Documentation Sites
5 Docusaurus sites
Docusaurus · Published
Operation Desert Hydra
Full AI-assisted CTI pipeline documentation: source gathering with review gate, procedure dataset, OpenCTI knowledge graph, detection atlas (11 detections with pseudologic and proof screenshots), validation lab architecture, coverage matrix, and production scars. One-command reproducible lab.
Docusaurus · Published
CTI Analyst Field Manual
Practitioner operating manual covering the full CTI-to-detection chain. Evidence labels, source reliability, confidence language, attribution methodology, infrastructure pivoting, AI-assisted workflows, and detection candidate mapping. 80+ pages across 10 modules. Readiness score 8.8/10.
Docusaurus · Published
Customer-Driven AI CTI Project
End-to-end methodology for delivering structured CTI engagements with AI assistance. Scoping, collection, analysis, and delivery phases. Human validation gates throughout. Includes Phase 1 Foundations, Phase 2A Execution Guide, and Phase 2B Reference Toolkit.
Docusaurus · Published
Israel Government Threat Actors CTI
Blue-team defensive CTI repository: public-source reporting on threat actors, personas, malware families, TTPs, and detection opportunities relevant to Israeli government, public-sector, critical infrastructure, and adjacent suppliers. Iranian, Palestinian, and regional activity clusters with ATT&CK mappings.
Docusaurus · Published · Lab + Training
CTI as a Code
Full CTI analyst lab and structured methodology framework on Docker Compose. Eight training assignments (reactive, proactive, full-cycle, adversary emulation) across private-sector and government scenarios. Includes published case studies, Sigma rules, evidence files, and the complete step-by-step reactive investigation methodology.
Docusaurus · Published · Self-Hosted Tool
ThreatMapper
Self-hosted AI threat intelligence platform. Upload a threat report (PDF, DOCX, or text), choose Claude / GPT-4o / Gemini, and get ATT&CK technique extraction with evidence, real-time streaming, APT group attribution via Jaccard similarity, an interactive Navigator heatmap, and PDF reports — all in one Docker Compose stack.
Git Repositories
12 repos
Full CTI analyst lab — Docker Compose stack with OpenCTI, TheHive, Elastic SIEM, and Cortex. Eight structured assignments, 194 analytical files, methodology templates, and Sigma rules. Includes the published LifeTech Pharma reactive investigation case study.
AI-assisted CTI pipeline: 8 promoted public sources → OpenCTI 6.2 knowledge graph → 11 ATT&CK-mapped detection rules → Ansible-validated Kibana screenshots. Sysmon + Winlogbeat on Vagrant Windows 10 VM. Docusaurus documentation site. One-command deploy: bash start.sh.
Evidence-labeled cyber threat intelligence reports built for analysts, SOC leads, and detection engineers. Each report carries explicit confidence discipline — what is Observed, Reported, Assessed, or Inferred. Outputs: PDF reports, pivoting notes, detection candidates.
Detection artifacts derived from CTI reports, malware-analysis output, and threat-hunting articles. Explicit report → hypothesis → detection → validation handoff. Includes Sigma rules, YARA signatures, ATT&CK Navigator layers, IOC sets, and hunt queries.
Modular pipeline: extract public IPs from logs → enrich with VirusTotal → compute deterministic risk scores → build entity graph → load into Neo4j → run graph queries. Config-driven, per-step JSON outputs. Optional in-memory graph and browser visualization.
Model Context Protocol server implementing a 15-phase CTI production cycle inside Claude. Human validation gates after every phase; formal quality-gate sign-off at six milestones. Claude cannot silently advance the workflow — each phase returns a STOP + analyst checklist. Integrates VirusTotal and MISP.
Complete CTI learning path derived from FOR578 structure and adapted for modern AI-assisted workflows. Weekly schedule, capstone guide, and original instructional material. Does not redistribute SANS courseware — designed to complement licensed study.
Structured hunting hypotheses extracted from CTI and threat-hunting research. Each hypothesis carries data sources, query logic (Splunk SPL + KQL), false-positive notes, and ATT&CK technique mapping.
Reproducible detection engineering research for cloud identity and SaaS intrusions. Uses fully synthetic telemetry — no real tenants, tokens, or users. Each scenario: problem → real-world CTI evidence (Mandiant, IBM X-Force, Unit 42, CISA) → synthetic lab scenario + detection rules.
Source repository for the deployed Docusaurus site. Actor and persona profiles, ATT&CK mappings, IOC reference locations, and detection examples. Intentionally blue-team only — no binaries, leaked data, or exploit code. GitHub Actions CI validates links and structure.
Source repository for the Customer-Driven AI CTI Project Docusaurus site. Contains the full methodology, article series content, and cross-links to the CTI Analyst Field Manual. Published entry point: Medium series overview + Docusaurus documentation site.
Source repository for the CTI Analyst Field Manual Docusaurus site. 80 source markdown files across 10 modules: foundations, analytic discipline, frameworks, attribution, infrastructure pivoting, actor research, sector CTI, CTI-to-detection, AI-assisted CTI, and templates. CI: GitHub Actions link check + build.
Actor Research & Profiles
5 articles
Full actor profile — aliases, attribution, claimed operations, TTPs, malware families, and detection opportunities for the Handala Hack Team hacktivist cluster.
Profile of Sandworm (APT44 / FROZENBARENTS): destructive operations, wiper malware families, ICS/OT targeting, and Ukraine conflict-related activity.
Profile of MuddyWater: MOIS-linked actor, RMM tool abuse, spear-phishing tradecraft, persistent access methodology, and detection candidates.
Structured threat landscape assessment for container and Kubernetes environments: tracked actor activity, common TTPs, and detection priorities.
CTI report underpinning Operation DragonRx: APT41 initial access via Log4Shell, lateral movement to Active Directory, credential harvesting, and detection hypotheses.
CTI Tradecraft & Methodology
8 articles
End-to-end reactive and proactive CTI methodology: version-controlled investigations, evidence-traced claims, ATT&CK gap mapping, and Sigma rule derivation. From first alert to deployed detection.
Worked case study: dual-entry pharmaceutical IP theft — AiTM credential theft, DCSync, 381 MB formula exfiltration, 0/12 detection coverage. Full VS Code investigation walkthrough with real RBQL queries and Cobalt Strike sandbox analysis.
Full tradecraft reference: evidence labeling, source reliability, confidence tiering, attribution methodology, infrastructure pivoting, and detection candidate mapping.
Applying kill chain analysis to real adversary behavior — evidence labeling at each stage with worked examples drawn from public reporting.
Moving beyond the matrix: technique selection, sub-technique context, ATT&CK Navigator usage, and detection hypothesis construction from real reports.
Tool-to-technique mapping reference: which adversary tools map to which ATT&CK techniques, how to use this for detection prioritization.
Structured approach to attribution: evidence strength ladder, false-flag considerations, confidence levels, and how to defend attribution claims under scrutiny.
Passive DNS, certificate transparency, ASN/hosting pivots, and JARM/JA3 fingerprinting — turning one IOC into a defensible infrastructure cluster.
Words of estimative probability, source critique, assumption tracking, and cognitive bias mitigation applied to practical CTI production.
Side-by-side workflow timing: same CTI task completed manually vs. with AI assistance — where time is saved, where analyst judgment remains irreplaceable.
Detection Engineering
7 articles
End-to-end workflow: actor assessment → TTP extraction → detection candidate → hunting hypothesis → backlog item → production rule.
Practitioner reference for building and evaluating atomic detection rules — coverage gaps, noise thresholds, and the tradeoffs between specificity and recall.
When and how to write single-event rules: signal strength requirements, false-positive budgets, and integration with correlation layers.
Stacking atomic signals into behavioral patterns — temporal windows, entity pivots, and MITRE ATT&CK tactic-level correlation logic.
