Work

Tools, labs, notes, and contributions

A curated set of defensive tools, local labs, public contribution threads, and notes from systems I build, study, and protect.

start here: STIGPilot, lapse, HomeNet, Splunk content
throughline: slow down the risky change, then leave a useful note
open threads: Elastic, SigmaHQ, LLMForge, and Splunk contribution threads

A few ways in.

Pick the thread closest to what you care about, or search by tool, topic, or repository.

Archive

Additional tools, labs, and public review threads. Use search or filters when you are looking for a specific area.

Lab

TryHackMe SOC and Blue-Team Labs

Public lab profile

121 rooms, top 1%, 21 badges—all publicly verifiable. Covers SOC triage, SIEM, Splunk, EDR, phishing analysis, Wireshark, and network defense fundamentals.

Lab, Public profile
SOC, SIEM, Splunk, EDR, Wireshark

Problem: Training history can look scattered when rooms, badges, and projects live in different places.

Checked: Public profile, completed-room count, rank, badges, and visible SOC/SIEM/EDR/phishing/Wireshark rooms.

Noise: Offensive rooms are useful context, but this portfolio emphasizes defensive analyst readiness.

Next action: Use the profile as supporting context for hands-on SOC, SIEM, packet analysis, and blue-team practice.

Limit: TryHackMe is lab work; production experience is represented separately through healthcare IT, IAM, endpoint support, and documented projects.

Identity

IdentityRiskGraph

CloudTrail IAM risk review

Groups CloudTrail IAM events, nested access paths, and ATT&CK-mapped findings into a readable risk path before analyst review.

Tool, IAM graph
IAM, CloudTrail, Detection, ATT&CK

Problem: Cloud identity alerts can be hard to review when events, principals, and access paths are separated.

Checked: CloudTrail IAM events, nested access relationships, mapped techniques, affected resources, and review context.

Noise: Admin activity and automation can look risky without ownership and intent.

Next action: Group the event context into a readable identity-risk path before analyst review.

Limit: The project is a review and detection engineering aid, not a live cloud enforcement system.

Directory

relic

Active Directory hygiene

Finds the directory leftovers that create access risk—disabled accounts still holding group memberships, old computers, stale service accounts—and queues them for review.

Tool, Review workflow
Active Directory, LDAP, Cleanup

Problem: Directory leftovers create access risk and operational noise.

Checked: Dormant users, old computers, disabled accounts, group memberships, and password-age signals.

Noise: Service accounts and ownerless groups often need human confirmation.

Next action: Report cleanup candidates, remove risky leftovers, and disable only through review.

Limit: Findings need ownership context before removal.

Endpoint

Undertaker

Scheduled task review

Scheduled automation can become stale or persistence-like. Undertaker surfaces old and over-privileged jobs across Windows Tasks, cron, and systemd—read-only, no removals.

Tool, Read-only
Endpoint, Scheduled tasks, Privilege

Problem: Scheduled automation can become stale, over-privileged, or persistence-like.

Checked: Task names, run paths, schedules, privilege context, and last-run signals.

Noise: Legitimate updaters and maintenance jobs can look suspicious without context.

Next action: Keep, allowlist, investigate, or remove through the operating system outside the tool.

Limit: The project is read-only and does not remove tasks.

Browser

Browser Bailiff

Extension risk review

Browser extensions can quietly expand endpoint exposure. Browser Bailiff audits permissions, host access, content scripts, and age so you know what each extension can reach before approving it.

Tool, Local review
Browser, Permissions, Endpoint

Problem: Browser extensions can quietly expand endpoint exposure.

Checked: Permissions, host access, content scripts, update URL, manifest details, and age.

Noise: Some broad permissions are normal for password managers, blockers, or enterprise tools.

Next action: Approve, investigate, or remove through the browser outside the tool.

Limit: The auditor reviews local metadata; it does not prove extension intent.

AppSec

Authorized AI/LMS Security Assessment

Control review notes

Authorized review of an AI/LMS workflow. Covered tool access boundaries, unsafe request handling, and remediation patterns—with a control matrix and redacted disclosure notes.

Case study, Sanitized
AI security, OWASP LLM, Responsible disclosure

Problem: AI assistants inside learning platforms can inherit more authority, context, and trust than users realize.

Checked: External tool behavior, user-editable instructions, safety configuration, injected user context, retrieval scope, memory behavior, messaging authority, and evidence handling.

Noise: AI/LMS risk is rarely one single bug; it is often the combination of tools, context, defaults, and unclear boundaries.

