OPEN TO OPPORTUNITIES · CANADA

Nathaniel Fibonacci

ISS Diploma 2026 — Malware Analyst & Purple Team Specialist in progress. Intensive labs in malware analysis, computer forensics, web application security, and Windows Server. Two years of live production experience: WordPress hardening, WAF tuning, malware scanning, and incident documentation at a real organisation. Driven by pattern recognition, precision, and a commitment to defending what matters.

what i offer

Services

01 / WEB SECURITY
Web Security Admin

Two years of operational WordPress security — hardening configs, tuning firewalls, governing plugins, and maintaining recovery discipline. Real work, documented.

  • WAF tuning & file permission hardening
  • Malware scanning & spam filtering
  • 2FA / CAPTCHA & plugin governance
  • Automated backups & recovery testing
02 / BLUE TEAM
Security Analysis & Triage

Building toward detection and response work — grounded in ISS lab coursework across malware analysis, forensics, OS exploitation, and secure networking.

  • Incident-style documentation & triage
  • Malware static & dynamic analysis (academic)
  • Disk & memory forensics fundamentals
  • Security baselines & access control concepts
03 / SYSTEMS
Technical Support & Documentation

Hardware troubleshooting, OS rebuilds, imaging, and migration — paired with the documentation discipline that makes security work reproducible and auditable.

  • Laptop / PC diagnosis & repair
  • OS rebuilds, imaging, data migration
  • Plain-language technical documentation
  • Customer-facing escalation & follow-through
capabilities

Skills & Tools

Core Proficiency
Web Security (WordPress / WAF): 82%
Security Documentation & Triage: 80%
Windows Server / Active Directory: 74%
Network Security Fundamentals: 72%
Malware Analysis & Forensics: 68%
Python / Scripting: 62%
Tools & Platforms
Kali Linux · Wireshark · Nmap / Masscan · Metasploit · Burp Suite · sqlmap · Volatility 3 · Autopsy · GDB + pwndbg · Ghidra · ROPgadget · pwntools · Sysmon · Sysinternals · WordPress Security · Wordfence / WAF · Windows Server · Active Directory · Security Onion · MITRE ATT&CK · TryHackMe · HackTheBox · Python · JavaScript / TypeScript · SQL · HTML/CSS · GitHub · Cisco Packet Tracer

GitHub Foundations: GitHub · 2025 · Completed
AZ-900 · AZ-500: Microsoft Azure · In Progress
CCNA 200-301: Cisco · In Progress
CompTIA CySA+: CompTIA · Planned
SSCP: ISC2 · Planned
GIAC GSEC: GIAC · Planned
work

Selected Projects

PROJECT · 01

Network Security Audit

Academic penetration test covering network reconnaissance, open port analysis, misconfigured services, and unpatched exposure points. Delivered a prioritised remediation report with CVE references and MITRE ATT&CK mappings.

  • Enumerated exposed services using Nmap and manual verification
  • Documented findings in structured audit format
  • Proposed patching, config hardening, and access control fixes
Nmap · Kali Linux · Audit Report · ISS
PROJECT · 02

SQL + JavaScript CRUD Web App

Full-stack interactive web application built with a security-conscious approach: input validation, parameterised queries, and clean data flow from UI to database layer.

  • Input validation preventing injection at every form field
  • SQL backend with parameterised queries (no raw string concat)
  • Clear user feedback and error handling without info leakage
JavaScript · SQL · HTML/CSS · Input Validation
PROJECT · 03

WordPress Security Hardening (Operational)

Two years of weekly production security work at Music Inc.: WordPress hardening, WAF rule tuning, malware scanning, plugin CVE monitoring, and incident documentation. Real-world, not a lab. Real WAF, real malware events, real recovery drills.

  • WAF tuning, file permission reviews, plugin governance
  • Malware scanning, spam filtering, 2FA/CAPTCHA deployment
  • Automated backups + recovery checklist tested monthly
WordPress · WAF · 2FA · Backup/Recovery · Operational

reach out

Open to the Right Opportunities

Let's work together.

Whether you need a purple team analyst, a malware analyst, a cloud security specialist, or someone who writes clear, precise incident reports — I am open to connecting. Tell me what you are defending and what your organisation values.

Open To

Responding to every serious inquiry within 48 hours. Based in Canada — open to remote and hybrid roles.

  • Junior / entry-level blue team analyst roles
  • SOC analyst (Tier 1 as bridge, Tier 2 target)
  • Web security admin & maintenance contracts
  • IT support with security responsibilities
  • MDR / Managed Detection and Response — available 10hrs/day, Mon–Fri (1pm–10pm MT)
career path

AI-Proof Cybersecurity Roadmap

A 52-week structured path designed for 2026 and beyond — cloud-native, AI-security-aware, and built around the skills that cannot be automated away.

arsenal

Cybersecurity Tools Used & Learning

Real tools from academic labs, two years of operational security, and ongoing self-study. Colour-coded honestly — green is operational, yellow is actively learning, grey is planned. Full Tools Lab: 65 tools with commands & cert mapping.

