Former Navy Hospital Corpsman turned cybersecurity practitioner, with real-world combat experience. I bring military discipline, high-pressure decision-making skills, and a systematic approach to threat detection and incident response.
Purple Team & SOC Focus — building both offensive and defensive capabilities
Operating a 22+ VM home lab for attack simulation and detection engineering
Pursuing PSAA → PSAP → Security+ → CCDL1 → PAPA → PJPT → PNPT certification path
TryHackMe Top 1% - 270+ rooms completed (Inactive)
Actively seeking SOC Analyst & Purple Team roles
- Penetration Testing & Security Research
- Red team operations & exploitation
- Active Directory & Windows exploitation
- Network security & privilege escalation
- Threat detection & incident response
- SIEM analysis & log correlation
- Threat hunting & malware analysis
- Security monitoring & alerting
All 19 tools are part of Nebula Forge — an open-source SOC platform covering the full workflow: Detect → Normalize → Hunt → Drift → Cluster → Simulate → Investigate → Respond → Report. The 9 tools of the Detection Suite v2 run as a fully containerized stack — a single docker compose up -d starts all services with a shared Postgres backend. The dashboard (port 5010) provides live status, one-click launches, and pipeline monitoring across all 19 tools in the org.
Nebula Forge includes two automated pipelines:
- Drift-scan — scheduled Sigma rule drift analysis across your detection library
- Purple-loop — end-to-end purple team cycle: discover (VulnForge) → simulate (AtomicLoop) → detect (Wazuh/Splunk) → validate (DriftWatch) → hunt (HuntForge); pipeline validated end-to-end April 2026
| Tool | Description |
|---|---|
| SigmaForge | Vendor-agnostic Sigma rule generator — Splunk SPL, Elastic KQL/EQL, Sentinel KQL, Wazuh XML, QRadar AQL, Detection-as-Code JSON |
| YaraForge | YARA rule generator with ATT&CK mapping and detection dashboard |
| SnortForge | Snort 2/3 rule generator with multi-content chaining, performance scoring, and 12 detection templates |
| Azure-SOC-mini-lab | Azure cloud detection lab — 12 ATT&CK-mapped simulations, KQL detections, Sentinel playbooks |
| AWS-SOC-lab | AWS cloud detection lab — CloudTrail detections, IAM/S3/EC2 attack simulations, GuardDuty integration |
YaraForge - YARA Rule Generator & Testing Platform
Build, manage, test, and visualize YARA detection rules with MITRE ATT&CK mapping and a detection dashboard.
Python Flask YARA MITRE ATT&CK Detection Engineering
SnortForge - Snort IDS/IPS Rule Generator — Flask web app with multi-content chaining, Snort 2/3 syntax toggle, rule performance scoring, 12 detection templates, inline help tooltips, PCRE flag checkboxes, HTTP URI/Header matching, rule validation, and .rules file import/export. Dark-themed UI with real-time live preview. v1.2.0.
Python Flask Snort IDS/IPS Network Security
SigmaForge — Vendor-Agnostic Sigma Rule Generator
Custom conversion engine (no pySigma dependency) that generates Sigma rules and converts them to 6 SIEM backends: Splunk SPL, Elastic KQL, EQL, Sentinel KQL, Wazuh XML, and QRadar AQL — plus Detection-as-Code JSON. MITRE ATT&CK mapping, 12 pre-built templates, rule library, and standalone CLI.
Python Flask Sigma SIEM Detection Engineering CLI
Azure-SOC-mini-lab — Azure Cloud Detection Lab
KQL detections, attack simulations (12 MITRE ATT&CK techniques mapped), and IR documentation for the Azure control plane — identity, compute, and key vault planes. Built on Microsoft Sentinel / Log Analytics with anomaly-based detection, synthetic log samples, and an automated NSG response playbook.
Azure KQL Microsoft Sentinel MITRE ATT&CK Detection Engineering Cloud Security
AWS-SOC-lab — AWS Cloud Detection Lab
CloudTrail-based detections in CloudWatch Logs Insights and Athena SQL, attack simulations for IAM privilege escalation, credential exfiltration, S3 enumeration and public exposure, CloudTrail disable, and EC2 post-exploitation via SSM RunCommand — with GuardDuty finding integration, 5 IR reports, and a Lambda auto-response playbook. AWS companion to Azure-SOC-mini-lab.
