Defensive security tooling and detection research - runnable Sigma rules and KQL queries, a zero-dependency CISA KEV monitor, a daily-synced KEV feed, and a single-page blue-team reference. Defensive in scope, every claim tied to a primary source.
kev-watch needs Python 3.9+ and nothing else - no packages, no install step:
git clone https://github.com/umbrasecdev/umbrasec
python3 umbrasec/tools/kev-watch/kev_watch.py --watch fortinet ivanti citrixThat prints newly-added, actively exploited CVEs from CISA's Known Exploited Vulnerabilities catalog, filtered to the vendors you actually run:
CISA KEV catalog 2026.06.11 · 1618 total entries · mode: since
CVE-2026-10520
Ivanti Sentry - Ivanti Sentry OS Command Injection Vulnerability
added 2026-06-11 remediate by 2026-06-14
action: Apply mitigations in accordance with vendor instructions ...
https://nvd.nist.gov/vuln/detail/CVE-2026-10520
1 item(s) reported.
Public data only; it reads one JSON feed and never touches a target system.
| What it is | |
|---|---|
tools/kev-watch/ |
Zero-dependency Python monitor for the CISA KEV catalog. Tracks newly added, actively exploited CVEs, filters to your stack, flags ransomware-linked entries, warns on remediation deadlines. |
tools/sigma-pack/ |
The detection rules from the research writeups as runnable files: Kerberoasting Sigma rules (T1558.003), OAuth consent-phishing KQL queries (T1528), and LiteLLM command-injection Sigma rules (CVE-2026-42271, T1190) so far, each with tuning and false-positive notes. Sigma rules are syntax-validated with sigma-cli in CI, and a per-rule ATT&CK coverage table maps every artifact to its technique. |
tools/blue-team-mapper/ |
A single-page defender reference covering the defensive lifecycle: SIEM/log-source priority, detection engineering, IR flow chains, threat hunting, identity and cloud hardening, SOAR playbooks - ATT&CK-aligned. Use it live. |
research/ |
Detection and threat writeups: Kerberoasting, OAuth consent phishing in M365, OWASP LLM Top 10 for defenders, Securing AI agents, LiteLLM command injection (CVE-2026-42271), plus threat profiles of ransomware crews active against Australian SMBs - INC Ransom and SafePay. Every rule in sigma-pack comes from one of the detection writeups. |
guide/ |
A free, staged security guide for small and mid-sized businesses - from zero to a defensible baseline, with every recommendation mapped to the ASD Essential Eight, ISO 27001:2022, and NIST CSF 2.0, and each step explained as what it is, why it matters, and what it costs. |
A GitHub Action syncs the CISA KEV catalog twice daily into a small JSON file holding the 10 most recently added actively-exploited CVEs, newest first - handy for dashboards, tickers, and "what just got exploited" checks without CORS issues or hitting cisa.gov yourself:
https://umbrasec.dev/assets/kev-latest.json
# the five most recently added actively-exploited CVEs
curl -s https://umbrasec.dev/assets/kev-latest.json |
jq -r '.vulnerabilities[:5][] | "\(.dateAdded) \(.cveID) \(.vendorProject) \(.product)"'Fields per entry: cveID, vendorProject, product, vulnerabilityName,
dateAdded, knownRansomwareCampaignUse. Top level carries catalogVersion,
synced, and count (the full catalog's entry count, not this file's). It is
deliberately a recent-entries feed, not a mirror - for the full catalog, go to
CISA or run
kev-watch, which queries CISA's feed directly. Updates daily at 06:17 UTC.
- Detection engineering - writeups with rules you can actually run (Sigma, mapped to real event IDs and MITRE ATT&CK techniques), plus tuning and false-positive notes.
- Honest threat analysis - technical breakdowns of real techniques and CVEs, every claim tied to a primary source.
- Open-source defensive tooling - small, useful tools for defenders, built in the open.
- LLM / AI security - defensive coverage of prompt injection, the OWASP LLM Top 10, and securing tool-calling AI agents as a class of risk (several writeups live).
- SMB security guidance - a free, framework-grounded guide taking a small business from zero to a defensible baseline, one stage at a time (plus a paid one-person vCISO service for businesses that want hands-on help getting there).
UMBRASEC is run by 0xdev1 - a single, independent practitioner. The research and tools here are free and open; there is also a one-person vCISO advisory service for small and mid-sized businesses, honestly labelled as exactly that. It makes no claims of a track record it doesn't have yet: it's new, and says so. The plan is the honest one - publish genuinely useful, well-sourced work, let it be checked, and let any reputation grow from there.
Everything published is defensive in scope. The research explains how attacks work so defenders can detect and stop them - no working exploits, malware, or offensive tooling ships from here.
Site: umbrasec.dev · Contact: 0xdev1@umbrasec.dev
Planned directions as the project grows - not live yet, listed honestly as intent:
- Threat intelligence - tracking and analysis of real-world campaigns and infrastructure.
The research lists - the index.html featured trio, the research/index.html grid,
feed.xml, sitemap.xml, and each article's prev/next footer nav - are generated
from research/articles.json by tools/site-build/build_indexes.py. That manifest is the
single source of truth; CI (Site build check) fails if any derived file drifts from it, or
if a research/*.html page exists that the manifest does not list (an orphan).
A tracked pre-commit hook keeps them in sync: it regenerates the derived files and stages them on every commit. Enable it once per clone:
git config core.hooksPath .githooksOr regenerate by hand any time with python3 tools/site-build/build_indexes.py (add
--check to verify without writing). When you add an article, add it to
research/articles.json - dropping an HTML file into research/ alone will not list it,
and CI (and the hook) will flag it as an orphan until you do.
This repo is also the source of umbrasec.dev. If you fork it for your own project, swap these for your own details:
- Scheduling link -
services.htmlhas aBook a scoping callbutton pointing athttps://cal.com/0xdev1. To change it, edit that one URL (marked with a<!-- SCHEDULING: ... -->comment). - Contact email -
0xdev1@umbrasec.dev, used inindex.html,services.html,about.html, and the palette inassets/umbra.js. - GitHub -
github.com/umbrasecdev/umbrasecthroughout. - Crypto tip addresses - the BTC/XMR addresses and QR SVGs live in
assets/umbra.js(COINS) andassets/btc-qr.svg/assets/xmr-qr.svg.
Found a detection that misbehaves, a wrong citation, or an analysis that's off? That feedback is welcome - open an issue. Corrections are credited.
Code and tools: MIT. Written research/content: © UMBRASEC, free to read.