Anton Ovrutsky — #AIForBlueTeam

Anton Ovrutsky — #AIForBlueTeam#AIForBlueTeam daily tips and longform blogs on using AI for defensive security work.https://antonlovesdnb.com/Agent credential protection with fishbowlhttps://antonlovesdnb.com/blog/fishbowl/https://antonlovesdnb.com/blog/fishbowl/Building an auditing perimeter around AI agents to generate telemetry when credentials are accessed - demonstrated with a simulated malicious NPM package exfiltrating Azure tokensSun, 26 Apr 2026 00:00:00 GMTBlogDay 25: AD Deceptionhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7448112342367637504-dj_9https://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7448112342367637504-dj_9Use Claude to scan your existing Active Directory environment and provision you a PowerShell script & corresponding Splunk queries for deception/honey accounts.Sun, 26 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 24: AgentFence Previewhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7447750438289838080-ckdJhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7447750438289838080-ckdJPreview of my new AgentFence tool!Sat, 25 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 23: ATT&CK Heatmaphttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7447391669114679297-93tphttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7447391669114679297-93tpHave Claude query your existing SIEM data and build you an ATT&CK Navigator heatmap.Fri, 24 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 22: AI Powered Hunt Helperhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7447021615437107200-aUrPhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7447021615437107200-aUrP- Ingest a threat intel report. - Map it to ATT&CKThu, 23 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 21: Detection Peer Reviewhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7446541316391346176-zauGhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7446541316391346176-zauGReads a Splunk query from Obsidian, benchmarks it, auto-converts to tstats via accelerated data models, and compares performance. 7.9x faster.Wed, 22 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 20: Log Compliance Auditorhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7446225165178265601-6_fbhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7446225165178265601-6_fbMulti-agent skill that audits Linux (SSH) and Windows (WinRM) in parallel against 20 CIS Benchmark checks, mapped to NIST, PCI-DSS, and ATT&CK.Tue, 21 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 19: AI Cyber Defense Ops Coursehttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-claudeforblueteam-share-7445865516042375168-E5HQhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-claudeforblueteam-share-7445865516042375168-E5HQFull course release for using Claude in defensive security workflows. 10 modules covering MCP servers, skills, hooks, and end-to-end workflows.Mon, 20 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 18: Sysmon Config Heatmaphttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7445483931899957248-5_CGhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7445483931899957248-5_CGPaste Sysmon XML, get a visual ATT&CK coverage heatmap. Color-coded: green (covered), yellow (partial), red (blind spot), grey (disabled).Sun, 19 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 17: Sysmon Config Reviewhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7445211989569765376-dswPhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7445211989569765376-dswPFeed any Sysmon XML config to Claude for an instant sanity check. Identifies disabled event IDs, coverage gaps, and stale exclusions.Sat, 18 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 16: Supply Chain Audithttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7444720513429573633--x7-https://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7444720513429573633--x7-Scans dependencies with pip-audit and osv-scanner, then triages by reachability. 37 CVEs found, only 5 actually matter.Fri, 17 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 15: K8s RBAC Audithttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7444490310593839104-KHYGhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7444490310593839104-KHYGFull RBAC audit of a K8s cluster. Claude reasons over the RBAC graph to find escalation paths, dormant privileges, and blast radius.Thu, 16 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 14: Blue Team Docker Toolkithttps://www.linkedin.com/feed/update/urn:li:activity:7444027153488261120/https://www.linkedin.com/feed/update/urn:li:activity:7444027153488261120/One prompt builds a cross-platform Docker container with 17 security tools: Hayabusa, Chainsaw, tshark, YARA, capa, Volatility3, and more.Wed, 15 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 13: K8s Security Sparring Partnerhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7443696120259653632-JO3Ohttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7443696120259653632-JO3OAuto-provisions misconfigured pods on minikube (plaintext secrets, privileged containers, wildcard RBAC) then tutors you through fixing them.Tue, 14 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 12: SIEM Health Checkhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7443399092774387712-Sigfhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7443399092774387712-Sigf5 parallel Splunk queries for host inventory, volume anomalies, ingestion delay, data model status, and internal errors. Adaptive deep-dive with cross-signal correlation.Mon, 13 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 11: Log Noise Analysishttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7443030111668363264-OqrEhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7443030111668363264-OqrEDrills into the noisiest SIEM events by sourcetype and event ID. Traces noise generators and provides tuning recommendations with events/sec savings.Sun, 12 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 10: ATT&CK Coverage Gap Analysishttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7442680089307172864-tHyihttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7442680089307172864-tHyiLinks ATT&CK data sources to SIEM event IDs, shows technique coverage with TUI bar charts, and ranks priority gaps by bang-for-buck.Sat, 11 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 9: PCAP Analysis with tsharkhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7442315915901251584-oPMkhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7442315915901251584-oPMkClaude + tshark analyzes PCAPs, maps findings to ATT&CK, and writes an Obsidian note with all tshark commands for verification.Fri, 10 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 8: AD Security Briefing Hookhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7441941454748409856-3Ofzhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-share-7441941454748409856-3OfzA SessionStart hook that queries Splunk for AD account changes, group membership, logon events, and failures. Claude reasons over the data and flags what matters.Thu, 09 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 7: Host Software Inventoryhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7441507618206060544-64Fxhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7441507618206060544-64FxQueries Sysmon Event IDs 1, 3, 6, 7, 22 from Splunk and categorizes third-party software with framework detection via DLL analysis.Wed, 08 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 6: splunk-run Slash Commandhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7441121804884131840-AVxohttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7441121804884131840-AVxoReads a Splunk query from an Obsidian note, runs it via REST API, builds a Sysmon process tree, and appends results.Tue, 07 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 5: Threat Report Pipelinehttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7440862677863817216-ijV-https://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7440862677863817216-ijV-URL to defensive playbook in one command. ATT&CK mapping, data sources, and Atomic Red Team tests.Mon, 06 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 4: attack-note Slash Commandhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7440497257281552384-arHmhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7440497257281552384-arHmA slash command that builds ATT&CK notes with frontmatter, backlinks, and relationships via Obsidian CLI.Sun, 05 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 3: ATT&CK Obsidian Vaulthttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7440138486013136896-IlFThttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7440138486013136896-IlFTGenerated 2,396 interlinked notes covering Tactics, Techniques, and Data Components with graph view.Sat, 04 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 2: MITRE ATT&CK MCP Serverhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7439780669049688064-64fOhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7439780669049688064-64fOBuilt an MCP server with 10 tools for querying ATT&CK data. Packaged as .mcpb for Claude Desktop.Fri, 03 Apr 2026 00:00:00 GMT#AIForBlueTeamDay 1: ATT&CK as JSONhttps://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7439425696059289601-WjG7https://www.linkedin.com/posts/antonovrutsky_claudeforblueteam-activity-7439425696059289601-WjG7Downloaded enterprise-attack.json and used Claude to analyze data sources. Process Creation alone covers 65% of ATT&CK techniques.Thu, 02 Apr 2026 00:00:00 GMT#AIForBlueTeam