🔍 Offense & Recon (8): Nmap · Kali Linux · Metasploit · Burp Suite · Aircrack-ng · Gobuster · Nikto · Cobalt Strike (theory)
🛡️ Defense & Monitoring (7): Wireshark · Wordfence / WAF · Security Onion · Snort / Suricata · Sysinternals Suite · MITRE ATT&CK Navigator · Microsoft Sentinel
🔬 Malware Analysis & Forensics (9): PEStudio · x64dbg · Ghidra · Volatility 3 · Autopsy · FTK Imager · ANY.RUN Sandbox · VirusTotal · CAPE Sandbox
🌐 Networking & Infrastructure (7): Cisco Packet Tracer · Windows Server 2022 · Active Directory · Microsoft 365 · tcpdump · pfSense (lab) · Azure Portal
💻 Development & Scripting (8): HTML/CSS/JavaScript · Python · SQL · Git / GitHub · Bash · PowerShell · VS Code · TypeScript
🎯 CTF & Practice Platforms (5): TryHackMe · HackTheBox · PicoCTF · SANS NetWars · INE Skill Dive
beyond the terminal

Hobbies & Interests

🎮 Retro Gaming

Oregon Trail taught resource management and risk assessment before those terms existed in my vocabulary. Games where decisions had permanent consequences — no respawns, limited supplies, a long road ahead. That exact mindset transfers to incident response and threat modelling.

Oregon Trail · Classic Strategy · Risk Management
🎵 Music & The Industry

Two years managing web security for a live music company put me inside the creative industry — real artists, real stakes, real malware events. Music is a constant backdrop to late-night lab sessions and log analysis. Lo-fi keeps the focus when everything else is noise.

Music Industry · Operations · Late Night Labs
🌌 Hiking

Hiking in the mountains and forests, observing patterns in the natural world — the Fibonacci sequence in leaf spirals, fractals in mountain ridges. The same pattern-recognition instinct that makes a good analyst.

Urban Photography · Monochrome · Pattern Recognition
📡 Threat Intel & Research

Beyond the coursework — DEFCON archives, MalwareTech write-ups, 13Cubed forensics walkthroughs, Detection Engineering Weekly. The field moves fast. Genuine curiosity keeps the learning going when credentials alone would plateau.

DEFCON · MalwareTech · 13Cubed · TI Blogs
interactive

The Cyber Trail v4.0 ⬡ VESSEL

Open-world cybersecurity teaching platform — built on real threat intelligence, not textbook theory. 9 operative classes · 11 threat zones · 35 missions · 4-tier progression · Real 2025–2026 attack techniques including ROP chains, supply chain compromise, process injection, and LotL/LOLBins — mapped to MITRE ATT&CK v18 and NIST NICE Workforce Framework. Live CVE feed from CISA KEV · XP system · skill tree · tool arsenal · 21 player profiles. Three modes: Professional terminal · Security Awareness with full security tool guide · Senior / Consumer Awareness with GrapheneOS recommendations and consumer app guide. Plus Industry Threats — sector-specific threat intelligence for Healthcare, Finance, Retail, and Education with real breach case studies.

intel feed

News & Intelligence Sources

The feeds I actually follow. Keeping up with the threat landscape isn't optional — it's part of the job. These are the sources that matter.

🔴 r/cybersecurity
Community

The largest practitioner-run cybersecurity community. Real discussions on tools, incidents, career advice, and breaking news — unfiltered.

reddit.com/r/cybersecurity
📡 Wired Security
Investigative

Long-form investigative journalism on state-sponsored attacks, zero-days, and the policy implications of major breaches. Kim Zetter-tier writing.

wired.com/security
📰 Cybernews
Daily News

Fast-moving daily coverage of data breaches, ransomware, and threat actor activity. Good for staying current on the velocity of incidents.

cybernews.com
🕵️ The Hacker News
Threat Intel

High-volume threat intelligence and CVE coverage. Essential for keeping up with active exploits, new malware families, and vulnerability disclosures.

thehackernews.com
🔎 Krebs on Security
Investigative

Brian Krebs — the gold standard in cybercrime investigation. Deep dives into fraud rings, botnet operators, and criminal infrastructure. Required reading.

krebsonsecurity.com
🖥️ BleepingComputer
Technical

Best technical coverage of ransomware campaigns, malware analysis, and Windows security. Practitioners write for practitioners.

bleepingcomputer.com
🎓 SANS Internet Storm Center
Technical Research

Daily threat diaries from SANS instructors. Technical, dense, and current. The closest thing to a daily briefing written by analysts who actually defend networks.

isc.sans.edu
🌑 Dark Reading
Enterprise Security

Enterprise-level threat intelligence, vendor research, and practitioner features. Good for understanding the business side of security alongside the technical.

darkreading.com
◈ OPERATIVE ARSENAL — v4.0

Cybersecurity Tools Lab

Professional-grade tools across network security, application testing, cloud defence, incident response, threat intelligence, and OT/IoT. Every tool a working security engineer actually uses.

65 Tools · 8 Categories · 41 Open Source · 12 Cert-Mapped
📡 Network Security (12 tools)
Wireshark · OSS

The world's most widely-used network protocol analyser. Captures and dissects traffic in real time across 3000+ protocols. Essential for SOC analysts, network forensics, and incident response.

Packet Capture · Protocol Analysis · Network Forensics
KEY FILTERS / COMMANDS
  • ip.addr == 192.168.1.5 && tcp.flags.syn == 1
  • http.request.method == "POST"
  • tshark -i eth0 -w capture.pcap
  • dns.qry.name contains "malicious"
Nmap / Zenmap · OSS

The definitive network scanner. Discovers hosts, open ports, running services, OS fingerprints, and vulnerabilities via NSE scripts. Core tool for every penetration test and network audit.

