A curated list of tools I use across threat intelligence, security operations, detection engineering, and automation. Each entry includes a note on how I use it in practice.
Threat Intelligence Platforms
MISP
Open-source threat intelligence sharing platform. I use MISP as the central IOC repository: ingesting feeds, tagging events with ATT&CK techniques, and pushing enriched indicators to SIEM and EDR via the API.
OpenCTI
A knowledge graph for threat intelligence with native STIX 2.1 support. Useful for building actor profiles, tracking campaign relationships, and visualising the connections between TTPs, malware, and infrastructure.
AlienVault OTX
Community-driven threat intel feed. I pull OTX pulses into the IOC enrichment pipeline for additional context on IPs, domains, and hashes; particularly useful for regional threat campaigns.
Malware Analysis & Sandboxes
Any.run
Interactive sandbox for detonating suspicious files and URLs. The real-time process tree and network activity views make it invaluable for phishing analysis automation; behaviour results feed directly into verdict scoring.
VirusTotal
Multi-engine file, URL, IP, and domain reputation platform. Used extensively in enrichment pipelines via the v3 API. The graph feature is underrated for visualising malware infrastructure.
Cuckoo Sandbox
Self-hosted malware analysis environment. Useful when files are too sensitive to submit to public sandboxes. Integrates cleanly with SOAR playbooks via the REST API. Note that the original Cuckoo 2.x codebase is Python 2 and no longer maintained; CAPE Sandbox and Cuckoo3 are the actively developed successors if you are standing up a new instance.
FLOSS
FireEye/Mandiant tool for automatically extracting obfuscated strings from malware binaries — far more effective than plain strings for packed or encoded samples.
OSINT & Reconnaissance
Shodan
Search engine for internet-connected devices. I use Shodan in IOC enrichment to check open ports, services, and historical data for suspicious IPs. The API integrates directly into the enrichment pipeline.
Censys
Similar to Shodan but with stronger TLS certificate search. Useful for tracking threat actor infrastructure: C2 servers often reuse certificates across campaigns, and the default certificates shipped with common C2 frameworks can be pivoted on by fingerprint.
URLScan.io
Automated URL scanner that captures screenshots, DOM content, and network requests. Used in phishing analysis for safe URL detonation and visual inspection without visiting the site directly.
WHOIS / DomainTools
Domain registration history and WHOIS data. Checking domain age is a critical step in phishing triage: domains registered less than 30 days ago are heavily weighted in the verdict engine. Privacy-redacted registrations may omit the creation date entirely, so an unknown age should be treated as its own signal rather than scored as an old domain.
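As an added example (not the author's verdict engine), here is what "domain age heavily weighted in the verdict engine" looks like when combined with the sandbox behaviour and VirusTotal signals mentioned above. The weights, thresholds, WHOIS excerpts and the fixed clock are all constructed assumptions for illustration; the only real-world detail relied on is the `Creation Date:` field that WHOIS servers print.

```python
import re
from datetime import datetime, timezone

# Illustrative weights and thresholds; these are assumptions, not the author's
# production tuning.
WEIGHTS = {
    "domain_age_lt_30d": 40,
    "domain_age_lt_90d": 15,
    "credential_form": 25,      # sandbox saw a credential-harvesting form
    "redirect_chain": 10,       # sandbox saw two or more redirect hops
    "vt_per_engine": 5,         # per VirusTotal engine flagging the URL
}
VT_CAP = 30                     # so a noisy engine count cannot dominate
THRESHOLDS = (("malicious", 60), ("suspicious", 30))   # checked in order

# Matches the creation-date field as printed by common WHOIS servers.
_CREATED_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On|created):\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_creation_date(whois_text):
    """Return the registration timestamp (UTC) or None if the record lacks one."""
    m = _CREATED_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1).rstrip("Z")
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def domain_age_days(whois_text, now):
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days

def score_phishing(whois_text, sandbox, vt_detections, now):
    """Combine WHOIS age, sandbox behaviour and VT hits into a weighted verdict."""
    score, reasons = 0, []
    age = domain_age_days(whois_text, now)
    if age is None:
        # Redacted or unparseable record: never treat unknown as "old".
        reasons.append("domain age unknown")
    elif age < 30:
        score += WEIGHTS["domain_age_lt_30d"]
        reasons.append(f"domain registered {age} days ago")
    elif age < 90:
        score += WEIGHTS["domain_age_lt_90d"]
        reasons.append(f"domain registered {age} days ago")
    if sandbox.get("credential_form"):
        score += WEIGHTS["credential_form"]
        reasons.append("credential form observed in sandbox")
    if sandbox.get("redirect_hops", 0) >= 2:
        score += WEIGHTS["redirect_chain"]
        reasons.append(f"{sandbox['redirect_hops']}-hop redirect chain")
    if vt_detections:
        score += min(vt_detections * WEIGHTS["vt_per_engine"], VT_CAP)
        reasons.append(f"{vt_detections} VirusTotal engines flagged the URL")
    verdict = next((name for name, t in THRESHOLDS if score >= t), "benign")
    return {"score": score, "verdict": verdict, "reasons": reasons}

# Constructed WHOIS excerpts (not real registrations) and a fixed clock so the
# example is deterministic.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
WHOIS_NEW = """Domain Name: EXAMPLE-LOGIN-VERIFY.TEST
Registrar: Example Registrar, Inc.
Updated Date: 2024-05-20T09:12:44Z
Creation Date: 2024-05-20T09:12:44Z
Registry Expiry Date: 2025-05-20T09:12:44Z
"""
WHOIS_OLD = """Domain Name: EXAMPLE.TEST
Creation Date: 1997-09-15T04:00:00Z
"""
WHOIS_REDACTED = """Domain Name: EXAMPLE-PORTAL.TEST
Registrant Organization: REDACTED FOR PRIVACY
"""

def demo():
    return {
        "new": score_phishing(WHOIS_NEW, {"credential_form": True, "redirect_hops": 3}, 2, NOW),
        "old": score_phishing(WHOIS_OLD, {}, 0, NOW),
        "redacted": score_phishing(WHOIS_REDACTED, {"credential_form": True}, 1, NOW),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], result["score"], "; ".join(result["reasons"]))
```

The redacted case is the one worth noticing: with no creation date the age contributes nothing either way, and the verdict rests on the sandbox and VT evidence alone, which is why the script records "domain age unknown" as an explicit reason rather than silently scoring it.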
Detection & Monitoring
Splunk
Primary SIEM for alert correlation, threat hunting queries, and detection engineering. SPL (Search Processing Language) is the query language I use most across hunt packages and tuning automation.
Microsoft Sentinel
Cloud-native SIEM/SOAR with deep Microsoft 365 and Entra ID integration. KQL is expressive and fast; particularly strong for identity-based hunting and the compromised account playbook.
Sigma
Generic, YAML-based detection rule format that converts to Splunk SPL, Sentinel KQL, Elastic, and other backends through pySigma and sigma-cli. Writing detections in Sigma first prevents vendor lock-in and makes sharing with the community straightforward.
YARA
Pattern-matching language for malware detection. I use YARA rules in sandbox pipelines, EDR custom detections, and MISP for classifying malware families against collected samples.
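To make the Sigma entry concrete, here is an added example (my code, not the author's or the Sigma project's): a minimal evaluator that runs one Sigma rule over sample process-creation events, handling the `|contains` and `|endswith` modifiers, value lists as OR, and `and`/`or`/`not` conditions, and that also pulls the ATT&CK technique IDs out of the rule's `tags` for coverage mapping. The rule is written as the dict that `yaml.safe_load()` would produce so the script needs only the standard library; the `ParentImage` filter is a hypothetical allowlist and the events are constructed, not real telemetry.

```python
import re

# A Sigma rule as the dict yaml.safe_load() would produce from the YAML file.
# The ParentImage filter is a hypothetical allowlist for a deployment agent.
RULE = {
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": [" -enc ", " -EncodedCommand "],
        },
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027"],
}

# Sigma string matching is case-insensitive by default; callers lower() both sides.
_MODIFIERS = {
    None: lambda v, p: v == p,
    "contains": lambda v, p: p in v,
    "startswith": lambda v, p: v.startswith(p),
    "endswith": lambda v, p: v.endswith(p),
}

def match_selection(selection, event):
    """Every field in a selection must match; a list of values for one field is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = patterns if isinstance(patterns, list) else [patterns]
        value = str(event[field]).lower()
        if not any(_MODIFIERS[modifier or None](value, str(p).lower()) for p in candidates):
            return False
    return True

def evaluate_condition(condition, results):
    """Evaluate 'a and not (b or c)'-style conditions: not binds tightest, then and, then or."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0
    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()  # always consume the right side; no short-circuit
            value = value or rhs
        return value
    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value
    def parse_not():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if tokens[pos:pos + 1] != [")"]:
                raise ValueError("unbalanced parentheses in condition")
            pos += 1
            return value
        return results[tok]  # KeyError on an undefined selection name
    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return value

def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: match_selection(sel, event) for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)

def run_rule(rule, events):
    return [e["_id"] for e in events if rule_matches(rule, e)]

def attack_techniques(rule):
    """Extract ATT&CK technique IDs (attack.tNNNN[.NNN]) from the rule's tags."""
    return [t.split(".", 1)[1].upper() for t in rule.get("tags", []) if re.fullmatch(r"attack\.t\d{4}(\.\d{3})?", t)]

# Constructed process-creation events (not real telemetry); PS is the shared PowerShell path.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"_id": "evt-1", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "POWERSHELL.EXE -nop -w hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"_id": "evt-2", "Image": PS, "ParentImage": "C:\\Windows\\CCM\\ccmexec.exe",
     "CommandLine": "powershell.exe -enc ZQBjAGgAbwAgAGgAaQA="},
    {"_id": "evt-3", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c echo -enc test"},
    {"_id": "evt-4", "Image": PS.replace("System32", "SysWOW64"), "ParentImage": "C:\\Users\\Public\\setup.exe",
     "CommandLine": "powershell.exe -EncodedCommand ZQBjAGgAbwA= -NoProfile"},
]
```

Running `run_rule(RULE, EVENTS)` returns `['evt-1', 'evt-4']`: evt-2 is suppressed by the filter and evt-3 fails the `Image` clause, while evt-1 matches despite its mixed-case command line. `attack_techniques(RULE)` yields `['T1059.001', 'T1027']`, which is the list you would feed into an ATT&CK Navigator layer for coverage tracking.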
Automation & Orchestration
Palo Alto Cortex XSOAR
The SOAR platform behind most of the playbooks documented in this site. Python-based playbook scripting with a large integration library covering most enterprise security tools.
n8n
Self-hosted workflow automation. Useful for lighter automation tasks: webhook-triggered enrichment, scheduled report delivery, and connecting tools that don't have a native SOAR integration.
Python 3
The primary language for all automation projects on this site. Key libraries: pymisp, vt-py, requests, pandas, jinja2, telethon, splunk-sdk.
Threat Intelligence Frameworks & References
MITRE ATT&CK
The universal vocabulary for adversary behaviour. Every hunt package, detection rule, and playbook on this site maps back to ATT&CK techniques. The Navigator tool is essential for visualising coverage gaps.
MITRE D3FEND
The defensive counterpart to ATT&CK: a catalogue of defensive techniques related to the ATT&CK techniques they counter through the digital artifacts both act on. Useful for prioritising security controls and justifying tooling investments to management.
CISA KEV Catalog
CISA's list of vulnerabilities with confirmed in-the-wild exploitation. A CVE in this list instantly becomes a P1 remediation priority regardless of CVSS score.
FIRST EPSS
Exploit Prediction Scoring System: a daily probability that a CVE will be exploited in the wild in the next 30 days, published by FIRST as a downloadable CSV and an API. More operationally useful than CVSS alone for prioritising patch tickets.
Malpedia
Curated malware family encyclopedia maintained by Fraunhofer FKIE. My first stop when identifying a new malware sample: family descriptions, YARA rules, and actor associations.
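The KEV and EPSS entries describe a prioritisation policy; the added example below (my code, not the author's ticketing logic) applies it to a handful of scanner findings. KEV membership forces P1 regardless of CVSS, EPSS decides the next tier, and CVSS is only a fallback, so a 9.8 with a negligible EPSS lands below a 7.5 that is actively being exploited. The CSV and JSON excerpts are constructed in the layout of the EPSS daily file and the KEV feed (invented CVE IDs and scores), and the tier thresholds are assumptions.

```python
import csv
import io
import json

# Constructed excerpt in the layout of the FIRST EPSS daily CSV (a "#model_version"
# comment line, then a cve,epss,percentile header). CVE IDs and scores are invented.
EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-06-01T00:00:00+0000
cve,epss,percentile
CVE-2024-11111,0.02100,0.88
CVE-2024-22222,0.00410,0.72
CVE-2024-33333,0.35200,0.97
CVE-2024-44444,0.00090,0.39
"""

# Constructed excerpt in the layout of the CISA KEV JSON feed ("vulnerabilities"
# list with "cveID"); the entry is invented.
KEV_JSON = """{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [{"cveID": "CVE-2024-11111", "dueDate": "2024-06-22"}]}"""

# Constructed scanner findings; CVSS values and asset names are invented.
FINDINGS = [
    {"cve": "CVE-2024-11111", "cvss": 5.3, "asset": "vpn-gw-01"},
    {"cve": "CVE-2024-22222", "cvss": 9.8, "asset": "build-agent-07"},
    {"cve": "CVE-2024-33333", "cvss": 7.5, "asset": "web-01"},
    {"cve": "CVE-2024-44444", "cvss": 4.3, "asset": "print-srv"},
    {"cve": "CVE-2024-55555", "cvss": 8.1, "asset": "db-02"},   # too new to have an EPSS score
]

# Tier thresholds are assumptions for illustration, not the author's SLA policy.
EPSS_P2 = 0.10   # roughly the top few percent of scored CVEs
EPSS_P3 = 0.01
CVSS_P3 = 7.0

def load_epss(text):
    """Map CVE -> EPSS probability, skipping the leading '#' comment line(s)."""
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in rows}

def load_kev(text):
    return {v["cveID"] for v in json.loads(text)["vulnerabilities"]}

def tier(finding, epss, kev):
    """P1 for KEV regardless of CVSS; then EPSS; CVSS only as a fallback."""
    cve = finding["cve"]
    if cve in kev:
        return "P1"
    score = epss.get(cve)              # None when EPSS has not scored the CVE yet
    if score is not None and score >= EPSS_P2:
        return "P2"
    if finding["cvss"] >= CVSS_P3 or (score is not None and score >= EPSS_P3):
        return "P3"
    return "P4"

def prioritize(findings, epss, kev):
    """Return findings annotated with tier, EPSS and KEV flag, ordered for the patch queue."""
    ranked = [{**f, "tier": tier(f, epss, kev), "epss": epss.get(f["cve"]), "kev": f["cve"] in kev}
              for f in findings]
    # Within a tier: highest exploitation probability first, then CVSS; unscored CVEs last.
    ranked.sort(key=lambda r: (r["tier"], -(r["epss"] if r["epss"] is not None else -1.0), -r["cvss"]))
    return ranked

def demo():
    return prioritize(FINDINGS, load_epss(EPSS_CSV), load_kev(KEV_JSON))

if __name__ == "__main__":
    for r in demo():
        print(r["tier"], r["cve"], f"cvss={r['cvss']}", f"epss={r['epss']}", "KEV" if r["kev"] else "-", r["asset"])
```

The unscored CVE-2024-55555 is the edge case to handle deliberately: EPSS lags publication, so a missing score must neither be read as zero risk nor crash the pipeline; here it falls back to CVSS for its tier and sorts after scored peers.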
Missing a tool or want to discuss any of these? Reach out at contact@malsayegh.ae