- ThreatMapper: I Built a Self-Hosted AI Threat Intelligence Platform Medium · Jun 7, 2026
- CTI as a Code in Practice: Reactive Investigation — LifeTech Pharma InfoSec Write-ups · May 30, 2026
- CTI as a Code: Complete Step-by-Step Methodology InfoSec Write-ups · May 29, 2026
Latest
Most recent articles, guides, and tools — newest first. Full lists below.
- Anomaly Detection Atlas Docusaurus · Jun 9, 2026
- ThreatMapper Documentation Docusaurus · Jun 7, 2026
- Insider Threat Detection Engineering Guide Docusaurus · Jun 7, 2026
- ThreatMapper — ATT&CK threat-intel platform GitHub · Jun 9, 2026
- StratusAI — AWS/GCP cloud security scanner GitHub · May 2026
- AIDebug — CTI-first malware RE debugger GitHub · May 2026
Choose Your Review Path
Start with the path that matches what you are evaluating. Each path keeps the top story defensive and CTI-to-detection oriented.
CTI / Threat Intelligence
Detection Engineering
Malware / Reverse Engineering
Cloud / Kubernetes Security
Offensive Security / AI-Driven
AI-Assisted Security Workflows
Workflows where candidate enrichment, summaries, mappings, and scores require analyst validation before use. AI accelerates mechanical steps — analysts own every decision gate.
Full Library
Use the full Medium navigator only after the selected paths. The homepage keeps selected work visible first so the portfolio stays scannable.
Flagship Projects
Ten top-tier projects that define the main body of work, followed by supporting pieces.
Top-tier flagships
CTI Analyst Field Manual
Practitioner operating manual: evidence labels, source reliability (Admiralty A-F/1-6), confidence language, attribution methodology, infrastructure pivoting, AI controls, hunting hypotheses, detection backlog, and 10 reusable analyst templates. 80 pages, 10 modules, CI-validated.
Operation Desert Hydra
Complete CTI-to-detection pipeline on MuddyWater / Seedworm — widely reported by government and vendor sources as Iran-linked activity associated with MOIS. 71 candidate sources reviewed, 8 promoted, 10 procedure records with Observed/Reported/Assessed evidence labels, OpenCTI 6.2 knowledge graph, 11 detection records with SIEM-agnostic pseudologic, and an Ansible-provisioned Windows 10 lab validated against Kibana. 14 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks. 16 of 21 ATT&CK techniques (76%) fully validated. One-command reproducible.
Israel Government Threat Actors CTI
Sector CTI covering Iranian, Palestinian, and regional threat actors targeting Israeli government, public-sector, critical infrastructure, and adjacent suppliers. Actor profiles, ATT&CK mappings, IOC reference locations, and detection examples. Blue-team only — no binaries or exploit code.
Customer-Driven CTI-to-Detection Methodology
End-to-end methodology for structured CTI engagements: scoping, collection, analysis, and delivery with human validation gates throughout. 15-phase cycle with AI assistance under analyst control. Three-part article series and full Docusaurus reference site.
OpenCTI Intelligent Shield
OpenCTI platform with a custom Claude-powered enrichment connector: Docker Compose deployment, STIX 2.1 workflows, confidence-scored IOC enrichment, and an analyst gate before any object enters the threat intelligence graph. Sanitized env example; real credentials excluded from repo.
Operation DragonRx
Full-stack APT41 pharmaceutical-sector attack simulation: Log4Shell initial access → Sliver C2 implant → Active Directory lateral movement → LSASS credential dump. Dual-layer detection with Wazuh + Zeek + Elastic. Published CTI report, lab architecture, and step-by-step attack playbook.
AIDebug
Reverse engineering walker for malware analysts: Capstone disassembly, FLIRT signature matching, CFG extraction, Frida-based dynamic tracing, INetSim isolation, 8 behavioral pattern detectors, and SIEM-ready JSON output. TUI interface — no sandbox required for static analysis passes.
Old Defense vs New-Age Attacks
Defender-focused guide on how AI collapses the attacker skill floor and breaks assumptions behind legacy IOC-heavy defense. Covers the old capability-tier model, the Pyramid of Pain after AI, why legacy controls fail, and what SOC teams should change in logging, behavioral detection, CTI, and response.
ThreatMapper
Self-hosted AI threat intelligence platform. Upload a threat report (PDF, DOCX, or raw text), pick Claude / GPT-4o / Gemini, and it extracts ATT&CK techniques with evidence and confidence scores in real time, streamed token by token. Built-in APT group attribution (Jaccard similarity between the report's technique set and each of the 174+ ATT&CK groups), interactive ATT&CK Navigator heatmap, campaign overlay, named layer library, comparison modes (Groups / Campaigns / Stored Reports), and one-click PDF reports. Docker Compose, no cloud dependencies.
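The attribution step above compares the set of technique IDs extracted from a report against each group's known technique set with Jaccard similarity. The block below is an added illustration of that comparison, not ThreatMapper's own code: the group profiles (`G-A`, `G-B`, `G-C`) are constructed sample data rather than real ATT&CK group mappings, and the parent-technique fallback (`T1566.001` → `T1566`) is an assumption added here to show a looser second pass, not a feature the page describes.

```python
"""Added example (not ThreatMapper's code): rank ATT&CK groups by Jaccard similarity
between a report's extracted technique IDs and each group's known technique set.
Group profiles are constructed sample data, not real ATT&CK group mappings."""
from typing import Iterable

# Constructed sample profiles (hypothetical groups, NOT real ATT&CK group data).
GROUP_TECHNIQUES: dict[str, frozenset[str]] = {
    "G-A": frozenset({"T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1071.001"}),
    "G-B": frozenset({"T1566.001", "T1059.001", "T1105", "T1547.001"}),
    "G-C": frozenset({"T1190", "T1505.003", "T1071.001"}),
}


def normalize(technique_ids: Iterable[str]) -> frozenset[str]:
    """Upper-case and strip extracted IDs, dropping empties, so 't1566.001 '
    and 'T1566.001' are the same element."""
    return frozenset(t.strip().upper() for t in technique_ids if t and t.strip())


def to_parent(technique_id: str) -> str:
    """Collapse a sub-technique ID to its parent: 'T1566.001' -> 'T1566'.
    (Assumed fallback for this example, not described on the page.)"""
    return technique_id.split(".", 1)[0]


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    """|A ∩ B| / |A ∪ B|. Two empty sets are defined as 0.0 so an empty
    extraction never produces a spurious perfect match."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def rank_groups(report_techniques: Iterable[str],
                groups: dict[str, frozenset[str]] = GROUP_TECHNIQUES,
                top_n: int = 3,
                parent_level: bool = False) -> list[dict]:
    """Score every group against the report and return the top_n, best first.
    Ties break on group name so the ordering is deterministic.
    parent_level=True compares at the parent-technique level instead."""
    report = normalize(report_techniques)
    if parent_level:
        report = frozenset(map(to_parent, report))
    scored = []
    for name, techs in groups.items():
        group_set = frozenset(map(to_parent, techs)) if parent_level else techs
        scored.append({
            "group": name,
            "jaccard": round(jaccard(report, group_set), 4),
            # Shared IDs are the analyst-facing evidence behind the number.
            "shared": sorted(report & group_set),
            "only_in_group": len(group_set - report),
            "only_in_report": len(report - group_set),
        })
    scored.sort(key=lambda r: (-r["jaccard"], r["group"]))
    return scored[:top_n]


if __name__ == "__main__":
    # Constructed extraction output, including the kind of noise a model emits.
    extracted = ["t1566.001 ", "T1059.001", "T1003.001", "T1071.001", ""]
    for row in rank_groups(extracted):
        print(row)
```

The `shared` and `only_in_*` fields matter more than the score alone: Jaccard penalizes groups with large documented technique sets even when every technique in the report matches them, so an analyst reviewing the candidate attribution should look at what overlapped and what did not rather than accept the ranking as-is.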
Insider Threat Detection Engineering Guide
Detection reference covering 14 documented insider threat cases (Manning → Barile) with structured detection engineering across 4 tiers — deterministic rules, behavioural heuristics, UEBA, and deception. 30 pages, 32 infographics, 4-phase implementation programme, telemetry requirements, and legal constraints. Built from CERT/CMU research, DOJ case records, and regulatory findings.
Strong supporting work
CVSS v4.0
CVSS v4.0 enrichment CLI (BTE scoring) that turns CVEs into prioritized vulnerability-management work using NVD, CISA KEV, EPSS, and configurable asset profiles. Companion Docusaurus field guide site with scoring explanations and practitioner decision frameworks.
StratusAI
Multi-cloud security scanner: 9 AWS modules + 7 GCP modules, 125-test suite, ECS Fargate / Cloud Run deployment. Multi-LLM finding analysis with attack-chain synthesis and severity classification in 2–4 minutes per scan.
Android Malware Analysis
Android APK analysis toolkit: AI-powered static analysis from the terminal, OWASP Mobile Top 10 coverage, decompilation, manifest inspection, permission risk scoring, and output formatted for mobile security assessment reports.
Vulnerable AI Lab
Intentionally vulnerable AI security training lab — DVWA/WebGoat for modern AI systems. Pre-built OWASP LLM Top 10 2025 scenarios: prompt injection, RAG poisoning, tool-call manipulation, and data exfiltration via LLM agents in a realistic RAG pipeline.
Medium Blog Navigator
Docusaurus navigation layer for 200+ Medium articles — organized by topic, difficulty, and content cluster. Makes cross-article research and topic discovery practical at scale without relying on Medium's own recommendation engine.
Work by Domain
Start here before opening the full article library.
CTI Work
Kill chain, attribution, infrastructure pivoting, ATT&CK usage, and public-source actor research.
Detection Engineering
Threat hunting, atomic detections, correlation rules, detection backlog thinking, and telemetry coverage gap analysis.
Malware Analysis
Malware analysis tools, APK analysis, YARA-related work, file triage, import analysis, strings, and unpacking utilities.
Cloud / Kubernetes Security
Cloud-native threat research, cloud scanning, vulnerable cloud labs, audit-log thinking, and prioritization support.
AI / Workflow
AI-assisted CTI tooling, enrichment source confidence management, OpenCTI operations, and structured analyst workflows.
Offensive Security
Authorized offensive security research and adversary simulation: red-team labs, attack playbooks, and AI-assisted lab workflows used for defensive context.
Live Evidence
Real screenshots from published research: tool outputs, malware analysis, infrastructure pivots, and attack simulations, each linked to its source article.
Selected Article Library
Direct Medium links only. The blog navigator is listed separately as an index resource, not as a substitute for direct article links.
CTI, Attribution, Pivoting
One Place for My Cybersecurity Projects, Guides, Articles, Labs, Tools, and Research Workflows
Meta map of the full ecosystem: main site, Medium, GitHub, and Docusaurus as one structured cybersecurity knowledge base.
CTI Research: Kubernetes & Cloud-Native Threat Landscape
Technical kill chain analysis, detection engineering, and defensive architecture for cloud-native threats.
The Intelligent Shield. OpenCTI
OpenCTI deployment, connector engineering, STIX workflows, enrichment source confidence management, and platform operations.
CTI Research: MuddyWater/Seedworm
Evidence-labeled assessment, technical timeline, defensive priorities, and SOC guidance.
CTI Research: Handala Hack Group
Threat persona and cluster analysis with evidence labels, IOC handling, and defensive guidance.
Infrastructure Pivoting: From One IOC to a Full Attacker Network
Field manual for passive DNS, reverse IP, ASN reuse, TLS certificates, internet search, and WHOIS pivots.
Attribution Methodology
How to build, defend, and challenge attribution claims without overstating the evidence.
ATT&CK as a Working Tool
Hands-on ATT&CK use for mapping, gap analysis, Sigma thinking, hunting, and adversary emulation.
CTI Kill Chain: An Analyst Guide With Real-World Evidence
Kill-chain thinking for analysts who need evidence, not generic phase labels.
Manual CTI vs. AI-Assisted CTI
Step-by-step comparison of where AI compresses CTI work and where analyst judgment remains non-negotiable.
CTI Program Design
Customer-Driven AI CTI Project
End-to-end CTI-to-detection methodology and project workflow overview.
Customer-Driven AI CTI Project Template: Part 1
Foundations and methodology for a customer-driven CTI lifecycle.
Customer-Driven AI CTI Project Template: Part 2A
Phase-by-phase execution guide from requirements to hunts and detections.
Customer-Driven AI CTI Project Template: Part 2B
Reference toolkit for artifacts, gates, delivery materials, and validation.
Detection And Hunting
Detecting Malicious Insider Activity: A Technical Detection Engineering Guide
14 documented cases, detection tiers 1–4, CERT kill chain, UEBA, deception controls, legal constraints, and a 4-phase implementation programme.
Endpoint Threat Hunting: Windows, Linux, and macOS
Telemetry, artifacts, MITRE ATT&CK tactics, and practical playbooks for endpoint hunting.
Protocol-Level Network Threat Hunting
Wireshark-centric guide to IOCs, protocol anomalies, C2 signals, and packet-level hunting.
Threat Hunting with the Pyramid of Pain
How to move defenders from brittle IOCs toward artifacts and TTPs that cost attackers more.
Single-Event Detection Rules in Cybersecurity
Atomic detection rules for SIEM, XDR, and log-based detection platforms.
Correlation-Based Detection Rules
Multi-event analytics, temporal logic, and behavioral detection across SIEM and XDR.
The Atomic Standard
Practitioner compendium for single-event threat detection and rule design.
The Invisible Pipeline
Defending CI/CD systems from targeted attacks with concrete controls and detection ideas.
Malware, Cloud, AI Security
Android APK Analysis Tool
AI-assisted static APK malware analysis with YARA, VirusTotal context, candidate MITRE mapping, and Frida hooks.
AI-Powered Malware Debugger
AIDebug walkthrough: FLIRT, patterns, CFGs, Frida, unpacking detection, YARA, and reports.
StratusAI Cloud Security Scanner
AWS and GCP scanner architecture, multi-LLM routing, Terraform deployment, and test coverage.
AI in Offensive Operations
Evidence-based research on attacker AI use, TTPs, incidents, confidence, and forecast judgments.
CVSS v4.0 Field Guide
CVSS-BTE, KEV, EPSS, environmental scoring, examples, scanner triage, and automation.
Tools And Repositories
Repositories are grouped by defender output, not by programming language.
Malware Analysis Stack
AIDebug, Android-Malware-Analysis, Static Malware Orchestrator, Unpacker, PE Import Analyzer, String Analyzer, and file triage.
CTI Engineering
Reports, pivoting automations, detection packs, and hunting hypotheses that move intelligence into operational use.
Vulnerability And Cloud
CVSS-BTE enrichment, cloud scanning, and vulnerable cloud labs for realistic prioritization and testing.
Guides & Docs
Docusaurus knowledge bases, field manuals, and structured references. 52+ step-by-step guides on Medium.
CTI as a Code
Version-controlled CTI methodology, evidence-traced investigation workflow, OpenCTI/TheHive/Elastic lab stack, and eight structured training assignments.
CTI Analyst Field Manual
Analytic judgment, evidence discipline, hunting hypotheses, and ATT&CK-mapped detection candidates.
Insider Threat Detection Engineering Guide
14 documented cases, 4-tier detection taxonomy, deterministic rules, UEBA, deception controls, 4-phase implementation programme, telemetry requirements, and legal constraints. 32 infographics.
Operation Desert Hydra
End-to-end CTI-to-detection pipeline: source review gate → procedure dataset → OpenCTI knowledge graph → 11 detection records → benign lab simulation → Kibana proof screenshots. 14 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks.
Israel Government Threat Actors CTI
Defensive CTI knowledge base for Israeli public sector, critical infrastructure, municipal, and supplier exposure.
Customer-Driven AI CTI Project
End-to-end methodology for turning intelligence requirements into hunts, detections, and delivery artifacts.
Customer-Driven AI CTI Template
Reusable templates for requirements, hunts, detections, evidence packs, and customer delivery.
CVSS v4.0 Field Guide
Practical CVSS v4.0 scoring, environmental profiles, scanner triage, and prioritization guidance.
HexStrike AI Guide
Authorized AI-assisted security lab workflows used as operator-context evidence for CTI work.
Medium Blog Navigator
Separate index for browsing the full Medium library by topic, depth, and role. Article cards above use direct article links.
OpenCTI Intelligent Shield
OpenCTI operations and security-team workflows for enrichment source confidence management and threat-intelligence platform work.
Old Defense vs New-Age Attacks
Docusaurus guide on how AI changes the attacker skill floor and what SOC teams must change in logging, detection, and response.
BrittleBench
Defender audit of public detection content robustness, focused on brittle IOC-heavy content and detection assumptions that fail under attacker adaptation.
Anomaly Detection Atlas
Vendor-neutral reference connecting statistical anomalies, ATT&CK-aligned activities, and the security log sources that surface them — a lookup layer between detection ideas and the telemetry needed to build them.
Lab Work
Authorized, controlled environments built to understand attacker behavior, validate detection assumptions, and practice the full attack-to-defend cycle.
Operation DragonRx
APT41 pharmaceutical-sector attack simulation. Log4Shell initial access → Sliver C2 → Active Directory lateral movement. Dual-layer detection with Wazuh + Zeek + Elastic.
Cloud & Kubernetes Labs
Vulnerable cloud infra for cloud pentest practice: GCP + AWS Terraform deployments, 25-issue Kubernetes misconfiguration lab, and IIS / SharePoint / Fluent Bit environment.
Active Directory Labs
Reproducible Windows / AD pentest environments: vulnerable Windows 10, full AD domain with GPOs, Kerberoasting, Pass-the-Hash, and LSASS dump paths. Manual and one-prompt Cursor AI deployments.
Android Security Labs
Android analysis lab on Ubuntu (Androguard + Frida toolchain). Deliberately vulnerable Android app covering all OWASP Mobile Top 10 classes. Autonomous mobile PT walkthrough.
Vulnerable AI Lab
Intentionally vulnerable AI application lab — like DVWA but for modern AI: RAG assistants, tool-calling agents, LLM-powered copilots. Covers prompt injection, data exfiltration, and agent manipulation.
Linux & Web App Labs
Vulnerable Ubuntu 24.04 server with full HexStrike pentest walkthrough. DVWA deployment automated with Ansible for reproducible web-app attack-and-detect practice.
About
I profile adversary behavior, map TTPs to ATT&CK-aligned detection candidates, and ship tools that automate the mechanical parts of CTI and reverse engineering work. Current role: Threat Intelligence Research Engineer at XPLG. Formerly Head of Red Team at Israel Police Cyber Defence Unit. All tooling ships with mandatory analyst review built into the workflow — AI assists with throughput, not with judgment.
Contact
Use the profiles below for code, writing, and professional contact.