Port Scanning · Service Detection · Recon · NSE Scripts
ESSENTIAL COMMANDS
  • nmap -sC -sV -oN scan.txt 10.10.10.5
  • nmap -p- --min-rate 5000 -T4 target
  • nmap -sU --top-ports 20 target
  • nmap --script vuln target
Snort 3 · OSS

Cisco's open-source IDS/IPS with real-time traffic analysis and packet logging. Uses signature-based detection with a vast community ruleset. Deploy inline (IPS) or passive (IDS).

IDS/IPS · Signature Rules · Real-time
CONFIG / RULES
  • snort -c /etc/snort/snort.conf -i eth0
  • alert tcp any any -> $HOME_NET 22 (msg:"SSH"; sid:1001;)
  • snort -r capture.pcap -c snort.conf
Suricata · OSS

High-performance multi-threaded IDS/IPS/NSM engine. Compatible with Snort rules, adds protocol detection, file extraction, TLS certificate logging, and EVE JSON output for SIEM ingestion.

IDS/IPS · NSM · Multi-threaded · EVE JSON
KEY COMMANDS
  • suricata -c /etc/suricata/suricata.yaml -i eth0
  • suricata-update # update rulesets
  • jq '.alert' /var/log/suricata/eve.json
SolarWinds NPM · Commercial

Enterprise network performance monitoring. Automated topology mapping, SNMP-based device polling, bandwidth analysis, and alerting. Widely deployed in large enterprises. Note: Supply chain compromise in 2020 (SUNBURST/SolarWinds hack).

Network Monitoring · SNMP · Topology Map · Alerting
KEY FEATURES
  • SNMP polling · NetFlow · sFlow · jFlow
  • Orion SDK — REST API for automation
  • NCM — network configuration management
Zeek (Bro) · OSS

Network analysis framework that generates rich log files (conn.log, dns.log, http.log, ssl.log, files.log) rather than raw packet captures. Essential for threat hunting and security monitoring pipelines.

NSM Framework · Log Generation · Threat Hunting
LOG ANALYSIS
  • zeek -C -r capture.pcap
  • cat conn.log | zeek-cut id.orig_h id.resp_h
  • cat dns.log | zeek-cut query | sort | uniq -c
tcpdump · OSS

Lightweight CLI packet analyser built into every Unix/Linux system. No GUI — pure terminal power. Essential for remote capture when Wireshark isn't available, and for quick on-box triage.

CLI · Packet Capture · Remote
COMMON USAGE
  • tcpdump -i eth0 -w output.pcap
  • tcpdump -nn -i eth0 host 10.0.1.5
  • tcpdump port 443 -A -s0
PRTG Network Monitor · Freemium

Comprehensive infrastructure monitoring covering servers, VMs, networks, and IoT devices. Free up to 100 sensors. Supports SNMP, WMI, REST, packet sniffer, and custom scripts.

Infrastructure Monitoring · SNMP/WMI · Dashboards
KEY FEATURES
  • Auto-discovery of network devices via SNMP
  • Custom sensors: PowerShell, Python, EXE
  • Alerting: email, SMS, push, webhooks
Masscan · OSS

Scans the entire internet in under 6 minutes. Asynchronous transmission — up to 10M packets/sec. Use for large-scale asset discovery, attack surface mapping, and finding exposed services at scale.

Mass Scanning · Asset Discovery · High Speed
USAGE
  • masscan -p80,443,8080 10.0.0.0/8 --rate=10000
  • masscan -p0-65535 192.168.1.0/24 -oJ out.json
pfSense / OPNsense · OSS

Open-source firewall/router platform based on FreeBSD. Full stateful firewall, VPN (OpenVPN/WireGuard/IPsec), IDS/IPS via Suricata plugin, traffic shaping, and VLAN segmentation. Used in home labs to enterprise networks.

Firewall · VPN · VLAN · IDS Plugin
KEY CAPABILITIES
  • Stateful packet filtering + NAT rules
  • OpenVPN / WireGuard / IPsec tunnels
  • Suricata IDS/IPS package integration
NetworkMiner · Freemium

Passive network forensic analysis tool. Reconstructs files, images, emails, and credentials from pcap files. Excellent for CTF challenges and incident response pcap analysis. GUI-based.

PCAP Analysis · File Reconstruction · Credential Extraction
KEY FEATURES
  • Extracts files/images from HTTP sessions
  • Reconstructs credentials from cleartext
  • OS fingerprinting from TCP/IP stack
ntopng · Freemium

High-speed web-based traffic analysis. Monitors network flows in real time with geo-location, protocol breakdown, and security alerts. Integrates with Suricata for IDS alerts overlay on traffic view.

Flow Analysis · Geo-location · Real-time
KEY FEATURES
  • ntopng -i eth0 -w 3000 # web UI port 3000
  • NetFlow/sFlow/IPFIX collector support
  • REST API for SIEM integration
🕷️ Application Security (11 tools)
Burp Suite · Freemium

The industry-standard web application security testing platform. Intercepts, modifies, and replays HTTP/S requests. Proxy, Scanner, Repeater, Intruder, Decoder — the complete web pentest toolkit. Community edition is free; Pro adds active scanner.

Web Proxy · Active Scanner · OWASP Top 10 · BApp Store
CORE MODULES
  • Proxy → intercept & modify live requests
  • Intruder → payload fuzzing (brute force, fuzzing)
  • Repeater → manual request manipulation
  • Scanner → automated vuln detection (Pro)
OWASP ZAP · OSS

OWASP's free web application scanner. Automated active/passive scanning, spider, fuzzer, and API testing. Excellent for CI/CD pipeline integration (headless mode). The free alternative to Burp Pro for automated scanning.

