Small, useful, open-source tools for defenders - built in the open on GitHub. Honest status labels; nothing here claims to be more finished than it is.
A zero-dependency Python monitor for the CISA Known Exploited Vulnerabilities (KEV) catalog. Tracks newly added, actively-exploited CVEs and flags ones that match products you care about. Public data only.
View on GitHub →The Sigma rules and KQL queries from the research writeups, shipped as runnable files - three Kerberoasting detections and three OAuth consent-phishing queries so far. Grows one writeup at a time.
View on GitHub →A comprehensive, single-page defender reference - the full defensive lifecycle mapped end to end: SIEM and log-source priority, detection engineering, incident-response flow chains, threat hunting, identity and cloud hardening, SOAR playbooks, and LLM-app defense. ATT&CK-aligned, built for analysts who need actionable depth.
Open the mapper →Everything here lives in the public repository, issues and all. Found a bug, or want to suggest a tool? Open an issue →