GEMXIT • Microsoft Security • Agent Foskett
Who is Agent Foskett?
Agent Foskett is GEMXIT’s cyber security briefing persona, created to translate real-world Microsoft security signals into practical lessons that organisations can understand and act on. The briefings focus on Microsoft Defender, Microsoft Sentinel, Entra ID, Azure security, KQL threat hunting, email spoofing, DMARC, MFA, Conditional Access and emerging AI governance risks.
The short answer
Agent Foskett is the practical security voice of GEMXIT — focused on explaining what security tools show, what people often miss, and how organisations can improve visibility before small gaps become serious incidents.
Real Microsoft security investigations
Practical KQL threat hunting lessons
Defender, Sentinel, Entra ID and Azure
Agent Foskett is where security data becomes a story
Security tools collect the signals. Agent Foskett explains what those signals mean in the real world.
Most organisations already have powerful security platforms in place. Microsoft Defender is collecting email, endpoint and cloud signals. Microsoft Sentinel may be receiving logs. Entra ID is recording sign-ins, MFA prompts, Conditional Access decisions and identity risk. Azure is producing activity, configuration and exposure data.
But the real question is not whether the tools exist.
The real question is: does anyone understand what the data is saying?
That is why Agent Foskett exists. The briefings take technical signals — such as DMARC failures, suspicious sign-ins, unexpected URL clicks, after-hours downloads, exposed cloud services or unusual PowerShell activity — and turn them into clear investigation lessons.
But the real question is not whether the tools exist.
The real question is: does anyone understand what the data is saying?
That is why Agent Foskett exists. The briefings take technical signals — such as DMARC failures, suspicious sign-ins, unexpected URL clicks, after-hours downloads, exposed cloud services or unusual PowerShell activity — and turn them into clear investigation lessons.
Lesson: security is not just configuration — it is interpretation.
What Agent Foskett focuses on
The briefings sit at the intersection of Microsoft security, real-world investigation and practical business risk.
Microsoft Defender investigations
EmailEvents, URLClickEvents, DeviceProcessEvents, authentication outcomes, spoofing signals and suspicious endpoint behaviour.
KQL threat hunting
Practical queries that help security teams ask better questions of their data across Defender, Sentinel and Microsoft 365.
Email spoofing and DMARC
Sender mismatch, AuthenticationDetails, SPF, DKIM, DMARC, CompAuth and delivered messages that should not be trusted.
Identity and MFA risk
Entra ID sign-ins, session hijacking, token reuse, Conditional Access exclusions, legacy authentication and account behaviour.
Azure and cloud exposure
Public storage, exposed RDP, failed backups, weak resilience, misconfigured services and cloud assumptions that create risk.
AI governance and new risks
AI agents, broad access, prompt risk, data exposure and why AI tools need identity, governance and monitoring.
Why Agent Foskett matters
Security does not usually fail because one person forgot to buy a tool. It fails because normal business decisions create small gaps over time: one temporary exclusion, one public setting, one transport rule left disabled, one admin account without enough protection, one alert nobody understood.
Agent Foskett briefings are designed to make those quiet risks visible. The aim is not fear. The aim is clarity. When organisations can see the story behind their logs, they can make better decisions, respond faster and build stronger security habits.
Agent Foskett briefings are designed to make those quiet risks visible. The aim is not fear. The aim is clarity. When organisations can see the story behind their logs, they can make better decisions, respond faster and build stronger security habits.
Lesson: the logs often know before the business does — but only if someone asks the right questions.
Visibility before incidents
Practical investigation thinking
Microsoft security context
Better questions from better data
How Agent Foskett connects to GEMXIT
Agent Foskett is part of GEMXIT’s broader mission: Develop IT. Protect IT. GEMXIT.
GEMXIT works across cloud services, cyber security, Microsoft training and software development. The Agent Foskett briefings bring those areas together by showing how systems, users, identity, cloud services and security telemetry interact in the real world.
For organisations using Microsoft 365, Azure, Defender, Sentinel or Entra ID, the briefings provide a practical way to understand security gaps before they become operational or business problems.
GEMXIT works across cloud services, cyber security, Microsoft training and software development. The Agent Foskett briefings bring those areas together by showing how systems, users, identity, cloud services and security telemetry interact in the real world.
For organisations using Microsoft 365, Azure, Defender, Sentinel or Entra ID, the briefings provide a practical way to understand security gaps before they become operational or business problems.
Related Agent Foskett investigations
A few good places to continue if you want practical examples of what Agent Foskett investigates.
Detect DMARC Fail Emails in Microsoft Defender
Find emails where sender authentication failed, then check whether the message was still delivered.
Lesson: DMARC fail does not always mean blocked.
The MFA Was Enabled… But the Attacker Still Got In
A practical look at session hijacking and why successful MFA does not end the investigation.
Lesson: MFA protects authentication, but session behaviour still matters.
The After-Hours Download Nobody Questioned
Files started moving late at night, but everything looked technically allowed.
Lesson: allowed access does not always mean safe behaviour.
GEMXIT PTY LTD GEMXIT UK LTD © GEMXIT 2026