Web Scanner · CI/CD Integration · API Testing
AUTOMATION
  • zap-cli quick-scan --self-contained https://target.com
  • docker run -t owasp/zap2docker-stable zap-full-scan.py -t https://target.com
Checkmarx SAST · Commercial

Enterprise-grade Static Application Security Testing. Analyses source code for vulnerabilities without execution. Supports 25+ languages. Deep data-flow analysis finds SQLi, XSS, path traversal across complex codebases. Integrates with Azure DevOps, Jenkins, GitHub Actions.

SAST · Source Code · 25+ Languages · CI/CD
KEY CAPABILITIES
  • Data-flow analysis across function boundaries
  • OWASP Top 10 / SANS 25 coverage
  • IDE plugins: VS Code, IntelliJ, Eclipse
Veracode · Commercial

Cloud-based AppSec platform covering SAST, DAST, SCA (open-source), and manual penetration testing. Provides eLearning to fix found vulnerabilities. Widely used for compliance (FedRAMP, PCI-DSS). Policy-based gates in CI/CD pipelines.

SAST/DAST/SCA · Cloud-based · Compliance · FedRAMP
SCAN TYPES
  • Static (SAST) — binary + source upload
  • Dynamic (DAST) — authenticated web crawl
  • Software Composition Analysis (SCA)
sqlmap · OSS

Automatic SQL injection detection and exploitation tool. Supports all major databases (MySQL, Oracle, MSSQL, PostgreSQL). Can dump databases, crack hashes, read/write files, and execute OS commands via SQLi.

SQL Injection · DB Exploitation · Automated
COMMON FLAGS
  • sqlmap -u "http://site.com/?id=1" --dbs
  • sqlmap -u URL -D dbname -T users --dump
  • sqlmap --level=5 --risk=3 --tamper=space2comment
Snyk · Freemium

Developer-first security platform for finding and fixing vulnerabilities in open-source dependencies, containers, IaC, and code. Deep integration with GitHub/GitLab/Bitbucket. SCA leader — tracks CVEs in npm, PyPI, Maven, etc.

SCA · Containers · IaC · DevSecOps
CLI USAGE
  • snyk test # scan project dependencies
  • snyk container test nginx:latest
  • snyk iac test ./terraform/
Semgrep · Freemium

Fast, lightweight SAST with a simple rule syntax that matches code patterns. 3000+ community rules for finding security bugs in 30+ languages. Used in CI/CD pipelines for shift-left security. Rules as YAML — security teams write custom detections easily.

SAST · Pattern Matching · CI/CD · Custom Rules
USAGE
  • semgrep --config=auto ./src
  • semgrep --config=p/owasp-top-ten ./
  • semgrep --config=p/python-security ./
Nikto · OSS

Web server scanner detecting dangerous files, outdated software, server misconfigurations, and common vulnerabilities. Tests 6700+ items. Noisy — detected by IDS. Best used in authorised engagements for quick server hardening checks.

Web Scanner · Misconfigurations · Outdated Software
USAGE
  • nikto -h https://target.com -o report.txt
  • nikto -h target.com -port 8080,8443
Gobuster / ffuf · OSS

Fast web content discovery via wordlist-based directory/file fuzzing. Gobuster is Go-based and concurrent; ffuf is ultra-fast with advanced filtering. Find hidden paths, admin panels, backup files, and subdomains.

Directory Fuzzing · Content Discovery · Subdomain Enum
COMMANDS
  • gobuster dir -u http://target -w /usr/share/seclists/...
  • ffuf -u http://target/FUZZ -w wordlist.txt -fc 404
  • ffuf -u http://FUZZ.target.com -w subdomains.txt
SonarQube · Freemium

Continuous code quality and security analysis. Tracks security hotspots, bugs, vulnerabilities, and code smells across 30 languages. Community edition free. Gate builds on quality/security criteria. Used by 300K+ organisations globally.

SAST · Code Quality · Quality Gates · CI/CD
INTEGRATION
  • sonar-scanner -Dsonar.projectKey=myproject
  • GitHub Actions: SonarCloud action (free for OSS)
Acunetix (Invicti) · Commercial

Automated web vulnerability scanner with deep-crawl engine. Finds SQLi, XSS, XXE, SSRF, misconfigurations in web apps and APIs. Proof-based scanning verifies exploitability. Integrates with Jira, GitHub, and CI/CD pipelines.

DAST · Deep Crawl · Proof-based · API Scanning
KEY FEATURES
  • AcuSensor (IAST) agent for deeper coverage
  • OpenAPI/Swagger/WSDL API auto-discovery
  • Compliance reports: PCI-DSS, HIPAA, ISO27001
☁️ Cloud Security (10 tools)
Prisma Cloud · Commercial

Palo Alto's CNAPP (Cloud Native Application Protection Platform). Combines CSPM, CWPP, CIEM, DSPM and container/Kubernetes security. Covers AWS, Azure, GCP. Real-time compliance posture against CIS Benchmarks, SOC2, PCI-DSS.

CSPM · CNAPP · CIEM · Multi-Cloud
KEY MODULES
  • Cloud Security Posture Management (CSPM)
  • Cloud Workload Protection (CWPP) — runtime
  • CIEM — Identity entitlement management
AWS Security Hub · Commercial

Centralised AWS security findings aggregator. Consolidates alerts from GuardDuty, Inspector, Macie, IAM Access Analyzer, and third-party tools. Automated compliance checks against CIS AWS Foundations, PCI-DSS, and NIST.

