This is your work, valued
Threat Detection Engineer | detection & response | automation | macOS security | awesome-detection-engineering, LOOBins, Rulehound
awesome-detection-engineering. Detection Engineering is a tactical function of a cybersecurity defense program that involves the design, implementation, and operation of detective controls with the goal of proactively identifying malicious or unauthorized activity before it negatively impacts an individual or an organization.
★ 1.3kLOOBins. Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in "living off the land" macOS binaries and how they can be used by threat actors for malicious purposes.
★ 539Rulehound. An index of publicly available and open-source threat detection rulesets.
★ 136detection-as-code. An example of how to deploy a Detection as Code pipeline using Sigma Rules, Sigmac, Gitlab CI, and Splunk.
★ 61normalize-atp-safelink. Python script that normalizes a URL that has been rewritten by Microsoft ATP SafeLink protection.
★ 7generate_attacknav_layer. A Python CLI utility for quickly converting a list or text file of MITRE ATT&CK technique IDs to a MITRE ATT&CK Navigator layer .JSON file.
★ 4auditd-ripper. Python CLI for normalizing, aggregrating, and decoding auditd logs.
★ 3detection-engineering-ai-maturity. A community framework for assessing AI/LLM use across a detection engineering program.
★ 3bluecoat-webpulsir. Check and submit Blue Coat WebPulse website classifications.
★ 2awesome. 😎 Awesome lists about all kinds of interesting topics
★ 1disable-remote-nic. A PowerShell script for remotely disabling active Windows 10/2016 device network interfaces.
★ 1awesome-threat-detection. A curated list of awesome threat detection and hunting resources
★ 1pydantic-attack. Python
★ 1atomic-red-team. Small and highly portable detection tests based on MITRE's ATT&CK.
★ 1security_content. Splunk Security Content
★ 1generative-ai-for-beginners. 12 Lessons, Get Started Building with Generative AI 🔗 https://microsoft.github.io/generative-ai-for-beginners/
★ 1infosecb.
★ 1PySPL. A lightweight Python library that allows you to run Splunk SPL (Search Processing Language) queries against Python dictionaries and lists. No Splunk installation required!
★ 1personal-claude-plugins. A marketplace of personal plugins for Claude Code and Cowork (Claude Desktop).
★ 1bumblebee. Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises.
★ 4.8kHarbor. TypeScript
★ 18container. A tool for creating and running Linux containers using lightweight virtual machines on a Mac. It is written in Swift, and optimized for Apple silicon.
★ 47kpokeemerald-wasm. Pokemon Emerald in WebAssembly
★ 293agent-scan. Security scanner for AI agents, MCP servers and agent skills.
★ 2.8kOpenSpec. Spec-driven development (SDD) for AI coding assistants.
★ 60kdetection-engineering-ai-maturity. A community framework for assessing AI/LLM use across a detection engineering program.
★ 3llm-from-scratch.
★ 3.1kpersonal-claude-plugins. A marketplace of personal plugins for Claude Code and Cowork (Claude Desktop).
★ 1gstack. Use Garry Tan's exact Claude Code setup: 23 opinionated tools that serve as CEO, Designer, Eng Manager, Release Manager, Doc Engineer, and QA
★ 121kAnthropic-Cybersecurity-Skills. 817 structured cybersecurity skills for AI agents · Mapped to 6 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND, NIST AI RMF & MITRE F3 (Fight Fraud) · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platforms · 29 security domains · Apache 2.0
★ 25klolexfil.github.io. Living off the land Data Exfiltration methods
★ 60Security-Detections-MCP. MCP to help Defenders Detection Engineer Harder and Smarter
★ 458awesome-agentic-patterns. A curated catalogue of awesome agentic AI patterns
★ 4.8kvibium. The verification layer for coding agents
★ 2.9ksantamon. Lightweight macOS detection agent built on Santa’s Endpoint Security telemetry.
★ 112LifeOS. An General Purpose AI Harness for magnifying human capabilities. [CODING, BUILDING, CREATING, BUSINESS, LIFE, WORK, ...]
★ 17kspec-kit. 💫 Toolkit to help you get started with Spec-Driven Development
★ 119klanggraph. Build resilient agents.
★ 37kDetection-Engineering-Framework.
