FevMac

Available for Work

Open to security analyst and detection engineering roles — threat hunting and penetration testing.

Security analyst with a builder's mindset. I research threats to find gaps in modern tooling, then write the code to close them. I maintain over 10 open-source tools spanning network forensics to automated exploitation. By combining hands-on penetration testing with defensive operations like SIEM tuning and incident triage, I learn by dissecting attacks and building the infrastructure to detect them.

10+ Open Source Tools
Approach

I build to identify detection gaps. My approach connects offensive research and defensive engineering by turning lab-dissected attacks into automated detection logic. By building the tools myself, I gain a practical understanding of how threats bypass current defenses. These projects correlate findings against live vulnerability data and are grouped below by phase: discovery, exploitation, detection, attribution, and defensive operations.

Recent Highlights
Shrike — eBPF network forensics maps encrypted-era traffic to processes without payload decryption, with 25+ detectors, beaconing and fingerprinting analytics, and live CISA KEV correlation.
Lure — Chrome MV3 phishing defense and Python email CLI: 49 real-time detectors, 1,400+ automated tests, and triage signals mapped to MITRE ATT&CK and NIST SP 800-61r3.
Vigil — Browser-native Windows log DFIR with a 12-module EVTX pipeline, 31 Sigma rules on ATT&CK v15, and exportable KQL, SPL, EQL, and VQL.
Certifications
ISC² CC: Certified in Cybersecurity
TryHackMe: Security Analyst Level 1 (In Progress)
Development
Languages: Python, TypeScript, JavaScript
Workflow: Cursor & Claude Code

Recon

Automated attack surface discovery — map targets fast, find weaknesses before adversaries do.

Dockyard 001

Async port scanner: CVE sigs, fingerprints, passive recon (Shodan), QUIC, Nmap pipe, script hooks — HTML / Nmap XML / Nuclei JSON.

Throughput and timing profiles for authorized scopes; audit logging and machine-readable exports.

async cve reconnaissance
Python
Argus 002

Default-cred scanner across 8 protocols with NVD + KEV enrichment, FastAPI REST, SIEM export, notifications.

Weak logins plus CVE context for triage; async mode for faster sweeps.

async cve fastapi
Python
Specter 003

Subdomain takeover + takeover-style risks: 40+ provider fingerprints, CT/DNS/RDAP, DoH, second-order CNAME chains.

Discovery → verification before dangling assets get claimed.

dns doh enumeration
Python
ShadowHunter 004

OSINT + dark-web pipeline: Tor/clearnet ingest, Neo4j graph, STIX 2.1, NL → Cypher — attribution-first.

Hunters + crypto tracing + stealer logs on a FastAPI + Next.js stack.

neo4j osint dark-web
Python

Exploitation

Targeted vulnerability exploitation — CVE-informed, adaptive, and WAF-aware.

ClaimJumper 005

JWT toolkit: 15+ checks, large wordlist cracking, CVE-specific chains (alg confusion, kid/JKU/X5U, null sig, JWKS spoofing).

One audit path from secret testing to forged tokens and exploit validation.

jwt cve authentication
Python
Stiletto 006

SQLi scanner: WAF-aware YAMLs, Trickest CVE sync, SARIF/JSONL for CI — GraphQL, OOB, second-order modes.

Batch URLs + CI exit codes; optional payload learning from failures.

sqli waf sarif
Python

Detection

Passive security scanning — identify misconfigurations, exposed secrets, and emerging threats without triggering alerts.

GitExpose 007

Repo deep scan: React2Shell, ML/pickle abuse, LLM exposure, GlassWorm Unicode, cloud/CI secrets — 100+ patterns + MCP server.

Targets vulnerability classes that typical SAST tools skip; tuned for lower noise.

ai-ml mcp analysis
Python
Prizm 008

MV3 extension: storage, WebSockets, SW caches, GraphQL — 157 patterns, ML classification, live secret verification.

In-browser surface other scanners rarely touch.

extension ml analysis
JavaScript
Corsair 009

Header auditor: 60+ checks, large fingerprint set, KEV linkage, OWASP/PCI/SOC mapping, drift history, MCP remediation hints.

Letter grades + CVE tie-in; SARIF for GitHub Code Scanning.

headers compliance audit
Python
Restless 010

REST + GraphQL tester: OWASP API Top 10 (2023) checks, CVE-sourced payloads, SARIF, dashboard, Docker.

Single async pass for SSRF, BOLA, auth, GraphQL, rate limits — CI-ready.

owasp graphql api
Python

Defensive

Blue-team tooling — PCAP forensics, Windows log analysis, browser phishing defense, and behavioral privacy — without trading away operator control or data sovereignty.

Shrike 011

Run live or on PCAP: eBPF flow + PID/binary tie-in, 25+ detectors — HTML (multi-tab), JSON, CLI, SARIF 2.1.0.

Timelines, IOC extraction, MITRE-mapped output for IR handoff.

pcap dfir mitre
Python
Vigil 012

Browser EVTX: Hayabusa, Chainsaw, or raw logs — 31 Sigma rules, PowerShell decode, 12 tabs, KQL/SPL/EQL/VQL export, no backend.

Logs stay local; heatmaps, lineage, and LOLBin radar for LotL-style cases.

react sigma evtx dfir
JavaScript
Lure 013

MV3 + Python CLI: additive scoring, YARA-X on .eml/.msg, intel sync — NIST/MITRE-aligned triage.

Canvas LURE for live severity across the kill chain.

mv3 phishing soc
JavaScript
Kala 014

MV3 anti–behavioral biometrics: 22 modules (keys, pointer, motion, timing noise) — React 18 + TS; nothing leaves the browser.

Three privacy levels; sub-2ms overhead target.

react privacy biometrics
TypeScript
Core Competencies

Defensive

SOC & SIEM (Splunk, SPL, alert triage, log ingestion)
Detection Engineering (Sigma, cross-SIEM queries, MITRE mapping, FP reduction)
Incident Response & DFIR (EVTX, timelines, IOC enrichment, YARA)
Network Traffic Analysis (PCAP, beaconing, TLS fingerprints)

Offensive

Penetration Testing & Red Team Operations
Attack Surface & Vulnerability Assessment (recon, creds, secrets, CVE prioritization)
Web Application Security (OWASP Top 10, WAF & header abuse)
API Security Testing (REST, GraphQL, OWASP API Top 10)

Intel & Client

Threat Intelligence & OSINT (graph correlation, attribution)
Phishing Defense & Browser Security (MV3, .eml forensics)
Privacy & Client-Side Security