diff --git a/opsec/cloud_provider_adversary/index.html b/opsec/cloud_provider_adversary/index.html
index 7684730..70caa34 100644
--- a/opsec/cloud_provider_adversary/index.html
+++ b/opsec/cloud_provider_adversary/index.html
@@ -200,8 +200,11 @@ in this post we are going to do a threat modelling exercise:<br><br>
                     <h3>Countermeasures</h3>
                     This attack has the same issue as the previous one and could be deployed during a schedule maintenance at Bob's datacenter even if Alice was using a baremetal. If she were to migrate to such a setup, then ensuring a TPM is present on the motheboard and only signed firmware updates are accepted would be a first step. This wouldn't protect her from a malicious update signed with a legitimate key as some government agency could deploy.
 
-
-
+                    <h2><b>Evil Maid Attack</b></h2>
+                    <h3>Attack</h3>
+                    With physical access to the server, a rogue technician could inject a rootkit into the UEFI to mainain persistance, running their code before the OS loads.
+                    <h3>Countermeasures</h3>
+                    A baremetal server in a physically locked enclosure such as ones used by payment processors in their datacenters would greatly reduce the likelihood of this attack. Again, Alice deems the current sensitivity of her data not sufficient to justify the costs.
 
           
 	       </div>