★ 99attack_flow_detector. Find relevant incidents, logs, events, and alerts to all of your incidents. [Attack Flows, Attack Chains, & Root Cause Discovery - NO LLMs, NO Queries, Just Explainable Machine Learning] >> Use it for free here: https://app.cypienta.io
★ 73finch. Fingerprint-aware TLS reverse proxy. Use Finch to outsmart bad traffic—collect client fingerprints (JA3, JA4 +QUIC, JA4H, HTTP/2) and act on them: block, reroute, tarpit, or deceive in real time.
★ 299NvChad. Blazing fast Neovim framework providing solid defaults and a beautiful UI, enhancing your neovim experience.
★ 28kthreat-hunting-macos-book. A companion Github repo for the book - Threat Hunting macOS by Jaron Bradley
★ 22detection-engineering-starter-pack. A starter pack of resources to help you get started in Detection Engineering.
★ 191awesome-cybersecurity-agentic-ai. Shell
★ 511memos. Open-source, self-hosted note-taking tool built for quick capture. Markdown-native, lightweight, and fully yours.
★ 61ksublime-platform. A free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing. Gain visibility and control, hunt for advanced threats, collaborate with the community, and write detections-as-code.
★ 264tunnelmole-client. Tunnelmole - Connect to local servers from anywhere
★ 1.9ksuzaku-rules.
★ 14Azure-Sentinel. Cloud-native SIEM for intelligent security analytics for your entire enterprise.
★ 6ksublime-rules. Sublime rules for email attack detection, prevention, and threat hunting.
★ 368ollama. Get up and running with Kimi-K2.6, GLM-5.1, MiniMax, DeepSeek, gpt-oss, Qwen, Gemma and other models.
★ 176kopen-webui. User-friendly AI Interface (Supports Ollama, OpenAI API, ...)
★ 145kRulehound. An index of publicly available and open-source threat detection rulesets.
★ 136hashicon. Generates a beautiful representation of any hash.
★ 199awesome-mcp-servers. A collection of MCP servers.
★ 91kclaude-code. Claude Code is an agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster by executing routine tasks, explaining complex code, and handling git workflows - all through natural language commands.
★ 137kmongodb-with-fastapi. Example of using MongoDB with FastAPI
★ 353full-stack-fastapi-mongodb. Full stack, modern web application generator. Using FastAPI, MongoDB as database, Docker, automatic HTTPS and more.
★ 817Invoke-ArgFuscator. Invoke-ArgFuscator is an open-source, cross-platform PowerShell module that helps generate obfuscated command-lines for common system-native executables.
★ 279socless. The SOCless automation framework
★ 142python-training. Python training for business analysts and traders
★ 14kgrapl. Graph platform for Detection and Response
★ 698developer-roadmap. Interactive roadmaps, guides and other educational content to help developers grow in their careers.
★ 360kgrove. A Software as a Service (SaaS) log collection framework.
★ 187the-sourdough-framework. Open source book dedicated to helping you to make the best possible sourdough bread at home.
★ 3.6kcti-stix-common-objects. OASIS Cyber Threat Intelligence (CTI) TC: A repository for commonly used STIX objects in order to avoid needless duplication. https://github.com/oasis-open/cti-stix-common-objects
★ 102detection-as-code-example. A POC to implement Detection-as-Code with Terraform and Sumo Logic.
★ 32santa. A binary and file access authorization system for macOS.
★ 688framework. A static site generator for data apps, dashboards, reports, and more. Observable Framework combines JavaScript on the front-end for interactive graphics with any language on the back-end for data analysis.
★ 3.5ksigmalite. Go
★ 57grimoire. Generate datasets of cloud audit logs for common attacks
★ 242grcengineering.github.io. HTML
★ 70flask-login. Flask user session management.
★ 3.7kThe_Shelf. Retired TrustedSec Capabilities
★ 248awesome-cicd-attacks. Practical resources for offensive CI/CD security research. Curated the best resources I've seen since 2021.
★ 608awesome-detection-engineering. Detection Engineering is a tactical function of a cybersecurity defense program that involves the design, implementation, and operation of detective controls with the goal of proactively identifying malicious or unauthorized activity before it negatively impacts an individual or an organization.
★ 1.3ksubstation. Substation is a toolkit for routing, normalizing, and enriching security event and audit logs.
★ 403n8n. Fair-code workflow automation platform with native AI capabilities. Combine visual building with custom code, self-host or cloud, 400+ integrations.
