/ projects · 08 shipped
Tools the team needed.
Each one started as a workflow gap on a real shift. All built on personal time; all run without cloud dependencies.
| # | Name | Description | Stack | Status |
|---|------|-------------|-------|--------|
| 01 | BASTION | KQL investigation toolkit that ends the rebuild-from-scratch loop. 20+ KQL hunt templates · 7 detection categories · Single-file HTML deploy | HTML · JavaScript · Python · FastAPI · KQL · Microsoft Sentinel | Active |
| 02 | CARL | Offline SOC knowledge base that captures what lives in analysts' heads. 500+ knowledge entries · 8 dispatch engines · 11 alert playbooks | HTML · JavaScript · Python · FastAPI | Active |
| 03 | KQL Sentinel Lab | Synthetic Sentinel environment for analysts to practice on real attack data. 55 attack scenarios · 14 MITRE techniques · 6 tactic groups | HTML · JavaScript · Python · FastAPI · KQL · Docker · Microsoft Sentinel | Active |
| 04 | ThreatWatch | Curated threat intel delivery from RSS feeds to Slack, automated daily. 30-min poll cycle · 3-layer dedup engine · Severity-scored daily digest | HTML · JavaScript · Python · FastAPI · SQLite · Slack | Active |
| 05 | PowerShell Analyzer | Paste a PowerShell command, get a plain-English breakdown for triage. 34 LOLBins cataloged · UTF-16LE Base64 decoder · 0 network calls | HTML · JavaScript | Active |
| 06 | Prompt Forge | Generate structured Claude system prompts for SOC analyst workflows. 8 SOC task templates · 2 editions (general + SOC) · Single-file HTML deploy | HTML · JavaScript | Active |
| 07 | PostMortemForge | Client-facing incident post-mortem reports, generated from a structured schema. 42 kill-chain stage blocks · ATT&CK coverage grid · Self-contained HTML output | Python · FastAPI · Jinja2 · JSON Schema | Active |
| 08 | GLaDOS | Local-LLM writing assistant for daily home use, no cloud, no subscription. 70B local LLM (Hermes 4) · 0 cloud calls · Single Podman container | Python · FastAPI · React · TypeScript · Podman | Active |