AWS Native · Findings Aggregation · Compliance
INTEGRATIONS
  • GuardDuty · Inspector · Macie · IAM Analyzer
  • aws securityhub get-findings --filters ...
  • EventBridge → Lambda auto-remediation
Microsoft Defender for Cloud · Freemium

Microsoft's CSPM and cloud workload protection for Azure, AWS, and GCP. Secure Score dashboard, threat protection for VMs/containers/databases/App Service. Defender for Servers includes Microsoft Defender for Endpoint integration.

CSPM · Multi-Cloud · Secure Score · CWPP
KEY FEATURES
  • Secure Score — posture benchmark 0-100%
  • Just-in-time VM access (reduces attack surface)
  • Defender CSPM (free tier) covers basic posture
Lacework · Commercial

Polygraph-based anomaly detection for cloud environments. Builds behavioural baselines and alerts on deviations — accounts, processes, file changes, network connections. Excellent for detecting novel attacks that signature tools miss.

Anomaly Detection · Polygraph · CWPP · CSPM
KEY DIFFERENTIATORS
  • Polygraph: maps normal behaviour automatically
  • No rules to write — ML-based baselining
  • Composite alerts reduce alert fatigue
Prowler · OSS

Open-source cloud security auditing tool supporting AWS, Azure, and GCP. Runs 400+ security checks against CIS Benchmarks, NIST, GDPR, HIPAA, PCI-DSS. CLI-based — ideal for quick posture assessment or CI/CD integration.

Multi-Cloud Audit · CIS Benchmarks · CLI · OSS
COMMANDS
  • prowler aws --compliance cis_level2_aws_2.0.0
  • prowler azure --az-cli-auth -M html
  • prowler gcp --project-id myproject
Trivy · OSS

Aqua Security's comprehensive vulnerability scanner for containers, Kubernetes, IaC (Terraform/CloudFormation/Helm), filesystems, and git repositories. The go-to shift-left tool for container security in CI/CD pipelines.

Container Scanning · IaC · Kubernetes · CI/CD
SCAN TARGETS
  • trivy image nginx:latest
  • trivy fs --scanners vuln,secret,misconfig ./
  • trivy k8s --report=summary cluster
Falco · OSS

CNCF runtime security engine for containers and Kubernetes. Detects anomalous behaviour in real time using kernel syscall tracing (eBPF). Rules detect shell spawned in container, privilege escalation, sensitive file reads, crypto mining, and more.

Runtime Security · Kubernetes · eBPF · Real-time
DETECTION RULES
  • Terminal shell in container → alert
  • Write to /etc in running container → alert
  • Outbound connection to non-allowed IP → alert
ScoutSuite · OSS

Multi-cloud security auditing tool by NCC Group. Collects configuration data across AWS/Azure/GCP/OCI/Alibaba and presents a risk-scored HTML report with findings grouped by service and severity.

Multi-Cloud · Audit · HTML Report · OSS
USAGE
  • python scout.py aws --report-dir ./report
  • python scout.py azure --tenant-id <id>
  • python scout.py gcp --project <project>
AWS GuardDuty · Commercial

AWS-native threat detection service. Analyses CloudTrail, VPC Flow Logs, DNS logs, and EKS audit logs using ML and threat intel. Detects crypto mining, credential compromise, C2 traffic, unusual API calls, and data exfiltration patterns.

AWS Native · ML Detection · Threat Intel · No Agent
FINDING TYPES
  • UnauthorizedAccess:EC2/SSHBruteForce
  • Backdoor:EC2/C&CActivity.B!DNS
  • Exfiltration:S3/MaliciousIPCaller.Custom
Checkov · OSS

Infrastructure-as-Code (IaC) static analysis tool. Scans Terraform, CloudFormation, Kubernetes YAML, ARM templates, Dockerfile, and Helm charts for security misconfigurations before deployment. 2000+ built-in checks.

IaC Security · Terraform · Kubernetes · Shift-Left
SCANNING
  • checkov -d ./terraform --output json
  • checkov -f kubernetes-deployment.yaml
  • checkov --framework dockerfile -f Dockerfile
🚨 Incident Response (8 tools)
TheHive · OSS

Open-source Security Incident Response Platform (SIRP). Case management, task assignment, observables tracking, and timeline reconstruction. Integrates with MISP for threat intelligence and Cortex for automated analysis. GDPR-compliant evidence handling.

Case Management · SIRP · SOC · Timeline
CAPABILITIES
  • Cases → Tasks → Observables → Reports
  • MISP integration: import IoCs as observables
  • Cortex: automated enrichment (VirusTotal, etc.)
SANS SIFT Workstation · Free

SANS Institute's free DFIR workstation — an Ubuntu VM pre-loaded with 200+ forensic tools. Volatility, Autopsy, Plaso, log2timeline, bulk_extractor, Rekall, and more. The standard reference environment for digital forensics and incident response.

DFIR Distro · Pre-loaded Tools · Ubuntu VM
INCLUDED TOOLS
  • Volatility 3 · Plaso · log2timeline
  • Autopsy · Sleuth Kit · bulk_extractor
  • RegRipper · EVTXtract · Chainsaw
MISP · OSS

Malware Information Sharing Platform — the open standard for threat intelligence sharing. Stores, correlates, and distributes IoCs (IPs, domains, hashes, CVEs). Syncs with global threat intel communities. Integrates with TheHive, Splunk, and SIEM tools.

