diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index db5e601..12a8496 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -206,6 +206,7 @@ WHERE protocol IN (6, 17)
     '500,python3.11,0u,0g,protonvpn',
     '500,python3.11,0u,0g,prowler',
     '500,python3,500u,500g,python3',
+    '500,cilium,500u,123g,cilium',
     '500,python.test,500u,500g,python.test',
     '500,qemu-system-x86_64,0u,0g,qemu-system-x86',
     '500,reporter-ureport,0u,0g,reporter-urepor',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index b28fcc9..ce0b64c 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -191,6 +191,7 @@ WHERE
     '443,6,500,chainctl,chainctl,',
     '443,6,500,chainctl_darwin_arm64,a.out,',
     '443,6,500,chainctl_Darwin_arm64,a.out,',
+    '443,6,500,cilium,,',
     '443,6,500,civo,a.out,',
     '443,6,500,cloud_sql_proxy,a.out,',
     '443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@@ -325,6 +326,7 @@ WHERE
     '80,6,500,webhook.test,a.out,',
     '8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
     '9418,6,500,git,com.apple.git,Software Signing'
+
   )
   AND NOT exception_key LIKE '443,6,500,java,com.oracle.java.%.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)'
   AND NOT exception_key LIKE '27%,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)'
diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
index 27d709f..9b8abd7 100644
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@@ -48,7 +48,7 @@ FROM
 WHERE
   -- On my Linux machine, creating a gzip archive clocks in at 6780210
   bytes_written_rate > 4000000
-  AND age > 60
+  AND age > 180
   AND p0.pid > 2
   AND p0.path NOT IN (
     '/bin/bash',
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
index 2264160..d9ddd53 100644
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
@@ -56,6 +56,7 @@ WHERE
     ',,/Applications/IntelliJ%20IDEA.app/,',
     ',,/Applications/ProtonMail%20Bridge.app/,',
     ',,/Applications/Visual%20Studio%20Code.app/,',
+    'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
     ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
     'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
     'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
diff --git a/detection/evasion/unexpected-tmp-executables-macos.sql b/detection/evasion/unexpected-tmp-executables-macos.sql
index 846b96e..2f4df70 100644
--- a/detection/evasion/unexpected-tmp-executables-macos.sql
+++ b/detection/evasion/unexpected-tmp-executables-macos.sql
@@ -54,6 +54,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
         AND (
           file.path LIKE '%/go-build%'
           OR file.path LIKE '%/bin/%'
+          OR file.path LIKE '/tmp/%ctl'
           OR file.path LIKE '%/CCLBS/%'
           OR file.path LIKE '%/checkout/%'
           OR file.path LIKE '%/ci/%'
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index fae0583..f4137d9 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -83,6 +83,7 @@ WHERE
     '/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
     '/Library/PrivilegedHelperTools',
     '/Library/TeX/texbin',
+    '/usr/local/aws-cli',
     '/nix/store',
     '/nix/var/nix/profiles/default/bin',
     '/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gke-gcloud-auth-plugin',
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 1286157..a9218c4 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -47,8 +47,8 @@ FROM
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
   -- On my Linux machine, tarring up a home directory clocks in at 2,800,000 - 4,986,722
-  bytes_read_rate > 2250000
-  AND age > 60
+  bytes_read_rate > 2500000
+  AND age > 180
   AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
   AND p0.path NOT LIKE '/System/Library/%'
   AND p0.path NOT LIKE '/System/Applications/%'
@@ -65,6 +65,7 @@ WHERE
     'com.apple.NRD.UpdateBrainService',
     'docker',
     'emacs',
+    'electron',
     'firefox',
     'osqueryi',
     'fish',
@@ -87,6 +88,7 @@ WHERE
     'nessusd',
     'melange',
     'nix',
+    'tilt',
     'nix-daemon',
     'nvim',
     'osqueryd',
diff --git a/incident_response/processes.sql b/incident_response/processes.sql
index 1fca213..4a4b7e3 100644
--- a/incident_response/processes.sql
+++ b/incident_response/processes.sql
@@ -1,6 +1,6 @@
 -- Currently running programs, only the columns that are not constantly changing
 --
--- tags: postmortem
+-- tags: postmortem often
 -- platform: posix
 SELECT
   pid,