★ 196kDAC-use-cases. Use cases for end to end implementations of detection-as-code (DAC) for security rules
★ 4munki. Managed software installation for macOS —
★ 3.4kn8n-kubernetes-hosting.
★ 120cyberchef-recipes. A list of cyber-chef recipes and curated links
★ 2.2kkube-prometheus. Use Prometheus to monitor Kubernetes and applications running on Kubernetes
★ 7.7kFastUI. Build better UIs faster.
★ 9kpql. Pipelined Query Language
★ 704python-pkl. Python library for Apple's PKL format
★ 17LoFP. Living off the False Positive!
★ 42lolcerts. A repository of code signing certificates known to have been leaked or stolen, then abused by threat actors
★ 412pkl. A configuration as code language with rich validation and tooling.
★ 11kChista. Chista | Open Threat Intelligence Framework
★ 62detection. Detection in the form of Yara, Snort and ClamAV signatures.
★ 254galah. Galah: An LLM-powered web honeypot.
★ 656mac-dev-playbook. Mac setup and configuration via Ansible.
★ 7kauditd-ripper. Python CLI for normalizing, aggregrating, and decoding auditd logs.
★ 3Yara-Rules. Repository of Yara Rules
★ 146eng-practices. Google's Engineering Practices documentation
★ 23kawesome-data-engineering. A curated list of data engineering tools for software developers
★ 8.9kdata-engineering-zoomcamp. Data Engineering Zoomcamp is a free 9-week course on building production-ready data pipelines. The next cohort starts in January 2026. Join the course here 👇🏼
★ 43kgod-mode-rules. God Mode Detection Rules
★ 135osx-password-dumper. A tool to dump users's .plist on a Mac OS system and to convert them into a crackable hash
★ 53data-engineer-handbook. This is a repo with links to everything you'd ever want to learn about data engineering
★ 42kRoota. Roota is a public-domain language of threat detection and response that combines native queries from a SIEM, EDR, XDR, or Data Lake with standardized metadata and threat intelligence to enable automated translation into other languages
★ 139coreruleset. OWASP CRS (Official Repository)
★ 3.2kModSecurity. ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
★ 9.7kAwesome-GPT-Agents. A curated list of GPT agents for cybersecurity
★ 6.5kanomaly-detection-resources. Anomaly detection related books, papers, videos, and toolboxes. Last update late 2025 for LLM and VLM works!
★ 9.3kpanther_analysis_tool. Command line tool for working with Panther rules and policies
★ 49awesome-compose. Awesome Docker Compose samples
★ 46kfindspark. Python
★ 525Beyond-All-Reason. Main game repository for Beyond All Reason.
★ 4.1kdotfiles_old. A collection of my configuration files. Mainly intended for configuring Arch Linux and Neovim (Lua).
★ 85horcrux. Split your file into encrypted fragments so that you don't need to remember a passcode
★ 5.1ksigconverter.io. An opensource sigma conversion tool built using pysigma
★ 171LOLDrivers. Living Off The Land Drivers
★ 1.7kAPT-OpenIOC-Detection-Rules. This repository contains OpenIOC rules to aid in hunting for indicators of compromise and TTPs focused on Advanced Persistent Threat groups.
★ 26attackgen. AttackGen is a cybersecurity incident response testing tool that leverages the power of large language models and the comprehensive MITRE ATT&CK framework. The tool generates tailored incident response scenarios based on user-selected threat actor groups and your organisation's details.
★ 1.2kkeyboard. ⌨ Toward a more useful keyboard
★ 2.2kllama-gpt. A self-hosted, offline, ChatGPT-like chatbot. Powered by Llama 2. 100% private, with no data leaving your device. New: Code Llama support!
★ 11kTTPForge. The TTPForge is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
★ 433atomic-red-team. Small and highly portable detection tests based on MITRE's ATT&CK.
★ 12kLOOBins. Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in "living off the land" macOS binaries and how they can be used by threat actors for malicious purposes.
★ 539lazydocker. The lazier way to manage everything docker
★ 52kjekyll-theme-serial-programmer. A Jekyll theme for serial programmers (-.-)
★ 209gpt-prompt-engineer. Jupyter Notebook
★ 9.7kdetection-and-response-pipeline. ✨ A compilation of suggested tools/services for each component in a detection and response pipeline, along with real-world examples. The purpose is to create a reference hub for designing effective threat detection and response pipelines. 👷 🏗
★ 296NimBlackout. Kill AV/EDR leveraging BYOVD attack
★ 406Spartacus. Spartacus DLL/COM Hijacking Toolkit
★ 1.1kYara-rules. Collection of private Yara rules.
