INDEPENDENT RESEARCH • EST. 2026

Attackers improve.
Defenders should too.

UMBRASEC is a new, independent research project focused on the defensive side of security - detection engineering, honest threat analysis, and open-source tooling that helps defenders spot real techniques in their own logs.

NEW & BUILDING IN THE OPEN
An independent, one-person research project.
Started 2026. No company, no clients, no track record to inflate - just published work you can check.
SCOPE
Defensive research only - detection, analysis, and mitigation. No offensive tooling, exploits, or malware published here.

How this project works.

Sourced, not asserted

Every technical claim links back to primary sources - vendor advisories, MITRE ATT&CK, CVE records, and reputable reporting. If it isn't cited, it isn't stated.

Defensive by scope

The work explains how attacks function so defenders can catch them - detection logic, log artifacts, mitigations. No weaponized exploits, jailbreak libraries, or malware ship from here.

Reproducible

Detections come as rules you can run, mapped to real event IDs and ATT&CK techniques, with false-positive and tuning notes - so you can verify them against your own environment.

On honesty: UMBRASEC is brand new. You won't find report counts, disclosure tallies, or claims of a long history on this site, because there isn't one yet. The reputation, if it comes, will come from work you can read and check.

Defensive tooling.

Small, useful, open-source tools for defenders - built in the open on GitHub. Honest status labels; nothing here claims to be more finished than it is.

kev-watch
WORKING

A zero-dependency Python monitor for the CISA Known Exploited Vulnerabilities (KEV) catalog. Tracks newly added, actively exploited CVEs and flags ones that match products you care about. Public data only.

View on GitHub →
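To make the KEV-monitoring idea concrete, here is an added illustrative implementation of the core loop (it is not kev-watch's own code): parse a KEV feed snapshot, diff it against the CVE ids already seen, and flag entries whose vendor or product hits a watchlist. It assumes the public KEV JSON shape (a top-level "vulnerabilities" list with cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the feed content below is constructed, with placeholder CVE ids and products.

```python
import json

# Constructed sample in the KEV feed shape; CVE ids, vendors and products are placeholders.
SAMPLE_FEED = json.dumps({"catalogVersion": "2026.01.01", "vulnerabilities": [
    {"cveID": "CVE-0000-10001", "vendorProject": "ExampleCorp", "product": "Example VPN Gateway",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-10002", "vendorProject": "OtherVendor", "product": "Other CMS",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-10003", "vendorProject": "ExampleCorp", "product": "Example Mail Server",
     "dateAdded": "2025-12-20", "dueDate": "2026-01-10", "knownRansomwareCampaignUse": "Unknown"},
]})


def parse_kev(text):
    """Return {cveID: entry} for a KEV feed document; tolerates a missing list."""
    return {v["cveID"]: v for v in json.loads(text).get("vulnerabilities", [])}


def new_entries(catalog, seen_ids):
    """Entries whose CVE id is not in the set stored from the previous run."""
    return [v for cve, v in catalog.items() if cve not in seen_ids]


def matches_watchlist(entry, watchlist):
    """Case-insensitive substring match of each watch term against 'vendor product'."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return [term for term in watchlist if term.lower() in haystack]


def triage(feed_text, seen_ids, watchlist):
    """New, watchlist-matching KEV entries ordered by CISA due date (soonest first);
    entries with known ransomware use sort ahead of others on the same date."""
    hits = []
    for entry in new_entries(parse_kev(feed_text), seen_ids):
        terms = matches_watchlist(entry, watchlist)
        if terms:
            hits.append({"cveID": entry["cveID"], "product": entry["product"],
                         "dueDate": entry["dueDate"],
                         "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                         "matched": terms})
    return sorted(hits, key=lambda h: (h["dueDate"], not h["ransomware"]))


if __name__ == "__main__":
    # Pretend CVE-0000-10003 was already seen on a previous run.
    for hit in triage(SAMPLE_FEED, {"CVE-0000-10003"}, ["examplecorp"]):
        print(hit)
```

In a real deployment the seen-id set would be persisted between runs (a JSON file is enough) and the feed fetched from CISA's public URL.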
sigma-pack
EARLY

The Sigma rules and KQL queries from the research writeups, shipped as runnable files - three Kerberoasting detections and three OAuth consent-phishing queries so far. Grows one writeup at a time.

View on GitHub →
Blue Team Mapper
LIVE

A comprehensive, single-page defender reference - the full defensive lifecycle mapped end to end: SIEM and log-source priority, detection engineering, incident-response flow chains, threat hunting, identity and cloud hardening, SOAR playbooks, and LLM-app defense. ATT&CK-aligned, built for analysts who need actionable depth.

Open the mapper →

Get in touch.

Corrections, source suggestions, or a detection that didn't behave the way the writeup said it would? That's exactly the feedback this project wants. Open an issue on GitHub or send an email.

Everything here is free to read - no paywall, no email gate. Optional crypto tips live in the footer.