← project lab
Featured Project · Blue Team + Automation

SOC Home Lab

A hands-on Security Operations lab that chains offense → defense → automation into one demonstrable system. This page showcases Phase 1: a dependency-free Python SOC toolkit that turns raw security telemetry into analyst-ready, MITRE ATT&CK-mapped alerts.

┌──────────────┐ attacks ┌──────────────────┐ logs ┌─────────┐ alerts ┌──────────────────┐ │ Kali attacker │ ─────────▶ │ vulnerable target │ ────────▶ │ SIEM │ ───────▶ │ Python triage / │ │ (offense) │ │ (defend & harden) │ │ (blue) │ │ automation tools │ └──────────────┘ └──────────────────┘ └─────────┘ └──────────────────┘

Brute-Force Detector LIVE

T1110.001 Brute ForceT1110.003 Password Spraying

Sliding-window analysis of SSH/auth logs. Catches password guessing, spraying across many users, and — the dangerous one — a successful login right after a failure burst (likely compromise).

$ python bruteforce_detector.py sample_logs/auth.log SOC BRUTE-FORCE DETECTOR | 35 auth events analysed [1] CRITICAL Successful login after failure burst (possible compromise) MITRE ATT&CK : T1110 Source IP : 192.0.2.99 Evidence : success as 'admin' after 9 failures >> LIKELY COMPROMISED ACCOUNT: admin [2] HIGH Brute Force T1110.001 203.0.113.66 (8 failed logins in 120s) [4] HIGH Password Spraying T1110.003 198.51.100.23 (7 distinct users)

Phishing Analyzer LIVE

SPF / DKIM / DMARCSpoofingMalicious URLs

Parses a raw .eml and scores it on real triage signals — email authentication, organizational-domain spoofing, brand impersonation, dangerous attachments. Tuned against false positives: a legit DMARC-authenticated email scores 0; a spoofed lookalike with a .exe scores 100.

$ ... real_gov_email.eml RISK: 0/100 Low risk passed: SPF, DKIM, DMARC [MED] Reply-To on diff domain (DMARC-authenticated — note only)
$ ... phish_sample.eml RISK: 100/100 PHISHING [HIGH] SPF/DKIM/DMARC failed [HIGH] Display-name impersonation [HIGH] invoice.pdf.exe attachment

IOC Enricher LIVE

Threat IntelAbuseIPDBVirusTotal

Extracts Indicators of Compromise (IPs, domains, hashes, URLs) from any text, understands defanged indicators like hxxp:// and 1.2.3[.]4, drops noise, and enriches IPs/hashes against live threat-intel reputation.

$ python ioc_enricher.py alert.txt IPV4 : 45.137.21.9 DOMAINS : malware-c2.evil.ru HASHES : e3b0c44298fc1c149afbf4c8996fb92427ae41e4... EMAILS : billing@paypa1-secure.com (refanged from hxxp / [.] )

Lab Roadmap

Phase 1 — Automation ✓

  • Brute-force / spray / compromise detector
  • Phishing .eml analyzer
  • IOC extractor + threat-intel enrichment
  • Phase 3 — Attack & Defend

  • Kali vs vulnerable target / AD
  • Attack → harden → re-test
  • Assessment + detection report
  • Principles

  • Own / self-hosted targets only
  • Every detection mapped to MITRE ATT&CK
  • Stdlib-only — clone & run anywhere
  • View source on GitHub →