alert, L1 corrective ARP, L2 NAC quarantine. Why every action has a TTL and a one-click revert.
Three tiers of detection.
Deterministic baseline (Tier 1), bind-flip + signature rules (Tier 2), entropy/storm anomaly (Tier 3). How each tier earns its own evidence.
Incident lifecycle — from detection to post-mortem.
Triage, assign, mitigate, close, reopen. SLA. Audit trail. Forensics bundle. What the SOC actually does after a CRITICAL fires.