Security researcher and blue team builder. I spend my time breaking things to understand how to defend them — HackTheBox, TryHackMe, bug bounty, and a growing set of tools I've built for real-world use.
CompTIA Security+ | CompTIA A+ | Active on HackTheBox & TryHackMe

| Repo | What it does |
|---|---|
| SigmaForge | Sigma rule writer, validator, and converter — pySigma-powered CLI that translates portable detection rules to Splunk SPL and Elastic Lucene |
| LogHound | CLI log anomaly detector — finds brute force, privilege escalation, and scanner behavior in auth and web server logs (every detection mapped to MITRE ATT&CK) |
| NetSentinel | Real-time network monitor using Scapy — detects ARP spoofing, port scans, DNS hijacking, ICMP floods, and DNS tunneling |
| HoneyNet | Modular honeypot framework — SSH, HTTP, and FTP decoys with centralized logging and coordinated scan detection |
| ThreatPulse | Threat intel aggregator — CLI IOC lookup + web dashboard across URLhaus, MalwareBazaar, Feodo Tracker, and OTX |
| pihole-lab | Pi-hole + unbound deployment with a DNS-layer detection toolkit (DoH/DoT bypass, canary domains, DGA scoring, Suricata correlation) and Prometheus/Grafana/Loki observability |

| Repo | What it does |
|---|---|
| WebAudit | Web app security scanner — checks headers, exposed files, SSL, cookies, XSS reflection, generates HTML reports |
| SubScope | Subdomain enumeration — DNS brute force + cert transparency + HTTP probing + takeover detection |

| Repo | What it does |
|---|---|
| MalDoc Scanner | Static analyzer for malicious Office docs and PDFs — extracts VBA macros and PDF actions, scores 34 indicators (auto-execute, shell exec, downloaders, process injection, persistence, /Launch, /EmbeddedFile) |
| PhishKit Analyzer | Static analyzer for suspected phishing pages — detects credential forms, kit fingerprints (16shop, Telegram/Discord exfil), brand impersonation, hidden iframes, and embedded IOCs |
| vault-scan | Secret scanner for git repositories — ~30 vendor-specific patterns + entropy detection, JSON output, CI-friendly exit codes |
| darkdump_crawl | Paste & leak extractor — pulls credentials, emails, API keys, crypto wallets, and IOCs from paste dumps |
| Cybersecurity-projects | Collection of smaller tools: password strength + breach checker (HIBP), web metadata scraper, ESP32 evil twin demo |

| Repo | What it does |
|---|---|
| ADRecon-Lite | Lightweight Active Directory enumeration — finds AS-REP roastable, Kerberoastable, unconstrained / constrained / RBCD delegation, password-not-required accounts. Live LDAP + offline JSON modes |
| ContainerWatch | Docker runtime security monitor — alerts on privileged containers, sensitive host mounts, host networking, dangerous capabilities, and exposed Docker API. Audit + real-time monitor modes |

| Repo | What it does |
|---|---|
| job-scraper | LinkedIn job scraper with fake-job detection and cross-verification |

28+ writeups across TryHackMe and HackTheBox — solving challenges and documenting the process for anyone stuck on the same problem.
→ All writeups | TryHackMe | HackTheBox

Longer writeups and project breakdowns live on BobTheSkull.org.

If something I built is useful to you, star it. If something's broken, open an issue.