Skip to content

umbrasecdev/umbrasec

Repository files navigation

UMBRASEC logo

UMBRASEC

Defensive security tooling and detection research - runnable Sigma rules and KQL queries, a zero-dependency CISA KEV monitor, a daily-synced KEV feed, and a single-page blue-team reference. Defensive in scope, every claim tied to a primary source.

KEV sync Sigma validation License: MIT Site

Try it in 10 seconds

kev-watch needs Python 3.9+ and nothing else - no packages, no install step:

git clone https://github.com/umbrasecdev/umbrasec
python3 umbrasec/tools/kev-watch/kev_watch.py --watch fortinet ivanti citrix

That prints newly-added, actively exploited CVEs from CISA's Known Exploited Vulnerabilities catalog, filtered to the vendors you actually run:

CISA KEV catalog 2026.06.11 · 1618 total entries · mode: since

CVE-2026-10520
  Ivanti Sentry - Ivanti Sentry OS Command Injection Vulnerability
  added 2026-06-11   remediate by 2026-06-14
  action: Apply mitigations in accordance with vendor instructions ...
  https://nvd.nist.gov/vuln/detail/CVE-2026-10520

1 item(s) reported.

Public data only; it reads one JSON feed and never touches a target system.

What's inside

What it is
tools/kev-watch/ Zero-dependency Python monitor for the CISA KEV catalog. Tracks newly added, actively exploited CVEs, filters to your stack, flags ransomware-linked entries, warns on remediation deadlines.
tools/sigma-pack/ The detection rules from the research writeups as runnable files: Kerberoasting Sigma rules (T1558.003), OAuth consent-phishing KQL queries (T1528), and LiteLLM command-injection Sigma rules (CVE-2026-42271, T1190) so far, each with tuning and false-positive notes. Sigma rules are syntax-validated with sigma-cli in CI, and a per-rule ATT&CK coverage table maps every artifact to its technique.
tools/blue-team-mapper/ A single-page defender reference covering the defensive lifecycle: SIEM/log-source priority, detection engineering, IR flow chains, threat hunting, identity and cloud hardening, SOAR playbooks - ATT&CK-aligned. Use it live.
research/ Detection and threat writeups: Kerberoasting, OAuth consent phishing in M365, OWASP LLM Top 10 for defenders, Securing AI agents, LiteLLM command injection (CVE-2026-42271), plus threat profiles of ransomware crews active against Australian SMBs - INC Ransom and SafePay. Every rule in sigma-pack comes from one of the detection writeups.
guide/ A free, staged security guide for small and mid-sized businesses - from zero to a defensible baseline, with every recommendation mapped to the ASD Essential Eight, ISO 27001:2022, and NIST CSF 2.0, and each step explained as what it is, why it matters, and what it costs.

The KEV feed, as a feed

A GitHub Action syncs the CISA KEV catalog twice daily into a small JSON file holding the 10 most recently added actively-exploited CVEs, newest first - handy for dashboards, tickers, and "what just got exploited" checks without CORS issues or hitting cisa.gov yourself:

https://umbrasec.dev/assets/kev-latest.json
# the five most recently added actively-exploited CVEs
curl -s https://umbrasec.dev/assets/kev-latest.json |
  jq -r '.vulnerabilities[:5][] | "\(.dateAdded)  \(.cveID)  \(.vendorProject) \(.product)"'

Fields per entry: cveID, vendorProject, product, vulnerabilityName, dateAdded, knownRansomwareCampaignUse. Top level carries catalogVersion, synced, and count (the full catalog's entry count, not this file's). It is deliberately a recent-entries feed, not a mirror - for the full catalog, go to CISA or run kev-watch, which queries CISA's feed directly. Updates daily at 06:17 UTC.

Focus right now

  • Detection engineering - writeups with rules you can actually run (Sigma, mapped to real event IDs and MITRE ATT&CK techniques), plus tuning and false-positive notes.
  • Honest threat analysis - technical breakdowns of real techniques and CVEs, every claim tied to a primary source.
  • Open-source defensive tooling - small, useful tools for defenders, built in the open.
  • LLM / AI security - defensive coverage of prompt injection, the OWASP LLM Top 10, and securing tool-calling AI agents as a class of risk (several writeups live).
  • SMB security guidance - a free, framework-grounded guide taking a small business from zero to a defensible baseline, one stage at a time (plus a paid one-person vCISO service for businesses that want hands-on help getting there).

Who's behind it

UMBRASEC is run by 0xdev1 - a single, independent practitioner. The research and tools here are free and open; there is also a one-person vCISO advisory service for small and mid-sized businesses, honestly labelled as exactly that. It makes no claims of a track record it doesn't have yet: it's new, and says so. The plan is the honest one - publish genuinely useful, well-sourced work, let it be checked, and let any reputation grow from there.

Everything published is defensive in scope. The research explains how attacks work so defenders can detect and stop them - no working exploits, malware, or offensive tooling ships from here.

Site: umbrasec.dev · Contact: 0xdev1@umbrasec.dev

Roadmap (later)

Planned directions as the project grows - not live yet, listed honestly as intent:

  • Threat intelligence - tracking and analysis of real-world campaigns and infrastructure.

Working on this repo

The research lists - the index.html featured trio, the research/index.html grid, feed.xml, sitemap.xml, and each article's prev/next footer nav - are generated from research/articles.json by tools/site-build/build_indexes.py. That manifest is the single source of truth; CI (Site build check) fails if any derived file drifts from it, or if a research/*.html page exists that the manifest does not list (an orphan).

A tracked pre-commit hook keeps them in sync: it regenerates the derived files and stages them on every commit. Enable it once per clone:

git config core.hooksPath .githooks

Or regenerate by hand any time with python3 tools/site-build/build_indexes.py (add --check to verify without writing). When you add an article, add it to research/articles.json - dropping an HTML file into research/ alone will not list it, and CI (and the hook) will flag it as an orphan until you do.

Forking the site

This repo is also the source of umbrasec.dev. If you fork it for your own project, swap these for your own details:

  • Scheduling link - services.html has a Book a scoping call button pointing at https://cal.com/0xdev1. To change it, edit that one URL (marked with a <!-- SCHEDULING: ... --> comment).
  • Contact email - 0xdev1@umbrasec.dev, used in index.html, services.html, about.html, and the palette in assets/umbra.js.
  • GitHub - github.com/umbrasecdev/umbrasec throughout.
  • Crypto tip addresses - the BTC/XMR addresses and QR SVGs live in assets/umbra.js (COINS) and assets/btc-qr.svg / assets/xmr-qr.svg.

Corrections

Found a detection that misbehaves, a wrong citation, or an analysis that's off? That feedback is welcome - open an issue. Corrections are credited.

License

Code and tools: MIT. Written research/content: © UMBRASEC, free to read.

About

UMBRASEC is an independent research project focused on the defensive side of security - detection engineering, honest threat analysis, open-source tooling, and a free security guide for small businesses.

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors