Main portfolio hub: anpa1200.github.io — start here for CTI-to-detection work, Docusaurus field guides, security tooling, Medium research, and contact links.
Cybersecurity researcher and CTI-to-detection practitioner focused on turning threat intelligence, adversary behavior, log/security telemetry, and AI-assisted workflows into detection-ready, SOC-usable, evidence-based security outputs.
| CTI tradecraft | Detection handoff | Security research depth |
|---|---|---|
| Evidence discipline, source reliability, confidence language, attribution caution. | ATT&CK candidate mapping, hunting hypotheses, detection backlog, SOC handoff. | Malware analysis, cloud/Kubernetes security, offensive-informed labs, analyst tooling. |
Medium and GitHub are my public proof-of-work. The Docusaurus sites are the structured versions of the work: field manuals, repeatable CTI-to-detection methods, sector CTI, platform notes, and practitioner guides.
| Project | Why review it | Links |
|---|---|---|
| CTI Analyst Field Manual | Primary flagship. Practical CTI tradecraft manual covering evidence discipline, source reliability, confidence language, attribution, infrastructure pivoting, ATT&CK usage, hunting hypotheses, detection backlog, SOC handoff, and reusable analyst templates. | Site · Repo |
| Operation Desert Hydra | Complete CTI-to-detection pipeline. 71 source candidates reviewed, 8 promoted (CISA, INCD, vendor), 10 procedure records with Observed/Reported/Assessed evidence labels, OpenCTI 6.2 knowledge graph, 11 detection records with SIEM-agnostic pseudologic, Ansible-provisioned Windows 10 lab. 14 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks. 16 of 21 ATT&CK techniques (76%) fully lab-validated. One-command reproducible. MuddyWater / Seedworm — widely reported by government and vendor sources as Iran-linked activity associated with MOIS. | Site · Repo · Detection Atlas · Validation Results · Coverage Matrix · Article |
| Israel Government Threat Actors CTI | Applied sector/actor CTI. Public-source defensive knowledge base for threat actors, personas, malware families, TTPs, detection opportunities, and Israeli public-sector / critical-infrastructure exposure. | Site · Repo · Reports |
| Customer-Driven AI CTI Project | Delivery methodology. Gate-controlled CTI-to-detection workflow from customer requirements, PIRs/SIRs, source evaluation, and evidence handling to detection backlogs, SOC handoff, executive reporting, and measurable defensive outcomes. | Site · Repo · Article |
| OpenCTI Intelligent Shield | CTI platform engineering. OpenCTI deployment and analyst-reviewed enrichment workflow covering platform operations, connector design, STIX-oriented workflows, review gates, enrichment limitations, and practical CTI infrastructure. | Repo · Article |
| CVSS v4.0 Field Guide | Practical guide for vulnerability prioritization, scoring logic, exploitability context, and decision support. | Guide · Tool repo · Article |
| HexStrike AI Guide | AI-assisted authorized security research guide. Supporting offensive-informed defensive work, not the main professional identity. | Guide · Repo |
Related supporting CTI assets: CTI reports, autoWF, Customer-Driven AI CTI Template.
Roles this portfolio is positioned for:
- CTI Analyst
- Threat Intelligence Researcher
- CTI-to-Detection Engineer
- Threat Detection Researcher
- Security Research Engineer
- Intel delivery / customer-facing CTI
- SOC enablement / detection-content role
- OpenCTI / CTI platform-oriented security role
| Skill area | Evidence in portfolio |
|---|---|
| CTI tradecraft | Evidence labeling, confidence language, source reliability, assumptions, gaps, and analytic caution. |
| Attribution caution | Attribution methodology that separates infrastructure, malware, TTPs, claims, and assessment language. |
| ATT&CK usage | Candidate mapping used to structure behavior and detection opportunities, not as attribution proof. |
| Infrastructure pivoting | IOC expansion through passive DNS, reverse IP, ASN/hosting reuse, TLS certificates, subdomains, internet search, and WHOIS. |
| CTI-to-detection | Hunting hypotheses, detection backlog, SOC handoff, detection content, and operational summaries. |
| AI-assisted CTI | Decision-support workflows where AI output is untrusted until analyst-reviewed. |
| Malware analysis | YARA, IOC extraction, function context, APK triage, Frida hooks, and ATT&CK candidate mapping. |
| Security research | Cloud/Kubernetes research, vulnerability prioritization, OpenCTI platform work, and lab-backed analysis. |
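An added example to make the "IOC extraction" and "evidence labeling" rows above concrete; it is not code from the portfolio or from any of the listed tools. It refangs a constructed report excerpt (`hxxp`, `[.]`), extracts IPv4 addresses, domains, URLs and hashes, drops invalid and RFC 1918 addresses, and tags each indicator with the Observed / Reported / Assessed label of the sentence it came from. The cue words used for labeling are a simplified heuristic standing in for the analyst's own judgement; the hash and all names and addresses are placeholders.

```python
"""IOC extraction with refanging and per-sentence evidence labels.

Added example, not project code. The report text, indicators and hash are
constructed; the label cues are a simplified heuristic, not an analyst.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed report excerpt with common defanging (hxxp, [.]).
REPORT = """
We observed the loader beacon to hxxp://update-check[.]example/api/v1 and
resolve update-check[.]example to 203[.]0[.]113[.]10 during the incident.
A vendor report states the same campaign used 198[.]51[.]100[.]7 and a
dropper with sha256 4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f.
We assess it is likely that mail-relay[.]example belongs to the same cluster.
Note: 256.1.1.1 is not a valid address and 10[.]0[.]0[.]5 is internal.
"""


@dataclass(frozen=True)
class IOC:
    kind: str   # ipv4 | domain | url | sha256 | md5
    value: str
    label: str  # Observed | Reported | Assessed | Unlabeled


# Evidence-label cues, checked in order; the first match wins.
LABEL_CUES = [
    ("Observed", re.compile(r"\b(we observed|observed|telemetry shows)\b", re.I)),
    ("Reported", re.compile(r"\b(report states|reported|according to|vendor)\b", re.I)),
    ("Assessed", re.compile(r"\b(we assess|assess|likely|probably)\b", re.I)),
]

PATTERNS = {
    "url":    re.compile(r"https?://[^\s\"'<>]+", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5":    re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Checked explicitly rather than via ip.is_private, which also flags the
# RFC 5737 documentation ranges used for the constructed sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(text: str) -> str:
    """Undo the usual defanging so regexes see real indicators."""
    text = re.sub(r"hxxps?://", lambda m: m.group(0).lower().replace("xx", "tt"), text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.I)
    return re.sub(r"\[at\]", "@", text, flags=re.I)


def valid_public_ipv4(s: str) -> bool:
    try:
        ip = ipaddress.IPv4Address(s)
    except ValueError:      # e.g. an octet above 255
        return False
    return not any(ip in net for net in RFC1918)


def evidence_label(sentence: str) -> str:
    for label, cue in LABEL_CUES:
        if cue.search(sentence):
            return label
    return "Unlabeled"


def extract_iocs(report: str) -> list[IOC]:
    """Return deduplicated IOCs; the first sentence that names one sets its label."""
    found: dict[tuple[str, str], IOC] = {}
    for sentence in re.split(r"(?<=[.!?])\s+", refang(report).strip()):
        label = evidence_label(sentence)
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(sentence):
                value = m.group(0).rstrip(".,;)")
                if kind == "ipv4" and not valid_public_ipv4(value):
                    continue
                if kind in ("sha256", "md5"):
                    value = value.lower()
                found.setdefault((kind, value), IOC(kind, value, label))
    return list(found.values())


if __name__ == "__main__":
    for ioc in extract_iocs(REPORT):
        print(f"{ioc.label:9} {ioc.kind:7} {ioc.value}")
```

A URL's host is also emitted as a domain, which is normally what a detection backlog wants. Anything the cue heuristic leaves as Unlabeled should be resolved by the analyst before handoff, not silently promoted.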
Selected Medium articles:
- CTI Kill Chain: An Analyst Guide With Real-World Evidence
- Attribution Methodology
- Infrastructure Pivoting
- ATT&CK as a Working Tool
- Manual CTI vs. AI-Assisted CTI
- CTI Research: Kubernetes & Cloud-Native Threat Landscape
These projects support the CTI-to-detection story. They are not the headline.
| Area | Projects |
|---|---|
| CTI methodology and training | CTI as a Code — lab stack (OpenCTI · TheHive · Elastic SIEM) + 8 structured analyst assignments across all four modes · Repo |
| Malware analysis | AIDebug, Android-Malware-Analysis, Static-malware-Analysis-Orchestrator, Unpacker, PE-Import-Analyzer, String-Analyzer |
| Vulnerability prioritization | cvss_4.0, CVSS v4.0 Field Guide, CVSS article |
| Cloud and Kubernetes security | stratus-ai, vulnerable-cloud-lab, Kubernetes CTI article |
| Offensive-informed labs | HexStrike-AI Guide, Passwords, RTSP credential-testing tool |
Working principles:
- ATT&CK mapping is not attribution evidence.
- AI output is untrusted until analyst-reviewed.
- Shared tooling does not prove actor identity.
- Confidence reflects evidence quality, corroboration, source access, and analytic consistency.
- CTI output should identify evidence, gaps, assumptions, confidence, and operational use.
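An added example for the infrastructure-pivoting skill listed above and for the principle that shared infrastructure or tooling is not identity evidence; it is not code from the portfolio. It expands a seed domain through a constructed passive-DNS dataset (placeholder names, RFC 5737 addresses) and marks a co-hosted domain as a weak pivot when the two resolutions never overlap in time or when the IP serves more domains than a chosen fan-out threshold, as a shared host or CDN would. Only strong pivots are expanded further; every result is still a candidate for analyst review, not an attribution.

```python
"""Passive-DNS pivoting with weak-pivot flagging.

Added example, not project code. Records are constructed; the fan-out
threshold (max_fanout) is an illustrative value, not a published rule.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    first_seen: str  # ISO dates, so plain string comparison orders them
    last_seen: str


@dataclass(frozen=True)
class Pivot:
    domain: str
    via_ip: str
    depth: int
    reason: str  # empty when the pivot is strong

    @property
    def strong(self) -> bool:
        return self.reason == ""


# Constructed passive-DNS data.
PDNS = [
    Resolution("update-check.example", "203.0.113.10", "2024-01-05", "2024-02-20"),
    Resolution("cdn-sync.example",     "203.0.113.10", "2024-01-08", "2024-02-19"),
    Resolution("update-check.example", "198.51.100.7", "2024-02-21", "2024-03-01"),
    Resolution("mail-relay.example",   "198.51.100.7", "2023-06-01", "2023-09-30"),
    Resolution("cdn-sync.example",     "192.0.2.44",   "2024-01-01", "2024-03-01"),
] + [  # 192.0.2.44 also serves twelve unrelated tenants: a shared host
    Resolution(f"tenant{i}.example", "192.0.2.44", "2024-01-01", "2024-03-01")
    for i in range(12)
]


def overlaps(a: Resolution, b: Resolution) -> bool:
    """True when the two resolution windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def pivot(seed: str, records: list[Resolution], max_fanout: int = 5, max_depth: int = 2) -> list[Pivot]:
    """Breadth-first domain -> IP -> co-hosted domain expansion from seed.

    A domain keeps the label of the first edge that reached it (shortest path),
    so a weak hit is not revisited even if a longer strong path exists.
    """
    by_domain: dict[str, list[Resolution]] = defaultdict(list)
    by_ip: dict[str, list[Resolution]] = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
        by_ip[r.ip].append(r)

    seen = {seed}
    queue = deque([(seed, 0)])
    results: list[Pivot] = []
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for res in by_domain[domain]:
            cohosted = by_ip[res.ip]
            fanout = len({x.domain for x in cohosted})
            for other in cohosted:
                if other.domain in seen:
                    continue
                seen.add(other.domain)
                if fanout > max_fanout:
                    reason = f"shared hosting ({fanout} domains on IP)"
                elif not overlaps(res, other):
                    reason = "no temporal overlap"
                else:
                    reason = ""
                p = Pivot(other.domain, res.ip, depth + 1, reason)
                results.append(p)
                if p.strong:  # never expand through a weak edge
                    queue.append((other.domain, depth + 1))
    return results


if __name__ == "__main__":
    for p in pivot("update-check.example", PDNS):
        flag = "STRONG" if p.strong else "weak  "
        print(f"{flag} d={p.depth} {p.domain:22} via {p.via_ip:13} {p.reason}")
```

With the sample data the seed yields one strong pivot (cdn-sync.example), one stale co-hosting hit, and twelve tenants behind the crowded IP that are recorded but not expanded. In real work the same gating applies to ASN, certificate and WHOIS pivots: a link through a popular registrar or a wildcard certificate on a CDN edge is recorded with its weakness, not promoted to an assessment.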
Links:
- Site: https://anpa1200.github.io
- Medium: https://medium.com/@1200km
- GitHub: https://github.com/anpa1200
- LinkedIn: https://www.linkedin.com/in/andrey-pautov/
- PayPal: https://www.paypal.com/donate/?business=W3XDKS7J9XTCG&no_recurring=0&item_name=Buy+me+a+coffee+%28PayPal%29+%E2%80%94+Keep+the+lab+running&currency_code=USD
I write CTI so the next defender can hunt, validate, prioritize, and hand useful work to the SOC.