★ 385apple-internals. information and tools to understand the internals of Apple’s operating systems
★ 202tmux-powerline. ⚡️ A tmux plugin giving you a hackable status bar consisting of dynamic & beautiful looking powerline segments, written purely in bash.
★ 3.8kSwiftLiverpool. Enumerate Location Services using CoreLocation API on macOS
★ 19swift. The Swift Programming Language
★ 70kMachoBins.
★ 15mac-monitor. "The missing ProcMon for macOS": Mac Monitor records Endpoint Security events and displays them for analysis.
★ 1.4kVirtualBuddy. Virtualize macOS 12 and later on Apple Silicon, VirtualBuddy is a virtual machine GUI for macOS M1, M2, M3, M4
★ 8.3kmacOS-cheatsheet. CLI commands cheat sheet for mac OS users
★ 7macOS-Security-and-Privacy-Guide. Community guide to securing and improving privacy on macOS.
★ 22kFalconForge. This repository is used by FalconForce to release parts of the internal tools used for maintaining, validating and automatically deploying a repository of use-cases for the Sentinel and Microsoft 365 Defender products.
★ 17KQLAnalyzer. REST server that can analyze Kusto KQL queries against the Sentinel and Microsoft 365 Defender schemas.
★ 55GenAI-Security-Adventures. Jupyter Notebook
★ 108Kavita. Kavita is a fast, feature rich, cross platform reading server. Built with the goal of being a full solution for all your reading needs. Setup your own server and share your reading collection with your friends and family.
★ 11kevilginx2. Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
★ 15kSigma-Rules. A repository of my own Sigma detection rules.
★ 165DetectionLab. Automate the creation of a lab environment complete with security tooling and logging best practices
★ 5kpySigma-backend-crowdstrike. SigmaHQ pySigma CrowdStrike processing pipeline
★ 32detection-rules. Python
★ 2.7kpydantic. Data validation using Python type hints
★ 28kkickstart.nvim. A launch point for your personal nvim configuration
★ 31kblue-sky. A clean and blue BSPWM setup
★ 365vscodium. binary releases of VS Code without MS branding/telemetry/licensing
★ 32kmac-setup. Installing Development environment on macOS
★ 7.4kEDR-Telemetry. This project aims to compare and evaluate the telemetry of various EDR products.
★ 2kPowerShell-Obfuscation-Bible. A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests.
★ 1.2kFedoraDots. New repo for my dotfiles
★ 19polybar-themes. A huge collection of polybar themes with different styles, colors and variants.
★ 6.2kschemastore. A collection of JSON schema files including full API
★ 3.8kdolly. Databricks’ Dolly, a large language model trained on the Databricks Machine Learning Platform
★ 11kmodelscope. ModelScope: bring the notion of Model-as-a-Service to life.
★ 9kbspwm. A tiling window manager based on binary space partitioning
★ 8.3kRed-Teaming-Toolkit. This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.
★ 10kmacos_app_structure.
★ 47t480. notes and configs for linux on t480
★ 104gpt4all. GPT4All: Run Local LLMs on Any Device. Open-source and available for commercial use.
★ 77kChatGPT-4-Splunk. Splunk TA for sending completion requests to ChatGPT
★ 27chatblade. A CLI Swiss Army Knife for ChatGPT
★ 2.6kmountpoint-s3. A simple, high-throughput file client for mounting an Amazon S3 bucket as a local file system.
★ 5.7kawesome-detection-rules. This is a collection of threat detection rules / rules engines that I have come across.
★ 300Security-Datasets. Re-play Security Events
★ 1.8kDataSurgeon. Quickly Extracts IP's, Email Addresses, Hashes, Files, Credit Cards, Social Security Numbers and a lot More From Text
★ 903awesome-kubernetes-threat-detection. A curated list of resources about detecting threats and defending Kubernetes systems.