Threat Intel · IoC Sharing · STIX/TAXII · Communities
INTEGRATIONS
  • STIX 2.0 / TAXII 2.x support
  • REST API: push/pull IoC feeds
  • PyMISP: Python library for automation
Xplico · OSS

Network forensics analysis tool that reconstructs application data (emails, HTTP sessions, VoIP calls, FTP transfers) from pcap files. Web-based GUI. Useful for reconstructing what happened during an incident from network captures.

Network Forensics · PCAP Reconstruction · Email/VoIP
RECONSTRUCTS
  • HTTP sessions (URLs, cookies, POST data)
  • Emails from SMTP/IMAP/POP3 streams
  • VoIP calls from RTP streams → audio files
Velociraptor · OSS

Advanced digital forensics and incident response platform. Deploys agents to endpoints for live forensics, threat hunting, and evidence collection at scale. Uses VQL (Velociraptor Query Language) for custom hunts. Rapidly triage thousands of endpoints simultaneously.

Live Forensics · EDR · Threat Hunting · Scale
VQL EXAMPLES
  • SELECT * FROM pslist() WHERE Exe =~ "suspicious"
  • SELECT * FROM yara_scan_proc() WHERE Rule
  • Hunt: collect artifacts from 10,000 endpoints
Cortex XSOAR · Commercial

Palo Alto's SOAR platform — automates incident response via playbooks. 900+ integrations with SIEM, EDR, ticketing, and threat intel tools. Warroom collaboration, automated triage, and case management. Reduces MTTR from hours to minutes.

SOAR · Playbooks · Automation · 900+ Integrations
AUTOMATION EXAMPLES
  • Phishing triage: extract IoCs → check VT → block
  • Alert enrichment: IP/domain → geo/ASN/reputation
  • Automated containment via EDR playbook
CyberChef · Free

GCHQ's "cyber Swiss Army knife" — browser-based tool for encoding/decoding, encryption, compression, data analysis, and format conversion. 400+ operations chainable via drag-and-drop. Essential for malware analysis and CTF challenges.

Encoding/Decoding · Data Analysis · Browser-based · CTF
OPERATIONS
  • Base64 Decode → Gunzip → Extract URLs
  • From Hex → XOR (key) → From Base64
  • Magic: auto-detect and decode unknown data
Plaso / log2timeline · OSS

Creates forensic super-timelines from disk images, filesystem artefacts, browser history, registry hives, event logs, and more. Produces a single CSV timeline of all artefact timestamps for incident reconstruction. Used in SANS FOR508.

Super-timeline · Disk Forensics · Event Logs · Registry
WORKFLOW
  • log2timeline.py --storage-file out.plaso image.dd
  • psort.py -o l2tcsv out.plaso > timeline.csv
  • pinfo.py out.plaso # storage stats
🖥️ SIEM / SOC Platforms (7 tools)
Splunk Enterprise / SIEM · Commercial

The market-leading SIEM and log analytics platform. Indexes machine data at scale, enables ad-hoc search with SPL (Search Processing Language), and builds dashboards, alerts, and correlation rules. Splunk ES adds security analytics on top.

SIEM · SPL · Dashboards · Correlation Rules
SPL EXAMPLES
  • index=windows EventCode=4625 | stats count by src_ip
  • index=proxy | rex "(?P<domain>[^/]+)" | rare domain
  • | tstats summariesonly=t count WHERE index=* BY _time
Microsoft Sentinel · Commercial

Cloud-native SIEM/SOAR on Azure. Uses KQL (Kusto Query Language) for analytics, built-in threat intelligence, UEBA, and automated playbooks via Azure Logic Apps. Pay-per-GB ingestion. 150+ connectors for Microsoft and third-party sources.

Cloud SIEM · KQL · SOAR · UEBA
KQL EXAMPLES
  • SecurityEvent | where EventID == 4625 | summarize count() by Account
  • SigninLogs | where ResultType == "50126"
  • ThreatIntelligenceIndicator | where Active == true
Elastic Security (ELK SIEM) · Freemium

SIEM built on the Elastic Stack (Elasticsearch + Kibana). Free tier includes detection engine with MITRE ATT&CK-mapped prebuilt rules, timeline investigation, and case management. EQL (Event Query Language) for complex behavioural detections.

ELK Stack · EQL · ATT&CK Rules · Self-hosted
EQL DETECTION
  • sequence by pid [process where name=="cmd.exe"] [network where true]
  • any where file.path : "C:\\Temp\\*.exe"
Wazuh · OSS

Open-source XDR and SIEM. Combines HIDS (host intrusion detection), log analysis, vulnerability detection, file integrity monitoring, and compliance (PCI-DSS, HIPAA, GDPR). Free alternative to commercial SIEMs for smaller organisations.

OSS SIEM · XDR · HIDS · FIM · Compliance
CAPABILITIES
  • File Integrity Monitoring on critical paths
  • Rootkit detection · vulnerability scanner
  • Active response: auto-block on brute-force
Security Onion · OSS

Free open-source Linux distro bundling Suricata IDS, Zeek NSM, Elastic SIEM, TheHive, Fleet (osquery), and Kibana dashboards. Deploys as a full SOC platform. Used in university cybersecurity labs and SMB security teams worldwide.

SOC Platform · All-in-One · Linux Distro · IDS+NSM+SIEM
BUNDLED STACK
  • Suricata IDS + Zeek NSM + osquery
  • Elasticsearch + Kibana + TheHive
  • so-allow / so-status management CLI
IBM QRadar SIEM · Commercial

Enterprise SIEM with network flow analytics, log management, and behavioural analytics. Uses "Offenses" for prioritised incident management. Deep integration with IBM X-Force threat intelligence. QRadar SOAR adds automated playbooks.

