#AIForBlueTeam

Daily practical tips for using AI in defensive security work. Skills, hooks, prompts, and workflows for blue teams.

Day 1

ATT&CK as JSON

Downloaded enterprise-attack.json and used Claude to analyze data sources. Process Creation alone covers 65% of ATT&CK techniques.

Day 2

MITRE ATT&CK MCP Server

Built an MCP server with 10 tools for querying ATT&CK data. Packaged as .mcpb for Claude Desktop.

Day 3

ATT&CK Obsidian Vault

Generated 2,396 interlinked notes covering Tactics, Techniques, and Data Components with graph view.

Day 4

attack-note Slash Command

A slash command that builds ATT&CK notes with frontmatter, backlinks, and relationships via Obsidian CLI.

Day 5

Threat Report Pipeline

URL to defensive playbook in one command. ATT&CK mapping, data sources, and Atomic Red Team tests.

Day 6

splunk-run Slash Command

Reads a Splunk query from an Obsidian note, runs it via REST API, builds a Sysmon process tree, and appends results.

Day 7

Host Software Inventory

Queries Sysmon Event IDs 1, 3, 6, 7, 22 from Splunk and categorizes third-party software with framework detection via DLL analysis.

Day 8

AD Security Briefing Hook

A SessionStart hook that queries Splunk for AD account changes, group membership, logon events, and failures. Claude reasons over the data and flags what matters.

Day 9

PCAP Analysis with tshark

Claude + tshark analyzes PCAPs, maps findings to ATT&CK, and writes an Obsidian note with all tshark commands for verification.

Day 10

ATT&CK Coverage Gap Analysis

Links ATT&CK data sources to SIEM event IDs, shows technique coverage with TUI bar charts, and ranks priority gaps by bang-for-buck.

Day 11

Log Noise Analysis

Drills into the noisiest SIEM events by sourcetype and event ID. Traces noise generators and provides tuning recommendations with events/sec savings.

Day 12

SIEM Health Check

5 parallel Splunk queries for host inventory, volume anomalies, ingestion delay, data model status, and internal errors. Adaptive deep-dive with cross-signal correlation.

Day 13

K8s Security Sparring Partner

Auto-provisions misconfigured pods on minikube (plaintext secrets, privileged containers, wildcard RBAC) then tutors you through fixing them.

Day 14

Blue Team Docker Toolkit

One prompt builds a cross-platform Docker container with 17 security tools: Hayabusa, Chainsaw, tshark, YARA, capa, Volatility3, and more.

Day 15

K8s RBAC Audit

Full RBAC audit of a K8s cluster. Claude reasons over the RBAC graph to find escalation paths, dormant privileges, and blast radius.

Day 16

Supply Chain Audit

Scans dependencies with pip-audit and osv-scanner, then triages by reachability. 37 CVEs found, only 5 actually matter.

Day 17

Sysmon Config Review

Feed any Sysmon XML config to Claude for an instant sanity check. Identifies disabled event IDs, coverage gaps, and stale exclusions.

Day 18

Sysmon Config Heatmap

Paste Sysmon XML, get a visual ATT&CK coverage heatmap. Color-coded: green (covered), yellow (partial), red (blind spot), grey (disabled).

Day 19

AI Cyber Defense Ops Course

Full course release for using Claude in defensive security workflows. 10 modules covering MCP servers, skills, hooks, and end-to-end workflows.

Day 20

Log Compliance Auditor

Multi-agent skill that audits Linux (SSH) and Windows (WinRM) in parallel against 20 CIS Benchmark checks, mapped to NIST, PCI-DSS, and ATT&CK.

Day 21

Detection Peer Review

Reads a Splunk query from Obsidian, benchmarks it, auto-converts to tstats via accelerated data models, and compares performance. 7.9x faster.

Day 22

AI Powered Hunt Helper

- Ingest a threat intel report.
- Map it to ATT&CK.

Day 23

ATT&CK Heatmap

Have Claude query your existing SIEM data and build you an ATT&CK Navigator heatmap.

Day 24

AgentFence Preview

Preview of my new AgentFence tool!

Day 25

AD Deception

Use Claude to scan your existing Active Directory environment and generate a PowerShell script, plus the corresponding Splunk queries, for deception/honey accounts.