Security+ / A+ certified · Open to opportunities

Break in first.
Fortify everything after.

I'm Bob — I break into web and cloud systems to learn exactly how attacks work, then turn that into detections and tooling that make them harder. Red-team instincts in service of blue-team results.

18 Projects · 34 CTF writeups
01 Featured

Selected work

Python · Active Directory

AD Recon Lite — Lightweight Active Directory enumeration and dangerous-config detector

A focused Python tool that connects to a domain controller over LDAP and flags the AD misconfigurations attackers actually target during enumeration.

Python · Defensive Security

BlueStack — SIEM-in-a-Box for the B0bTheSkull Blue-Team Toolkit

A pre-wired ELK stack that ingests JSON from four custom blue-team tools, normalizes severity, tags events to MITRE ATT&CK techniques, and surfaces everything in Kibana — one command to stand up.

Python · Container Security

Container Watch — Docker Runtime Security Monitor

A lightweight Python tool that audits running containers for dangerous misconfigurations — privileged mode, sensitive mounts, exposed sockets, and more — in real time or on demand.

Python · Web Scraping

Cross-Verified Job Scraper (Python)

A LinkedIn job scraper with MLM/scam filtering, plus a second-pass cross-verification step that confirms each posting on the company's own careers site before flagging it as Golden.

Python · OSINT

Darkdump — Dark Web OSINT Crawler

A paste and leak intelligence extractor that pulls IOCs, credentials, API keys, and crypto wallets from raw text dumps using regex and entropy analysis.

Project

Evil Twin Attack Simulation & Rogue AP Detection

Built a rogue access point on ESP32 hardware to simulate evil twin Wi-Fi attacks — captive portal, credential harvesting, and all — then engineered the detection signatures to catch it.

Python · Deception

HoneyNet — Modular Honeypot Framework

SSH, HTTP, and FTP decoy services that log attacker credentials, shell commands, and file probes into a single JSON stream — with real-time coordinated scan detection.

Python · Detection Engineering

LogHound — CLI Log Anomaly Detection

A Python CLI that parses auth and web server logs to surface brute force attacks, credential stuffing, privilege escalation, and scanner behavior before they become incidents.

Python · Post-Exploitation

Loot CLI — Filesystem Recon for CTFs and Post-Exploitation

A Python CLI that walks a directory tree once and dispatches every path through eight specialized scanners to surface credentials, keys, SUID binaries, and CTF flags.

Python · Malware Analysis

MalDoc Scanner — Static analyzer for malicious Office docs and PDFs

A Python static analyzer that extracts and scores VBA macros, embedded JavaScript, and IOCs from Office documents and PDFs without ever opening them in a viewer.

Python · Network Security

NetSentinel — Real-Time Network IDS

A Python-based network intrusion detection system that catches ARP spoofing, port scans, DNS hijacking, and ICMP floods as they happen — not after the fact.

Python · Threat Intelligence

PhishKit Analyzer — Static triage for phishing HTML artifacts

A static analysis tool that fingerprints phishing kits, identifies credential harvesting forms, detects brand impersonation, and extracts blocklist-ready IOCs from a saved HTML file.

Infrastructure · DNS

Pi-hole Lab — DNS Filtering on the LAN

A Raspberry Pi 5 running Pi-hole with a local unbound recursive resolver — DNS-layer ad/tracker/malware blocking, observability via Prometheus + Grafana, and a doc set built like infrastructure.

Python · Detection Engineering

SigmaForge — Sigma Rule Writer, Validator, and Multi-Backend Converter

A CLI tool that wraps the pySigma ecosystem to validate, inspect, and convert Sigma detection rules to SIEM query languages during the authoring loop.

Python · OSINT

SubScope — Subdomain Reconnaissance

A subdomain enumeration tool that chains certificate transparency, DNS brute force, HTTP probing, and takeover detection into one clean pipeline.

Python · Threat Intelligence

ThreatPulse — CLI threat intelligence aggregator & web dashboard

A Python tool that fans out IOC lookups across four free threat intel feeds simultaneously, consolidates the results, and surfaces a single threat verdict.

Python · Security Tooling

VaultScan — Secret Scanner for Git Repositories

A CI-friendly Python tool that walks git history to surface leaked API keys, credentials, and private keys using regex pattern matching and Shannon entropy gating.

Python · Web Security

WebAudit — Web Application Security Scanner

A Python scanner that audits web apps for misconfigs and common vulns, then generates a self-contained HTML report with severity ratings and remediation steps.

02 Focus

Offense as research. Defense as the point.

The loop I run: understand the attack, then build the thing that catches it.

01 Offensive research

Pulling apart web apps, binaries, and cloud misconfigs to learn how attacks actually land — the input to everything else.

02 Detection engineering

Turning that offensive insight into resilient detections, SIEM/EDR rules, and purple-team playbooks. Where I'm focused now.

03 Security tooling

Automating the tedious parts — log triage, recon, secret scanning — so analysis is the only step left to do by hand.

03 About

Security+ and A+ certified — though the certs came after the obsession, not before. Most of my time goes into understanding how attacks actually land, building tools to automate the parts nobody wants to do by hand, and writing up findings so the next person doesn't start from scratch.

Python is where most of my tooling lives, C++ when speed matters, TypeScript when it needs a frontend. I build things that solve real problems — job-market scraping with fake-listing detection, dark-web OSINT crawlers, secret scanners — not demos that only look good in a README.

I grind HackTheBox and TryHackMe because there's no shortcut to learning offense, and offense is what makes my detection work actually hold up.

B0bTheSkull on GitHub

Stack & focus

  • CompTIA Security+ / A+
  • HackTheBox · TryHackMe
  • Python · C++ · TypeScript
  • Detection engineering
  • OSINT & dark-web research