Enterprise SIEM · Offenses · X-Force TI · Network Flow
KEY CONCEPTS
  • Offenses = prioritised correlated incidents
  • AQL (Ariel Query Language) for custom searches
  • DSM Editor: custom log source parsing
Graylog · Freemium

Centralised log management with security analytics. Open-source core with commercial Operations tier. GELF format, pipeline processing rules, streams for real-time log routing. Lighter alternative to ELK for mid-size organisations.

Log Management · GELF · Streams · Pipelines
QUERIES
  • source:firewall AND action:DENY
  • http_response_code:500 AND _exists_:user
  • Pipeline rule: parse CEF syslog → structured fields
🌐 Threat Intelligence (6 tools)
OpenCTI · OSS

Open-source Cyber Threat Intelligence platform using STIX 2.1 data model. Manages threat actors, campaigns, malware, indicators, TTPs, and relationships. Graph-based knowledge management. Integrates with MISP, TheHive, and SIEMs via connectors.

CTI Platform · STIX 2.1 · Knowledge Graph · ATT&CK
CAPABILITIES
  • Entity types: Threat Actor, Campaign, Malware, IoC
  • Connectors: MISP, VirusTotal, AlienVault OTX
  • TAXII server: share intel with partners
Maltego · Freemium

OSINT and link analysis platform. Visually maps relationships between people, organisations, domains, IPs, emails, and social media via automated "transforms". Used for threat actor attribution, attack surface mapping, and fraud investigations.

OSINT · Link Analysis · Graph · Attribution
TRANSFORMS
  • Domain → IP → ASN → related domains
  • Email → leaked passwords → related accounts
  • Person → LinkedIn → employer → infrastructure
Shodan · Freemium

Search engine for internet-connected devices. Indexes banners from servers, cameras, industrial control systems, and IoT devices worldwide. Essential for attack surface management, finding exposed services, and threat actor infrastructure tracking.

Attack SurfaceIoT DiscoveryOSINTMonitoring
SEARCH QUERIES
org:"Acme Corp" port:22 country:US product:"Hikvision IP Camera" vuln:CVE-2021-36260 shodan domain example.com # CLI
YARA · OSS

The pattern-matching tool for malware researchers. Write rules describing malware families by strings, byte patterns, or conditions. Scan files, memory, and processes. Used by every major threat intel team and AV vendor to detect and classify malware.

Malware Detection · Pattern Rules · Memory Scanning
RULE SYNTAX
rule Ransomware { strings: $a = "YOUR FILES" condition: $a }
yara -r rules.yar /path/to/scan # recursive file scan
yara rules.yar <pid> # scan a running process by PID
VirusTotal · Freemium

Multi-AV scanner aggregating 70+ AV engine results for files, URLs, domains, and IPs. Community comments, behavioural analysis (sandbox), and relationship graphs between samples. Essential first-check for any suspicious file or indicator.

Multi-AV · Hash Lookup · URL/IP Reputation · Sandbox
API USAGE
curl -X POST "https://www.virustotal.com/api/v3/files" -H "x-apikey: <API_KEY>" -F "file=@sample.bin"
vt file <sha256> # CLI lookup
VT Graph: visualise relationships between IoCs
Sigma Rules · OSS

Generic SIEM detection rule format — write rules once, convert to Splunk SPL, KQL, EQL, QRadar AQL, etc. 3000+ community rules on GitHub covering MITRE ATT&CK TTPs. The Snort/YARA equivalent for log-based detection.

Detection Rules · SIEM-agnostic · ATT&CK Mapped · Community
CONVERSION
sigma convert -t splunk rule.yml
sigma convert -t microsoft365defender rule.yml
sigma convert -t elasticsearch-eql rule.yml
🔬 Forensics & Malware Analysis · FORENSICS · 6 tools
Volatility 3 · OSS

The leading memory forensics framework. Analyses RAM dumps from Windows, Linux, and macOS. Extracts processes, network connections, DLL injection evidence, registry hives, and passwords from memory. Critical for malware analysis and incident response.

Memory Forensics · RAM Analysis · Malware · Multi-OS
CORE PLUGINS
vol -f mem.raw windows.pslist # process list
vol -f mem.raw windows.malfind # injected code
vol -f mem.raw windows.netscan # network conns
vol -f mem.raw windows.hashdump # NTLM hashes
Autopsy · Free

GUI frontend for The Sleuth Kit disk forensics framework. Analyses disk images, filesystem artefacts, browser history, email, registry, and deleted files. Extensible with plugins. The go-to free forensic tool for Windows disk analysis in law enforcement and DFIR.

Disk Forensics · GUI · Browser History · Registry
MODULES
File System Analysis — MFT, deleted files
Keyword Search — across entire image
Timeline — all filesystem events chronologically
Ghidra · Free (NSA)

NSA's open-source reverse engineering suite. Disassembles, decompiles, and analyses binary code across x86, ARM, MIPS, and 50+ architectures. Script-extensible with Java/Python. The free alternative to IDA Pro — used by malware analysts worldwide.

Reverse Engineering · Decompiler · Multi-arch · Scripting
KEY FEATURES
Decompiler: ASM → pseudo-C code
GhidraScript: automate analysis with Python
Collaboration: shared project for team analysis
PEStudio · Freemium

First-look malware analysis tool for Windows executables. Displays imports, exports, strings, entropy, VirusTotal results, and indicators of compromise — all statically without executing the file. Gold standard for initial malware triage.