AWS CloudTrail GuardDuty CloudWatch Logs Insights Athena MITRE ATT&CK Detection Engineering Cloud Security
| Tool | Port | Description |
|---|---|---|
| LogNorm | 5006 | ECS-lite log normalizer for disparate SIEM sources |
| HuntForge | 5007 | ATT&CK-mapped threat hunt playbook generator |
| DriftWatch | 5008 | Sigma rule drift analyzer — feeds the drift-scan pipeline |
| ClusterIQ | 5009 | Behavioral alert clustering engine for SOC triage noise reduction |
| AtomicLoop | 5011 | Atomic Red Team runner — feeds the purple-loop pipeline |
| VulnForge | 5012 | Exploit intel aggregator → ATT&CK mapping → pipeline trigger |
| WifiForge | 5013 | 802.11 threat detector with deauth/rogue AP detection → LogNorm export |
LogNorm - Log Source Normalizer (port 5006)
Normalizes log sources from disparate inputs into a consistent ECS-lite schema for downstream detection and analysis pipelines.
Python Flask Log Normalization ECS SIEM
HuntForge - MITRE ATT&CK Hunt Playbook Generator (port 5007)
Generates structured threat hunting playbooks mapped to MITRE ATT&CK techniques, providing analyst-ready queries and investigation checklists.
Python Flask MITRE ATT&CK Threat Hunting Detection Engineering
DriftWatch - Sigma Rule Drift Analyzer (port 5008)
Analyzes Sigma rule libraries for drift — identifying stale, misconfigured, or coverage-gapped rules over time. Feeds the drift-scan pipeline.
Python Flask Sigma Detection Engineering Rule Management
ClusterIQ - Contextual Alert Clustering Engine (port 5009)
Groups and contextualizes alerts using behavioral clustering to reduce noise and surface high-fidelity incident signals for SOC triage.
Python Flask Alert Clustering SOC Incident Response
AtomicLoop — Atomic Red Team Test Runner (port 5011)
Executes Atomic Red Team tests in controlled loops for purple team validation, feeding results into the purple-loop pipeline for detection coverage measurement. Dedicated purple loop target: Win10x2 (Wazuh agent 005, AtomicLoop-Test).
Python Flask Atomic Red Team Purple Team MITRE ATT&CK
VulnForge - Vulnerability & Exploit Intelligence Tool (port 5012)
Aggregates exploit intelligence from ExploitDB, NVD, and Metasploit, maps findings to MITRE ATT&CK techniques, and feeds results into the purple team pipeline — generating hunt playbooks, LogNorm-ready exports, and AtomicLoop simulation triggers from a single search.
Python Flask MITRE ATT&CK Vulnerability Intelligence Purple Team
WifiForge - Wireless Network Security Analyzer (port 5013)
Passively scans wireless networks, assesses security posture, detects deauth attacks and rogue configurations, maps findings to MITRE ATT&CK techniques, and exports results to the Nebula Forge LogNorm pipeline.
Python Flask Scapy Wireless Security MITRE ATT&CK
| Tool | Description |
|---|---|
| EndpointForge | Cross-platform HIDS — process, FIM, network, registry, autoruns with Wazuh NDJSON export |
| EndpointTriage | PowerShell IR artifact collector — processes, persistence, event logs, Sysmon, HTML report output |
EndpointForge - Cross-Platform Endpoint Security Monitor
Host-based intrusion detection and endpoint triage across 5 modules: process execution, file integrity (SHA-256 FIM), network connections, registry persistence (Windows), and autoruns — all MITRE ATT&CK mapped. Includes Wazuh export integration: POST /api/wazuh/export writes NDJSON picked up by the Wazuh agent using bundled decoder and rules (IDs 100200–100265) with ATT&CK technique tags — no manual log shipping. Markdown/JSON report generation for IR workflows.
Python Flask MITRE ATT&CK HIDS Endpoint Security Wazuh
EndpointTriage - Windows Endpoint Forensic Artifact Collector
Automated PowerShell-based IR triage script that collects volatile and non-volatile forensic artifacts — running processes with hashes, network connections, registry persistence checks, scheduled tasks, event log extraction (Security, Sysmon, PowerShell, Defender), named pipe enumeration, and suspicious indicator flagging. Outputs a structured triage package with HTML summary report.
PowerShell Incident Response Forensics DFIR Endpoint Security
| Tool | Description |
|---|---|
| Log-Analyzer | SOC-focused log analysis with pattern matching and anomaly detection |
| Phishing-Analyzer | Email header and content analysis for phishing campaign identification |
| SIREN | NIST 800-61 incident report generator with severity scoring, IOC tracking, and timeline management |
| Threat-Intel-Dashboard | Real-time IOC tracking, feed aggregation, and visual analytics |
| Security-Awareness-Training | Phishing simulation and training platform |
Log-Analyzer - Security Log Analyzer
Python-based log analysis tool designed for SOC analysts with pattern matching and anomaly detection.
