TryHackMeTop 1%, 121 roomsHands-on rooms, practice notes, and steady repetition.Published toolSTIGPilot on PyPIOpen sourceAtomic Red Team, Splunk, SigmaHQ, Elastic PRs
AvailableSecurity operations, detection, IAM, and analyst work.

Best fit: careful investigation, useful automation, and trustworthy notes.

Track record

Built, shipped, reviewed.

Tools you can install. Merged fixes in security projects teams rely on. Hands-on practice, all public.

  1. 01Builddefensive tools
  2. 02Contributeupstream fixes
  3. 03Detectqueries and fixes
  4. 04Documenthandoffs teams can trust
TryHackMeTop 1%

121 hands-on rooms across SOC, SIEM, EDR, and blue-team practice.

View TryHackMe
Upstream PRs7

Merged and open fixes across Atomic Red Team, Splunk security_content, SigmaHQ, Elastic, and LLMForge.

View PRs
Public work18

Public tools, labs, case studies, and contribution notes, including STIGPilot on PyPI.

View work
Identity cleanupDo not remove access from one stale timestamp.
STIGPilotTurn dense compliance changes into work people can assign.
Detection handoffMake the next analyst’s question easier to answer.

Selected work

A few pieces worth starting with, plus the full archive when you want the rest.

primary caseNetwork

Home Network Security Control Plane

Production-style HomeNet operations

Firewall policy, DNS control, logs, canary checks, and recovery state separated by function and tracked in a private control plane. Daily-use home network run like a production environment.

OPNsenseProxmoxControl viewRecovery
question:can daily network operations stay visible without adding an inline bottleneck?
checked:OPNsense, CrowdSec, NetBox, Uptime Kuma, Victoria, NetAlertX, OpenCanary, Trivy/Syft
control view:Homepage Mission Status, Security Snapshot, and Recovery Snapshot
decision:keep enforcement on OPNsense; stage remote access, endpoint agents, and VLANs
Identity

IdentityRiskGraph

CloudTrail IAM risk review

Open →
Detection

Splunk Detection Content

Detection library

Open →
Full archive18 projects, labs, and contribution notesOpen all work →

Local lab

Browser Surface Check

A quiet browser self-check. It shows what ordinary JavaScript can see from any page you visit — the same signals used in fingerprinting, session tracking, and fraud detection. The result stays on your machine.

  • Local only.
  • No tracking.
  • No storage.
  • No network request.
Browser surfaceRendering checksReview note
Surface
screen, browser, timezone, language
Rendering
canvas, audio, WebGL
Use
compare privacy settings and browser profiles
Open the check

Method

Before I trust the result.

A finding is only useful after it holds up under scrutiny. My approach is simple: read the system, compare what changed, avoid early conclusions, and leave a cleaner note behind.

  1. 01Identity cleanup

    Do not remove access from one stale timestamp.

    Seen
    Old device activity in Entra ID.
    Check
    Interactive sign-ins, owner context, join type, management status, and dry-run output.
    Avoid
    Disabling access before person and device context agree.
    Leave
    Dry-run list with review, owner, and approval notes.
    Read the lapse case
  2. 02Detection triage

    Persistence needs a maintenance check.

    Seen
    A scheduled task is created or changed.
    Check
    Task action, author, run context, binary path, parent process, recent logons, and maintenance windows.
    Avoid
    Calling normal endpoint management activity malicious too early.
    Leave
    Triage note with host, user, command line, and tuning detail.
    Open detection notes
  3. 03Browser review

    Exposure is not the same as compromise.

    Seen
    A browser or LMS workflow reveals more surface than expected.
    Check
    What JavaScript can observe, what leaves the page, account context, screenshots, and permission boundaries.
    Avoid
    Turning a privacy concern into a security claim without evidence.
    Leave
    Local-only surface note with plain-language risk boundaries.
    Open the local lab
  4. 04Network controls

    Convenience changes the attack path.

    Seen
    A home or lab service needs easier access.
    Check
    Ingress rules, DNS, firewall policy, admin surface exposure, backups, and recovery path.
    Avoid
    Publishing management panels just to make monitoring easier.
    Leave
    Control note with exposed surface, recovery path, and deferred work.
    Read the network case

Contact

Open to security operations, detection, IAM, and analyst work.

If you're building a defensive security team and want someone who can investigate, automate small workflows, tune detections, and leave useful notes, reach out.

Start with STIGPilot, lapse, the open source PRs, or the home network case.

contact [at] srkyn.com

Quick jump

Open a project, note, profile, or resume without hunting through the page.

Use arrows to move, Enter to open, Escape to close.