A hands-on Security Operations lab that chains offense → defense → automation into one
demonstrable system. This page showcases Phase 1: a dependency-free Python SOC toolkit that turns raw
security telemetry into analyst-ready, MITRE ATT&CK-mapped alerts.
Sliding-window analysis of SSH/auth logs. Catches password guessing, spraying across many
users, and — the dangerous one — a successful login right after a failure burst (likely compromise).
$ python bruteforce_detector.py sample_logs/auth.log SOC BRUTE-FORCE DETECTOR | 35 auth events analysed[1] CRITICAL Successful login after failure burst (possible compromise)
MITRE ATT&CK : T1110 Source IP : 192.0.2.99
Evidence : success as 'admin' after 9 failures
>> LIKELY COMPROMISED ACCOUNT: admin[2] HIGH Brute Force T1110.001 203.0.113.66 (8 failed logins in 120s)
[4] HIGH Password Spraying T1110.003 198.51.100.23 (7 distinct users)
Phishing Analyzer LIVE
SPF / DKIM / DMARCSpoofingMalicious URLs
Parses a raw .eml and scores it on real triage signals — email authentication,
organizational-domain spoofing, brand impersonation, dangerous attachments. Tuned against false positives:
a legit DMARC-authenticated email scores 0; a spoofed lookalike with a .exe scores 100.
Extracts Indicators of Compromise (IPs, domains, hashes, URLs) from any text, understands
defanged indicators like hxxp:// and 1.2.3[.]4, drops noise, and enriches
IPs/hashes against live threat-intel reputation.