Practitioner analysis: how AI-augmented offensive operations change attacker tempo, tradecraft diversity, and the assumptions underlying existing detection coverage.
Framing detection as statistical inference — baseline construction, drift detection, and reducing false-positive rates in anomaly-based rules.
Data source requirements, behavioral baselines, and detection logic for identifying malicious insider patterns across endpoint, identity, and data-access telemetry.
Threat Hunting
3 articles
Using the Pyramid of Pain to prioritize hunt targets — moving from hash-based detection toward behavioral and TTP-level hunting with practical examples.
Wireshark-driven hunt methodology: protocol anomalies, C2 communication patterns, DNS tunneling indicators, and SSL/TLS fingerprinting in captured traffic.
Platform-specific hunt playbooks: process genealogy analysis, persistence mechanism review, and lateral movement artifacts across Windows, Linux, and macOS endpoints.
Threat Landscape & Sector Intelligence
6 articles
Protocol-level threat mapping for 4G/LTE infrastructure: GTP exploitation, SS7 abuse, and defensive controls for cellular network operators.
5G-specific threat landscape: network slicing attacks, SBA exposure, O-RAN security considerations, and detection priorities for 5G operators.
Applied case study: translating telecom threat intelligence into a prioritized defensive roadmap for a cellular provider — from threat model to detection backlog.
Container and Kubernetes threat landscape: supply chain risks, runtime attacks, lateral movement in ephemeral environments, and cloud-native detection approaches.
Evidence-based assessment of AI adoption in offensive tradecraft: phishing automation, malware generation, reconnaissance acceleration, and the detection implications.
Prompt injection, data exfiltration via LLM agents, tool-call manipulation, and the emerging attack surface introduced by agentic AI deployments.
Operation Desert Hydra
MuddyWater CTI pipeline · 1 article · 1 site · 1 repo
Full end-to-end pipeline: 8 promoted public sources on MuddyWater (Iranian MOIS) → AI-deduplicated source register (71 → 8) → OpenCTI 6.2 knowledge graph → 11 ATT&CK-mapped detection rules → Ansible-validated Kibana proof screenshots. 13 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks.
Full pipeline documentation: Phase 1 source gathering with review gate, Phase 2 procedure dataset, Phase 3 OpenCTI graph, Phase 4 detection atlas (all 11 detections with pseudologic), Phase 5 validation lab with lab architecture, Phase 6 coverage matrix, and production scars.
AI-assisted CTI pipeline — public-source MuddyWater intelligence through OpenCTI knowledge graph to 11 validated Kibana detections. Vagrant Windows 10 VM + Ansible + Sysmon + Winlogbeat. One-command reproducible lab: bash start.sh.
Operation DragonRx
APT41 simulation · 2 articles · 1 repo
Infrastructure design for the APT41 simulation: target network topology, Sliver C2 setup, Wazuh + Zeek + Elastic detection stack, and isolation controls.
Step-by-step attack execution: Log4Shell initial access → Sliver C2 implant → AD lateral movement → LSASS dump → detection trigger analysis.
Full-stack APT41 pharmaceutical-sector simulation lab. Log4Shell (CVE-2021-44228) initial access, Sliver C2, Active Directory lateral movement, LSASS credential dump, dual detection layer with Wazuh + Zeek + Elastic. Includes attack playbook and CTI report.
Customer-Driven AI CTI Project Series
4 articles
Introduction to the methodology: what a structured client-facing CTI engagement looks like, and how AI tooling fits inside a controlled analyst workflow.
Project charter, scope definition, stakeholder requirements, and the evidence and confidence framework that governs the entire engagement.
Phase-by-phase walkthrough: collection, enrichment, analysis, and reporting with explicit human validation checkpoints at each stage.
Templates, prompt library, quality gates, output artifact formats, and the cross-reference map tying the methodology to the CTI Analyst Field Manual.