Open source cybersecurity intelligence, threat research, defensive tooling, and training — built by the community, for the community.
Interactive dashboards and matrices generated from open source intelligence feeds, MITRE ATT&CK mappings, and real-world malware analysis. All data and tooling are freely available through our Elastic Potato project.
MITRE ATT&CK re-envisioned through the lens of Windows API calls. Maps technique IDs to the native APIs that malware uses to execute each tactic, with cross-references to known malware families and EDR hook points.
Comprehensive analysis of EDR vendor API hook coverage mapped against known evasion techniques. Identifies gaps in userland hooking across major endpoint protection platforms with risk-tiered severity ratings.
Real-time intelligence dashboard aggregating APT group activity, malware family tracking, and campaign indicators from open source threat intel feeds including MITRE, VirusTotal, and community contributions.
Free CompTIA certification training in Spanish — video lessons taught by Katie, your AI-powered tech instructor. Watch the full courses on YouTube.
Spanish-language video course covering CompTIA Security+ (SY0-701). Hosted on YouTube under Cyber Panda. New lessons added regularly — subscribe to follow along.
Spanish-language video course covering CompTIA A+ Core 1 (220-1101) and Core 2 (220-1102). Hosted on YouTube under Cyber Panda. New lessons added regularly — subscribe to follow along.
Elastic Potato is the Elastic-focused triage toolkit at the core of Macaroni Rockets — covering remote collector deployment, offline forensic triage (UAC + router), Elastic alert investigation with an AI agent, and process baselining in an Elastic environment. Companion projects extend the workflow: Hardening & Compliance and NextGen NSRL.
Pushes UAC, KAPE, and DFIR-ORC to remote hosts from pre-staged offline packages. No internet access required on the target — ideal for incident response on air-gapped or restricted networks.
Pulls ~75 forensic commands from a live router or edge device over SSH and saves the dump for offline analysis. Auto-detects platform across Cisco IOS-XE, NX-OS, Junos, FortiOS, PAN-OS, MikroTik, and more.
Offline expert analysis of Unix Artifact Collector dumps: rootkit detection, hidden processes, C2 hunting, persistence mechanisms, credential exposure, timeline reconstruction, and APT attribution against the apt/ intel base.
APT-focused analysis of routers and edge devices. Run live via SSH against the device or offline against a previously saved dump. Produces HTML triage reports for IR delivery.
Agentic Elastic alert investigation for both Windows and Linux endpoints. Pulls detonation logs, enriches with VirusTotal offline data, and produces a structured alert triage report — tuned per the included tuning guide.
Pulls Elastic detonation logs by time window and runs Thor or Loki YARA/IOC scans against downloaded malicious files. Combined offline analysis path bundles log pull, rule refresh, and AI triage in one step.
Keeps detection content current: pulls the LOL Drivers database (loldrivers.io + LOLDrivers Sigma + SigmaHQ) and syncs Elastic's protections-artifacts YARA rules into the local detections cache.
Surveys new processes appearing in an Elastic environment along several axes: specific process name, new drivers, unverified publishers, unsigned Windows processes, and unsigned Linux processes.
Enriches baseline findings with VirusTotal verdicts, APIVoid IP reputation, suspicious-ASN flags, domain cleanup, and special-character process detection — the long tail where attackers hide.
Hardening & Compliance is a Windows + Linux toolkit for applying CIS/STIG-aligned configuration and running read-only audits against NIST 800-53, NIST 800-171, CIS Benchmarks, and CMMC 2.0 — with HTML/CSV reports.
Generates import-ready Group Policy Object backups for Workstation, Server, and Domain Controller profiles. Imports hardened GPOs into Active Directory with optional OU linking and enforcement — aligned with CIS and DoD STIG recommendations.
Apply CIS/STIG configuration without Active Directory or Group Policy. Uses secedit, auditpol, and registry to enforce baseline settings on a single host. Profile auto-detection distinguishes workstations, member servers, and DCs.
Bash scripts that deploy hardened auditd rules and rsyslog/journald configuration aligned with CIS Linux benchmarks. Runs natively on Linux or via WSL from a Windows host.
Read-only audit against CIS Linux benchmarks producing pass/fail/remediation output. Pairs with the auditd/logging hardening scripts to verify enforcement.
~200-check rapid audit combining NIST 800-53 Rev 5 controls with CIS Benchmark essentials. Read-only and non-disruptive — safe to run in production.
Comprehensive scans across Win 10/11 and Server 2022. Full CIS Benchmark coverage (~420 checks), CMMC 2.0 (Level 1 or Level 1+2), and all 110 NIST 800-171 Rev 2 controls.
Exports the last scan as formatted HTML and CSV reports with pass/fail status and remediation notes — ready for assessor delivery and tracking.
NextGen NSRL is a VirusTotal-driven baseline and statistical differential analysis platform — a modern replacement for the legacy NSRL hash set, enriched with APT intelligence, fidelity scoring, and behavioral differentials.
Builds clean process baselines from running systems, enriched with VirusTotal verdicts across multiple API keys. The agentic Fidelity Index engine produces fidelity-index.json and process-baseline.json artifacts for downstream differential analysis.
Pulls VirusTotal metadata for nation-state actor hash sets (apt/APTs/**/*_Master_Intel.csv). Run against ALL APT families or filter to a specific actor or malware family for targeted analysis.
Deduplicates IOC lists by normalizing MD5/SHA1 to SHA256 via VirusTotal, filters out already-known MalwareBazaar entries, and organizes local baselines across categories with dedupe across the corpus.
Statistical analysis of malicious API calls and DLL loads against the clean process baseline. Identifies anomalous behavior that distinguishes malware from legitimate software — the long tail where attackers live.
Targeted differential analysis for individual malware families or APT campaigns. Cross-references YARA, Sigma, certificate, and API differential signals stored as versioned JSON artifacts.
Pulls VirusTotal YARA and Sigma detection metadata for a list of hashes, measuring which samples are caught by which rules — quantifying detection coverage across the rule corpus.
We believe that effective cybersecurity shouldn't be locked behind enterprise paywalls. Every defender deserves access to the same quality of threat intelligence and analysis tooling as the adversaries they face.
All of our research, tooling, and intelligence outputs are published freely. Our core project Elastic Potato provides automated threat analysis pipelines anyone can run.
Built by practitioners, for practitioners. We contribute back to the security community through shared detections, analysis frameworks, and research outputs that make everyone's defenses stronger.
We don't just aggregate data — we analyze it. Our reports map real-world threats to defensive gaps, giving security teams the context they need to prioritize what matters right now.
By understanding attacker tooling at the API level and mapping EDR coverage gaps, we help defenders stay ahead. Transparency about what is and isn't covered is the first step to closing those gaps.