I've been sitting on this for a while, and it's time to talk about it.

Zeus is OffStrike's post-exploitation framework, and it's built around a concept I've been researching called temporal evasion — executing operations during the microsecond windows when the EDR's threads are descheduled by the OS. If Defender isn't running when you act, it can't see what you did.

The idea is simple. EDR processes compete for CPU time like everything else. The OS scheduler preempts them constantly. By consuming CSwitch events via ETW, Zeus maps exactly when Defender's threads are on or off the processor and executes tasks in the gaps. In testing on Windows 11 with Defender fully enabled, we measured an average scheduling gap of 565µs, executed nearly 4 million operations with a 100% success rate, and generated zero alerts. We also threw Meterpreter at it — 1,623 payload attempts, zero detections.

Zeus pairs this scheduler awareness with two other components: an embedded Tiny C Compiler that compiles and runs tools from source strings entirely in memory (no binaries on disk, no MZ headers on the wire), and a compact Seq2Seq model that generates syntactically varied C code from intent tokens so nothing looks the same twice.

The C2 architecture itself had to be rethought. Traditional persistent shells don't work when you're executing in microsecond windows — you can't hold a socket open. Zeus uses a task queue model instead. The agent pulls tasks on check-in, executes them during gaps, and sends results back later. It's less interactive than a traditional shell, but when stealth is the priority, that's the right trade.

The full research paper will be available soon. It covers the methodology, the empirical results, the limitations we hit (AMSI is immune, high-core-count systems narrow the gaps, managed code is a non-starter), and thoughts on how defenders can address the underlying vulnerability.

This isn't a finished product — it's a research framework and a proof of concept. But the core finding holds, and I think it opens up an interesting conversation about what happens when offensive tradecraft starts treating the scheduler as an attack surface.

More to come.

When I look at the people pushing the field forward and a huge chunk of them have never sat for a proctored exam. The researchers dropping zero-days, publishing novel evasion techniques, and building the tools everyone relies on often learned by doing, not by studying for a test. That's not a coincidence. Certifications are structured around known problems with known answers. The most interesting work in security happens in the space where neither exists yet.

That's not a knock on certs. I have plenty of them and they served a purpose — they gave me structure early on, validated skills for employers who needed that checkbox, and forced me into corners of the field I might not have explored otherwise. But there's a ceiling to what you learn when the goal is passing an exam. You study the syllabus, not the rabbit hole. You optimize for the grade, not the question that keeps you up at night.

OffStrike exists because I needed a place to think without a rubric. It's where I get to chase the weird ideas — temporal evasion, ML driven implants, tooling that doesn't fit neatly into any course outline. No learning objectives, no exam at the end, just the work itself. The best research I've done didn't come from preparing for a certification. It came from tinkering with something that didn't make sense until it did.