PE Analysis · Static Triage · IoC Extraction · VirusTotal
ANALYSIS AREAS
Imports: suspicious API calls (CreateRemoteThread)
Strings: embedded URLs, IPs, registry keys
Entropy: >7.0 = likely packed/encrypted
ANY.RUN · Freemium

Interactive online malware sandbox. Execute suspicious files/URLs in a real Windows VM and watch network activity, process tree, registry changes, and API calls in real time. Shareable reports. Free public submissions.

Dynamic Analysis · Interactive · Network Analysis · Cloud Sandbox
ANALYSIS OUTPUT
Process tree with injections highlighted
Network: DNS, HTTP, HTTPS, DNS-over-HTTPS
MITRE ATT&CK techniques auto-mapped
Binwalk · OSS

Firmware analysis and extraction tool. Identifies embedded file systems, compression formats, and executable code inside binary blobs. Essential for IoT/embedded device security research — extract squashfs, jffs2, and other filesystems from firmware images.

Firmware Analysis · IoT Security · File Extraction · Embedded
COMMANDS
binwalk firmware.bin # identify signatures
binwalk -e firmware.bin # extract all
binwalk -A firmware.bin # find CPU arch
⚙️ OT / IoT / ICS Security · OT/IoT · 8 tools
Dragos Platform · Commercial

The leading ICS/OT threat detection and response platform. Understands industrial protocols (Modbus, DNP3, EtherNet/IP, BACnet, IEC 104). Identifies asset inventory, network segmentation gaps, and threat behaviour specific to ICS environments. Used in energy, water, manufacturing.

ICS Detection · OT Protocols · Asset Inventory · Threat Intel
CAPABILITIES
Protocol decoding: Modbus/DNP3/IEC104/BACnet
Activity Groups: named ICS threat actor tracking
WorldView: ICS-specific threat intelligence feed
Claroty · Commercial

Extended IoT (XIoT) security platform covering OT, IoT, IoMT (medical devices), and IT/OT convergence. Passive discovery of all connected assets, vulnerability management, network segmentation policy, and anomaly detection without disrupting operations.

XIoT · Asset Visibility · IoMT · Passive Discovery
KEY FEATURES
Passive OT protocol dissection (no traffic injection)
CVE mapping to discovered OT asset versions
Segmentation assessment: IT/OT firewall gap analysis
Nozomi Networks · Commercial

OT and IoT security and visibility platform. Guardian sensor provides passive network monitoring of industrial and IoT environments. AI-powered anomaly detection learns normal OT behaviour. Vantage cloud management provides enterprise-wide OT visibility.

OT/IoT Visibility · AI Anomaly · Guardian Sensor · SCADA
KEY FEATURES
AI baseline: learns normal Modbus setpoint ranges
Remote access monitoring: Purdue Model visibility
Threat intel: industrial malware IoC integration
Greenbone / OpenVAS · Freemium

Full-featured vulnerability scanner — the open-source alternative to Nessus. Daily updated NVT (Network Vulnerability Tests) feed covering 80,000+ CVEs. Scans network devices, servers, and OT equipment. Greenbone Community Edition is free; Enterprise adds compliance reports.

Vulnerability Scanner · CVE Mapping · Network · OT/ICS
USAGE
docker run -d -p 9392:9392 greenbone/community-edition
GVM CLI: gvm-cli socket --gmp-username admin
80,000+ NVTs updated daily from Greenbone feed
Tenable OT Security · Commercial

Converged IT/OT vulnerability management. Passively discovers all OT assets and maps CVEs to specific firmware versions. Integrates with Tenable.sc for unified IT+OT risk view. Detects Modbus/DNP3 anomalies and known ICS attack patterns.

OT Vuln Mgmt · IT/OT Convergence · Asset Discovery · ICS Protocols
KEY FEATURES
Passive asset discovery — no scanning impact on OT
CVE mapping to PLC firmware versions
Unified risk score: IT + OT assets in one dashboard
Firmwalker · OSS

Post-binwalk firmware filesystem analysis script. Hunts extracted firmware for hardcoded passwords, private keys, SSL certificates, email addresses, IP addresses, and common IoT backdoor patterns. Fast automated triage of IoT firmware security.

Firmware Triage · Hardcoded Creds · IoT · Secrets Hunt
USAGE
./firmwalker.sh /extracted/firmware/
Hunts: /etc/passwd · /etc/shadow · *.pem · *.key
Finds: hardcoded IPs, telnet/SSH backdoors
Armis · Commercial

Agentless IoT/OT device security platform. Discovers and classifies every connected device (managed, unmanaged, IoT, OT, IoMT) without requiring agents or network changes. 500M+ device behaviour profiles for anomaly detection. Used in healthcare, manufacturing, and enterprise.

IoT Visibility · Agentless · Device Behaviour · IoMT
KEY FEATURES
Passive device discovery — no agents required
500M+ device knowledge base for classification
Automated quarantine via NAC integration
PLCScan / Redpoint · OSS

Nmap NSE scripts and standalone tools for scanning ICS/SCADA devices. Redpoint identifies Modbus, BACnet, EtherNet/IP, DNP3, and Siemens S7 devices. PLCScan identifies specific PLC models and firmware. Essential for ICS penetration testing and asset discovery.

ICS Scanning · PLC Discovery · Modbus/BACnet · Nmap NSE
COMMANDS
nmap --script modbus-discover -p 502 target
nmap --script bacnet-info -p 47808 -sU target
nmap --script s7-info -p 102 target # Siemens S7