Security projects

Security tooling, detection labs, and defensive experiments.

Cyber defensive labs, detection scripts, threat-modelling tooling, and exploitation visibility work.

21 projects · Catalog updated June 25, 2026

Incident replay 1

Incident replay

AttackReplay Studio

Demo ready

Visual incident replay dashboard — turns safe sample logs into an attack timeline, attack path view, GeoIP map, and incident summary.

Ingests Linux auth and nginx access logs, builds a chronological timeline, groups events into attack paths per source IP, scores risk, applies MITRE-style tactic labels, and emits JSON + Markdown reports for triage. CLI now; FastAPI + React dashboard scaffolded under apps/ for future work.

Python · CLI · MITRE ATT&CK · +1 more

Code security · Deps 1

Code security · Deps

AutoPatch AI

Demo ready

Dependency vulnerability scanner and upgrade planner — scans package.json, requirements.txt, and Dockerfile base images, flags risky pins, produces PR-preview output.

Audits dependency manifests for known vulnerabilities, unpinned versions, and 'latest' tag usage. Generates a structured upgrade plan with priority/severity/confidence metadata, plus a reviewer-friendly risk report and PR preview ready for handoff.

Python · CLI · Dependency analysis · +1 more

C2 detection 1

C2 detection

Beaconing Traffic Detector

Demo ready

Detects periodic outbound callback (C2 beacon) behavior from timestamped network logs by scoring inter-arrival timing consistency per source/destination pair.

Parses CSV network logs, groups repeated outbound traffic by source/destination/port, scores 'periodicity' of each pattern. High-confidence periodic callbacks — the signature of command-and-control beaconing — are flagged with a risk level and timing-window context. Markdown reports, source-risk JSON, interval profiles, analyst triage handoff.

Python · CLI · Network logs · +1 more

Web headers · Iframe 1

Web headers · Iframe

CSP Guardian

Demo ready

Website security header and iframe policy analyzer — inspects CSP, X-Frame-Options, cookies, CORS, and HSTS to flag clickjacking, XSS, and framing risks.

Fetches a URL's response headers, parses CSP directives, evaluates iframe posture, and produces a risk-scored report with remediation hints. Useful for auditing security headers on production sites, kiosks, signage, and embedded webviews. (Python — see also RustCSPGuardian for the faster CLI variant.)

Python · CLI · CSP · +1 more

IDS · Rule engine 1

IDS · Rule engine

Custom IDS Script

Demo ready

Lightweight rule-based Linux intrusion detection — evaluates YAML rules against auth.log, syslog, and shell history to emit terminal, Markdown, and JSON alerts.

Loads YAML rule files describing detection patterns (failed logins, suspicious commands, new user creation, sudo abuse) and applies them to log lines, producing actionable alerts with timestamps and recommended response actions. Targeted at small Linux servers, kiosks, and lab environments.

Python · CLI · YAML rules · +1 more

Endpoint monitoring 1

Endpoint monitoring

DeviceWatch OS

Demo ready

Security and health monitoring agent for Linux devices, kiosks, signage players, and edge systems — captures CPU, memory, network, processes, and USB telemetry.

Runs locally on a Linux device and captures a security-relevant snapshot: CPU/memory pressure, network connections, running processes, USB device list, and OS metadata. Snapshot is written as JSON for downstream analysis or shipped to a central collector. Built for fleet operators managing unattended Linux devices.

Python · Linux agent · Fleet monitoring · +1 more

Detection engineering 2

Detection engineering

Exploitation Visibility

Demo ready

Detection engineering lab — compares expected attack signals against collected logs to surface visibility gaps and prioritize new detection rules.

Describe expected attack signals in YAML scenarios (e.g. what events should fire when a brute-force or privilege-escalation runs), feed in collected logs, and the tool reports which signals were covered and which are missing. Outputs include a coverage report, gap score per missing signal, and an analyst triage handoff prioritized by impact.

Python · CLI · YAML scenarios · +1 more

Detection engineering

Rule Tuning Lab

Demo ready

Detection tuning lab — measures false-positive rate, precision, and noise grade per detection rule, then suggests tuning improvements based on labeled log samples.

Provide YAML rule definitions plus labeled log samples (noisy + clean), and the tool evaluates each rule's precision, false-positive rate, and noise grade. Suggests concrete tuning improvements (narrower regex, time-window adjustments, suppression filters) prioritized by impact.

Python · CLI · YAML rules · +1 more

Endpoint threat hunting 1

Endpoint threat hunting

GhostWire Sentinel

Demo ready

Endpoint threat hunting agent for Linux devices, kiosks, and edge systems — detects stealth persistence, baseline drift, suspicious outbound behavior, and silent attacker tradecraft.

Captures a security-relevant snapshot of a Linux host (processes, services, cron jobs, SSH keys, outbound connections) and compares it to an approved baseline to detect drift. Runs anomaly, beaconing, and persistence detectors on the live snapshot for immediate alerts. Built for Linux kiosks, signage players, IoT/edge devices, and unattended servers where silent backdoors are the primary threat.

Python · Linux agent · Baseline drift · +1 more

Network anomaly 1

Network anomaly

Network Baseline

Demo ready

Builds a normal traffic baseline from a sample of network logs, then flags unusual source IPs, destination ports, and connection volume spikes in observed traffic.

Takes a 'normal' sample of network connections, learns typical source IPs, destination ports, and per-host volume, then compares against an 'observed' sample to detect anomalies. Outputs severity-scored anomalies, per-source risk tables, and an analyst triage handoff.

