Defensive security engineering, detection content, and operational data systems.
| Principle |
|---|
| Build practical tools for authorized security review. |
| Turn evidence, logs, and telemetry into measurable defensive action. |
| Keep security work reproducible, auditable, and grounded in artifacts. |
| Track | Status | Focus | Next |
|---|---|---|---|
| Lithium |  |
Evidence-linked operational analytics, normalized records, dashboard search, and privacy-aware review flows. | Validate fresh records, searchable drilldowns, viewer gates, and source-linked summaries. |
| Speculum | |
Authorized public-surface review utilities and security audit workflows. | Expand tests, reporting, documentation, and safe input validation. |
| Detection Engineering |  |
Sigma, KQL, SPL, Elastic, structured indicators, and defensive validation scripts. | Convert repeatable incident patterns into tested detection content. |
| Infrastructure Hardening | |
Inventory, configuration review, service exposure checks, and rollback-safe automation. | Keep scripts small, auditable, reversible, and evidence-producing. |
| 🤖 |
Lithium bot status: Active build Current read: SQLite-backed normalized evidence records Next proof: Fresh record timestamps |
| Area | Details |
|---|---|
| Status |  |
| Current focus | SQLite-backed normalized evidence records Readable relationship and operational signal dashboards Search-first drilldown views Viewer-aware access controls Evidence references attached to every claim |
| Validation targets | Fresh record timestamps Non-empty message text where expected Stable profile identity mapping Permission-filtered dashboard responses No raw file dependency in runtime dashboard views |
| Pattern | Severity | Defender Focus | Signals | Build Response |
|---|---|---|---|---|
| Credential phishing and token replay |  |
Identity telemetry, mailbox rules, OAuth grants, session anomalies, and account recovery evidence. | New consent grant Impossible travel Unexpected mailbox rule Suspicious successful login |
Identity review scripts, detection logic, and incident evidence checklists. |
| Infostealer-driven account takeover | |
Endpoint evidence, browser token exposure, password reuse, and post-compromise cleanup. | Credential reuse New device login Password reset activity Unusual data access |
Host review commands, account reset workflow, and detection content. |
| Repository secret exposure |  |
Git history, exposed tokens, stale credentials, and unsafe config files. | Secret-like filenames Token-shaped strings Committed environment files Suspicious workflow permissions |
Repo audit scripts, rotation checklist, and pre-commit scanning guidance. |
| Suspicious PowerShell persistence | |
Scheduled tasks, services, startup entries, encoded commands, and userland persistence. | Encoded command usage Unknown scheduled task Unexpected service binary path Run key modification |
Windows inventory scripts, persistence review, and safe-disable workflows. |
| Cloud key exposure and over-permissioning | |
Access keys, IAM policies, public buckets, logging gaps, and unused privileges. | Unused access key Overbroad policy Public storage object Missing audit trail |
Cloud inventory checks, least-privilege review, and exposure reports. |
| Public surface scraping and impersonation risk |  |
Public metadata, profile visibility, brand impersonation, and exposed contact paths. | New lookalike account Public metadata drift Unexpected indexed asset Unauthorized brand reuse |
Public-surface audit tooling, reporting templates, and evidence capture. |
| Adversary Behavior | Telemetry | Defensive Control | Zeid Data Build |
|---|---|---|---|
| Account takeover | Authentication logs Mailbox rules OAuth grants Device history |
MFA review Session revocation Rule cleanup Login anomaly detection |
Identity incident checklist and account review scripts |
| Secret harvesting | Git history Workflow files Environment files Token inventory |
Secret scanning Token rotation Least-privilege review Protected branches |
Repository exposure audit workflow |
| Endpoint persistence | Services Scheduled tasks Startup folders Run keys PowerShell logs |
Persistence inventory Safe-disable process Script block logging Change audit |
Windows cleanup and persistence review toolkit |
| Data exposure | Public assets Storage permissions Application logs Repository metadata |
Exposure inventory Access review Evidence capture Remediation tracking |
Public-surface and data exposure review workflows |
| Repository | Description | Language | Stars | Updated |
|---|---|---|---|---|
| .github | Zeid Data organization profile and dynamic threat intel radar | Python | 0 | 2026-05-17T04:46:21Z |
| dominos_source | Python bindings for the Domino APIs | Python | 0 | 2026-05-13T13:46:20Z |
| Rule |
|---|
| Authorized testing only. |
| Evidence before conclusions. |
| Telemetry over vibes. |
| Rollback paths before risky changes. |
| Readable outputs beat clever outputs. |
Last generated: 2026-05-17 04:46:25 UTC
