Blog
Projects, reference writeups, and posts. One page for all of it.
Projects
SOC Dashboard
A PowerShell analyst console backed by a local SQLite database loaded with Sentinel-shaped sample logs. Includes a KQL translator (Invoke-KqlPS), threat-intel lookups (AbuseIPDB, urlscan.io, NIST NVD, Team Cymru, NSRL), MITRE ATT&CK lookups, and a daily-brief generator.
Source on GitHub · Module index · KQL engine in the browser
Browser Lab
The SOC Dashboard's portable pieces, ported to JavaScript and run against an in-browser SQLite. KQL playground, graded practice, a visual query builder, and a hunt template catalog.
Honeypot Research Network
A residential SSH honeypot that feeds the lab's dashboards with real attacker telemetry: top attackers, credentials tried, ASN and country breakdowns, and recent session activity. Indicators are reported to AbuseIPDB and AlienVault OTX.
KQL Practice Engine
Thirty graded KQL questions with difficulty bands and persisted scores. Answers are checked against the same query engine the playground uses.
National Cyber League - Fall 2025
Diamond 1 Medal, 97th percentile, Fall 2025 Individual Game. Categories included OSINT, cryptography, password cracking, log analysis, network traffic, scanning, web exploitation, and forensics.
Certificate (PDF) · Performance report (PDF)
Reference
KQL Beginners Guide
KQL fundamentals: operators, scalar functions, aggregations, and the daily patterns used against Sentinel-style data.
KQL Detection Engineering - Advanced Cheatsheet
Joins, mv-expand, aggregation, and detection-engineering patterns in a printable reference with worked examples.
Hunting Cookbook
Reusable hunt queries with notes on what each one looks for and which tables it touches.
Posts
Inside Invoke-KqlPS
Why I built a KQL interpreter in PowerShell, what subset it supports today, and how it anchors the rest of the lab.
MITRE Crosswalks in the Lab
How the local ATT&CK data, CVE-to-technique mappings, and KQL tooling fit together in one offline-friendly workflow.