Python · CLI · Network logs · +1 more

Email security 1

Email security

PhishGuard AI

Demo ready

Phishing email analyzer — parses .eml files, checks headers, link risk, sender spoofing, and language indicators, then explains findings in plain English.

Ingests a raw email (.eml) and produces a phishing risk assessment. Checks SPF/DKIM/DMARC alignment, sender display-name spoofing, suspicious link patterns, urgency/coercion language cues, and risky attachment indicators. Generates a plain-English explanation suitable for security awareness training and analyst handoff.

Python · CLI · .eml parsing · +1 more

Recon detection 1

Recon detection

Port Scan Lab

Demo ready

Detection lab for identifying Nmap-style port scan and reconnaissance activity from firewall logs.

Parses firewall logs, groups connection attempts by source IP, and detects port scanning patterns: wide port sweeps, mixed-service reconnaissance, and rapid scan windows. Outputs scan findings, per-source risk tables, a Markdown timeline report, and analyst triage handoff.

Python · CLI · Firewall logs · +1 more

AI security 1

AI security

PromptLeak Scanner

Demo ready

Security test runner for AI applications — probes prompt injection, system prompt leakage, role-bypass, and unsafe-response patterns to find weaknesses before attackers do.

Loads an attack prompt library, runs each attack against a configured target (or against a captured response set), and analyzes responses for leaked system prompts, sensitive data, role-bypass behavior, and unsafe outputs. Outputs findings, risk-scored summary, and an engineer-friendly remediation report.

Python · CLI · LLM security · +1 more

Code security 1

Code security

RepoSentinel AI

Demo ready

Repository security reviewer — scans a local clone for secrets, insecure configs, vulnerable dependencies, risky Dockerfiles, and surfaces PR-style fix suggestions.

Audits a local repository for security issues before code review. Detects hard-coded secrets, dangerous configuration patterns, vulnerable dependency pins, insecure Dockerfile practices, and produces a PR-comment-style risk report ready for handoff to a reviewer.

Python · CLI · Secret scanning · +1 more

Network forensics 1

Network forensics

Reverse Shell Study

Demo ready

Safe lab metadata analyzer for suspicious outbound reverse-shell-like network behavior — pcap metadata only, no payloads.

Reads pcap metadata (connection records only, no packet content), analyzes outbound connections to suspicious destinations and ports, and flags interactive-session indicators (low data, long duration, persistent unidirectional flow to a non-standard port). Findings, risk-scored summary, Markdown report, timeline, and analyst triage handoff.

Python · CLI · pcap metadata · +1 more

SOC training 1

SOC training

SOC Simulation Lab

Demo ready

End-to-end SOC workflow simulator — maps attack scenarios to collected logs, runs detections, identifies visibility gaps to practice analyst triage and detection engineering.

Describe attack scenarios in YAML (what an attacker did, what telemetry should appear), feed in collected logs, and the lab runs login / scan / shell detection modules against them. Output is an end-to-end SOC scorecard: which scenarios were detected, which slipped through, and where coverage is weakest.

Python · CLI · YAML scenarios · +1 more

Auth log detection 1

Auth log detection

SSH Brute-Force Detector

Demo ready

Linux auth log detector for repeated SSH failed-login attacks — scores brute-force activity per source IP and emits actionable alerts.

Reads Linux SSH auth logs and detects brute-force patterns: high-volume failed logins, fast attack windows, and successful logins immediately after a string of failures. Markdown reports, JSON summaries, IP timelines, triage handoff for analysts.

Python · CLI · auth.log · +1 more

Signage fleet security 1

Signage fleet security

ScreenWall Security Monitor

Demo ready

Security auditing tool for digital signage and kiosk fleets — audits signage URLs, kiosk configurations, public playlists, CSP, and browser-version risks across unattended screens.

Scans configured signage URLs and kiosk configs to flag insecure URLs, missing security headers, outdated browser versions, and exposed admin interfaces. Targeted at operators of digital signage and kiosk fleets in lobbies, retail, and public spaces. Findings, risk-scored summary, Markdown report, triage handoff.

Python · CLI · Signage · +1 more

Attack surface 1

Attack surface

ShadowSurface

Demo ready

Attack surface monitoring tool — scans domains, subdomains, SSL certificates, open ports, exposed admin paths, and security headers to surface external-facing risk.

Builds an external attack surface picture for a domain you own. Enumerates subdomains, checks SSL certificate validity and expiry, scans known ports, flags exposed admin paths and dev endpoints, and audits security headers. Prioritized risk-scored inventory plus analyst handoff report.

Python · CLI · Subdomain enum · +1 more

Log investigation 1

Log investigation

ThreatLens AI

Demo ready

AI-style log investigation assistant — parses Linux auth, nginx access, and Docker container logs, highlights suspicious IPs, exposed secrets, and produces a structured incident summary.

Ingests common log formats and produces an investigation-style report. Parses auth.log, nginx access logs, and Docker container logs, correlates suspicious IPs, flags accidentally logged secrets, and assembles a Markdown incident report ready for analyst review. (Python — see also RustThreatLensAI for the faster CLI variant.)

Python · CLI · Log correlation · +1 more

Web log detection 1

Web log detection

Web Attack Detection

Demo ready

Web log detection lab — flags SQL injection, XSS, suspicious user agents, scanner activity, and risk-scored request summaries from nginx access logs.

Parses nginx combined access logs and flags common web attacks: SQL injection patterns, XSS payloads, scanner-style user agents, sensitive path probing, and high-rate request bursts. JSON findings, IP risk table, Markdown report, triage handoff.

Python · CLI · nginx logs · +1 more