Public work.
Every repository follows the same rule: if I publish the attack, I publish the detection. No labs without a blue-team counterpart.
Active Directory attacks and the detections that catch them.
Kerberoasting, AS-REP Roasting, Pass-the-Hash and DCSync executed end-to-end in a lab AD. Every step ships with Sigma + Elastic EQL detections and a hardening playbook.
Dockerised SOC. One docker compose up and you have a working detection stack.
Wazuh 4.8 + OpenSearch + Suricata + Filebeat — the full ingestion, parsing and dashboard chain ready to spin up a SOC in minutes.
Sigma and YARA rule library built for production, not demos.
Full MITRE ATT&CK mapping, test cases, real false-positive notes and baselines tuned on office traffic.
HTB and TryHackMe through a purple-team lens.
Every writeup ships with the exploit chain (CVE-2007-2447, MS17-010…) and the detection you would deploy in a real SOC.
Unified passive reconnaissance in a single Python tool.
Subdomains, exposure surface and technology fingerprinting. JSON output ready to feed reporting pipelines.
Automated technical report pipeline in LaTeX.
JSON input → delivery-ready PDF output, with corporate identity and professional layout. Built for audit reports at scale.