★ 40830-Days-Of-Python. The 30 Days of Python programming challenge is a step-by-step guide to learn the Python programming language in 30 days. This challenge may take more than 100 days. Follow your own pace. These videos may help too: https://www.youtube.com/channel/UC7PNRuno1rzYPb1xLa4yktw
★ 68kawesome-security-newsletters. Periodic cyber security newsletters that capture the latest news, summaries of conference talks, research, best practices, tools, events, vulnerabilities, and analysis of trending threats and attacks
★ 1.3kmatano. Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
★ 1.7kbinaries-issues. Issues for macosbin.com
★ 53GTFOBins.github.io. GTFOBins is a curated list of Unix-like executables that can be used to bypass local security restrictions in misconfigured systems.
★ 13kLOLBAS. Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
★ 8.7kpa. a simple password manager. encryption via age, written in portable posix shell
★ 564traefikv2-docker-gitlab. Gitlab with Lets Encrypt via Docker + Traefik v2
★ 28python-sdk. Python library used to integrate with Descope
★ 71ml-stable-diffusion. Stable Diffusion with Core ML on Apple Silicon
★ 18kawesome-lint. awesome-lint as a GitHub Action
★ 20awesome-cto. A curated and opinionated list of resources for Chief Technology Officers, with the emphasis on startups
★ 35kGCTI. YARA
★ 553detection-rules. Collection of example YARA-L rules for use within Google Security Operations
★ 505splunk. The Splunk schema extension repository
★ 11samplemod. Python
★ 4.9kcookiecutter-hypermodern-python. Hypermodern Python Cookiecutter
★ 1.9kmitre-attack-mapping. Mapping your datasources and detections to the MITRE ATT&CK Navigator framework.
★ 61falco. Cloud Native Runtime Security
★ 9.1kawesome-soc. A curated knowledge base to build, run and mature a SOC (including CSIRT).
★ 1.8kAdGuardHome. Network-wide ads & trackers blocking DNS server
★ 35kfull-stack-fastapi-template. Full stack, modern web application template. Using FastAPI, React, SQLModel, PostgreSQL, Docker, GitHub Actions, automatic HTTPS and more.
★ 44kShuffle. Shuffle: A general purpose security automation platform. Our focus is on collaboration and resource sharing.
★ 2.3kVCDB. VERIS Community Database
★ 663Mythic. A collaborative, multi-platform, red teaming framework
★ 4.6kAPI. Documentation and Samples for the Official HN API
★ 13kthreatest. Threatest is a CLI and Go framework for end-to-end testing threat detection rules.
★ 344ocsf-schema. OCSF Schema
★ 847DNSMonitor. A DNS Monitor, leveraging Apple's NEDNSProxyProvider/Network Extension Framework
★ 217pamspy. Credentials Dumper for Linux using eBPF
★ 1.2kphishcatch. A browser extension and API server for detecting corporate password use on external websites
★ 97matplotlib-tutorial. Matplotlib tutorial for beginner
★ 3.2kpython-patterns. A collection of design patterns/idioms in Python
★ 43kDeepLog. PyTorch implementation of Deeplog: Anomaly detection and diagnosis from system logs through deep learning
★ 289loghub. A large collection of system log datasets for AI-driven log analytics [ISSRE'23]
★ 2.8kmarkdoc. A powerful, flexible, Markdown-based authoring framework.
★ 8.1kOpenRA. Open Source real-time strategy game engine for early Westwood games such as Command & Conquer: Red Alert written in C# using SDL and OpenGL. Runs on Windows, Linux, *BSD and Mac OS X.
★ 17kgitignore. A collection of useful .gitignore templates
★ 175kuia-3e. all the projects from Unity in Action 3rd edition
★ 95game-programmer. A Study Path for Game Programmer
★ 19kpixelfoosball. An arcade foosball (table football) game
★ 56unity-pong-tutorial. 🏓💥 Learn to make Pong in Unity.
★ 50auditd. Best Practice Auditd Configuration
★ 1.9kblue-team-wiki. Tools, techniques, cheat sheets, and other resources to assist those defending organizations and detecting adversaries
★ 462ProcessMonitor. Process Monitor Library (based on Apple's new Endpoint Security Framework)
★ 501rich. Rich is a Python library for rich text and beautiful formatting in the terminal.
★ 57ksecurity-stack-mappings. 🚨ATTENTION🚨 The Security Stack Mappings have migrated to the Center’s Mappings Explorer project. See README below. This repository is kept here as an archive.
★ 387pytudes. Python programs, usually short, of considerable difficulty, to perfect particular skills.
★ 24k