Python Flask SIEM Log Analysis SOC
Phishing-Analyzer - Phishing Email Analyzer
Email header and content analysis tool for identifying phishing campaigns and malicious indicators.
Python Email Security Phishing Detection Blue Team
Security-Awareness-Training - Security Awareness Platform
Enterprise-style platform with phishing simulations, training modules, and progress tracking.
Python Flask Security Training Phishing Simulation
| Tool | Description |
|---|---|
| Threat-Intel-Dashboard | Real-time IOC tracking, feed aggregation, and visual analytics for SOC operations |
Threat-Intel-Dashboard - Threat Intelligence Dashboard
Real-time threat intelligence platform with IOC tracking, feed aggregation, and visual analytics for SOC operations.
HTML JavaScript Threat Intelligence OSINT SOC
| Tool | Description |
|---|---|
| SIREN | NIST 800-61 incident report generator with severity scoring, IOC tracking, and timeline management |
SIREN - Security Incident Response Engine & Notation
Professional incident report generator following NIST 800-61 framework with severity scoring, IOC tracking, timeline management, and Markdown/JSON export.
Python Flask NIST 800-61 Incident Response SOC
| Tool | Description |
|---|---|
| Hidden-Rogue-AP-Detector | Rogue AP detection via RSSI analysis with whitelist management |
| Wi-Fi-Probe-Request-Sniffer | 802.11 probe request capture with MAC vendor ID and CSV/JSON export |
Hidden-Rogue-AP-Detector - Rogue Access Point Detector
Python-based wireless security tool for detecting unauthorized access points using RSSI signal strength analysis, whitelist management, and active/passive scanning modes.
Python Scapy Wireless Security Network Monitoring Rogue AP Detection
Wi-Fi-Probe-Request-Sniffer - Wi-Fi Probe Request Analyzer
Captures and analyzes wireless probe requests from nearby devices with SSID extraction, MAC vendor identification, and CSV/JSON export for network visibility and device enumeration.
Python Scapy 802.11 Network Security Device Enumeration
| Tool | Description |
|---|---|
| SMB-RDP-Exploitation-Scanner | SMB/RDP vulnerability scanner — EternalBlue, SMBGhost, BlueKeep, credential brute force |
| Network-Security-Toolkit | PathFinder (attack path mapping) + PathGuard (defensive hardening) on shared NetworkMapper core |
SMB-RDP-Exploitation-Scanner — SMB & RDP Vulnerability Scanner
Python-based exploitation scanner for authorized penetration testing. Detects and validates SMB vulnerabilities (EternalBlue MS17-010, SMBGhost CVE-2020-0796, null session enumeration) and RDP vulnerabilities (BlueKeep CVE-2019-0708) with credential brute forcing, multi-format reporting (JSON/CSV/TXT), and threaded subnet scanning. Designed for Kali Linux.
Python Penetration Testing SMB RDP Network Security Vulnerability Assessment
Network-Security-Toolkit — PathFinder & PathGuard
Unified red/blue team network security toolkit built on a shared core library (NetworkMapper). PathFinder maps attack paths, lateral movement routes, and exfiltration channels with Shodan integration and MITRE ATT&CK coverage. PathGuard provides defensive choke point analysis, CIS/NIST-mapped hardening recommendations, baseline change detection, and a prioritized remediation roadmap.
Python Red Team Blue Team Network Security MITRE ATT&CK Shodan PathFinder PathGuard
- Nebula Forge Detection Suite v2 — 9 tools containerized and live (LogNorm, HuntForge, DriftWatch, ClusterIQ, AtomicLoop, VulnForge, WifiForge + dashboard + Postgres) — single docker compose up -d
- Purple team automation pipelines: drift-scan and purple-loop validated end-to-end April 2026
- PSAP 2026 — SOC analyst and detection engineering roles, Tampa Bay market
- Expanding Wazuh SIEM detections and Splunk correlation rules
In Progress:
- 🔹 PSAA (Practical Junior Security Awareness Analyst) - 2026*
- 🔹 PSAP (Practical SOC Analyst Professional) - Scheduled Q4 2026
Certification Roadmap: PSAA → PSAP → Sec+ → CCDL1 → PAPA → PJPT + PNPT
22+ VM Purple Team Lab:
- Active Directory lab (attack & defense)
- Snort IDS/IPS network monitoring
- Web vulnerability testing environment
- Malware analysis sandbox
- WiFi penetration testing lab
- Flipper Zero / Pwnagotchi
- Wazuh SIEM with Sysmon integration & MITRE ATT&CK-mapped detections (5 agents: Windows, Linux)
- Splunk Free on Ubuntu for detection and hunt workflows
Breaking to Build. Defending to Endure.