Next action: Restrict tool scopes, require visible approval for external actions, minimize LMS context, enforce document ownership, add logging, and regression-test known failure modes.

Limit: The public case study intentionally withholds the confidential report, target identifiers, exploit prompts, screenshots, student data, internal endpoints, and reproduction steps.

CONTRIBUTION

elastic/detection-rules

Bug fix: filter-only KQL rule exports

Spotted a bug in Elastic's detection-rules CLI: the export path was failing for filter-only KQL custom rules, which are valid in Detection-as-Code workflows. Fix scopes empty-KQL allowance to custom rule export mode, keeps the invalid-query guard, and adds schema and compile tests.

CONTRIBUTION, OPEN PR
Elastic, KQL, Detection-as-Code, Python

Problem: Filter-only KQL custom rules were failing during Detection-as-Code export when the query string was empty.

Checked: Kibana filters, empty KQL query behavior, export-rules CLI flow, custom-rule export mode, schema tests, and compile checks.

Noise: Empty KQL should not be broadly allowed; the fix stays scoped to custom rules with Kibana filters present.

Next action: Allow the export path for valid filter-only custom rules while preserving invalid-case coverage.

Limit: The current replacement PR remains open while maintainers complete review.

CONTRIBUTION

SigmaHQ/sigma

Event log clear filter-scope fix

Caught a logic bug in a SigmaHQ Windows detection rule: the false-positive filter only applied to one of two branches because `and` binds tighter than `or`. Grouped the branches correctly, applied the filter across both. sigma check: 0 errors, 0 issues.

CONTRIBUTION, OPEN PR
Sigma, Windows, Detection, False positives

Problem: A false-positive filter was not applied consistently across eventlog-clear detection branches.

Checked: Sigma rule condition precedence, grouped detection branches, filter scope, comment typo, and sigma check validation.

Noise: Event log clearing can be suspicious, but installer and administrative activity can create expected noise.

Next action: Group the suspicious branches before applying the known false-positive filter.

Limit: The PR remains open while upstream review is pending.

CONTRIBUTION

SasanLabs/LLMForge

Indirect prompt injection payload hints

Extended LLMForge's indirect prompt injection test suite with four vectors: source instruction override, obfuscated key requests, hidden HTML comment injection, and multi-source context confusion, plus a hardened no-payload baseline and localization key sanity checks.

CONTRIBUTION, OPEN PR
LLM Security, Prompt Injection, AI Security, Python

Problem: Indirect prompt injection tests need clear payload hints that model realistic source and context confusion paths.

Checked: LLMForge payload wording, localization keys, indirect prompt injection variants, source instruction override, hidden comments, and multi-source context confusion.

Noise: Payload wording needs to be effective without becoming ambiguous or too brittle for the test gateway.

Next action: Iterate with the maintainer on wording and obfuscated variants until the payload hints fit the project.

Limit: The replacement PR remains open while final maintainer review and merge are pending.

CONTRIBUTION

splunk/security_content

Merged detection typo fix

The ADS process execution detection referenced regscr32.exe—a typo that meant the rule would never match regsvr32.exe. Fixed the binary string, scoped to the detection and metadata, merged upstream.

CONTRIBUTION, MERGED
Splunk, Detection, Windows, Security Content

Problem: Detection content loses trust when a process name typo prevents the intended behavior from matching.

Checked: Expected regsvr32.exe string, absence of the typo, YAML parsing, and scoped metadata update.

Noise: The goal was not to rewrite detection logic, only to correct the broken executable reference.

Next action: Submit a minimal upstream fix that maintainers could review quickly.

Limit: The public card links to the merged upstream PR and avoids overstating impact beyond the scoped typo fix.

Network

Packet Tracer Network Defense Labs

Per Scholas lab portfolio

Structured lab work across NAT, SSH, ACLs, wireless security, TACACS/RADIUS, DNS, and endpoint basics—the foundation for reasoning about network behavior before calling something suspicious.

Training lab, Lab notes
Packet Tracer, Network defense, Per Scholas

Problem: SOC work depends on understanding normal network behavior before calling something suspicious.

Checked: Traffic flow, addressing, wireless security, remote access, access control, DNS, server logs, and endpoint behavior.

Noise: Training labs simplify production networks, so the value is in reasoning and documentation rather than claiming enterprise ownership.

Next action: Use the labs to reinforce network, endpoint, and analyst fundamentals while continuing to build public writeups.

Limit: Course files and personal lab answers are kept private; the public portfolio summarizes the skills demonstrated.