Skip to content
cyberknight / 91
ES
Available for new engagements

Mario Martín.

Cybersecurity consultant specialised in offensive simulation and detection engineering — the purple side of the room.

Defence is only real once a real attack validates it.

Get in touch Explore projects
5+
years in security
15
public repos
14
certifications
cyberknight91 ~ profile
v0.1.0 · deployed on cloudflare online
Featured work · 04 / 7

Where offence meets detection.

Each lab ships both the attack and the detection that catches it. No isolated demos — the full chain, end-to-end.

./projects/ purple-lab flagship

Adversary simulation paired with detection engineering.

Every MITRE ATT&CK technique (T1059, T1566, T1548…) ships with the Sigma rule that catches it, the expected SIEM events and a 72-hour false-positive baseline.

40+
Techniques
60+
Sigma rules
atomic-red-teamsigmamitre-att&ckwazuh
github.com/cyberknight91/purple-lab cd ./purple-lab ↵
./projects/ ad-attack-detection

Active Directory attacks and the detections that catch them.

Kerberoasting, AS-REP Roasting, Pass-the-Hash and DCSync executed end-to-end in a lab AD. Every step ships with Sigma + Elastic EQL detections and a hardening playbook.

active-directoryimpacketrubeuselastic
github.com/cyberknight91/ad-attack-detection cd ./ad-attack-detection ↵
./projects/ siem-homelab

Dockerised SOC. One docker compose up and you have a working detection stack.

Wazuh 4.8 + OpenSearch + Suricata + Filebeat — the full ingestion, parsing and dashboard chain ready to spin up a SOC in minutes.

dockerwazuhopensearchsuricata
github.com/cyberknight91/siem-homelab cd ./siem-homelab ↵
./projects/ detection-engineering

Sigma and YARA rule library built for production, not demos.

Full MITRE ATT&CK mapping, test cases, real false-positive notes and baselines tuned on office traffic.

sigmayaramitre-att&ck
github.com/cyberknight91/detection-engineering cd ./detection-engineering ↵
See all projects
Philosophy

Detection without simulation is theatre.

Simulation without detection is posing. Every offensive test in my labs ships with its blue counterpart: the Sigma rule, the hunting query, the runbook. Or it does not ship.

That overlap — the purple side of the room — is where the best work happens. Where the attack teaches you to defend, and the defence forces you to attack better.

detection-engineering ~ T1003.001.yml
Stack · 6 areas

Tools I work with every day.

No decorative badges: only what I actually use in production and the lab.

01 · Offensive
12 tools
Web Pentesting · OWASP Top 10 · SQLi / XSS / CSRF · LFI · RFI · SSTI · IDOR
02 · SOC & detection
10 tools
Wazuh · TheHive · Cortex · MISP · Elastic Security
03 · Network & systems
8 tools
Fortinet · Sophos (Silver Partner) · VLAN segmentation · SSL VPN · IPsec
04 · Cloud & infrastructure
6 tools
AWS (EC2, CLI) · Azure · Cloudflare Pages · Workers · Docker
05 · Scripting & code
7 tools
Python 3 · Bash · PowerShell · n8n
06 · Compliance
6 tools
ISO/IEC 27001:2022 · NIS2 · ENS · NIST CSF
$ contact

Got an infrastructure that needs defending or attacking with care?

Audits, adversary simulation, detection engineering, and NIS2 / ENS consulting for companies that take security seriously.

mariomf.0891@proton.me More ways to reach me