Defensive security engineering, detection content, and operational data systems.
| Principle |
|---|
| Build practical tools for authorized security review. |
| Turn evidence, logs, and telemetry into measurable defensive action. |
| Keep security work reproducible, auditable, and grounded in artifacts. |
| Track | Status | Focus | Next |
|---|---|---|---|
| Lithium |  |
Auth-gated React/Vite dashboard, SQLite-backed normalized evidence records, relative API routing, search-first review, and privacy-aware evidence drilldowns. | Prove the active React shell is the served UI, keep chat logs searchable, validate evidence drawer cleanup, and preserve viewer-gated API behavior. |
| Speculum |  |
Authorized public-surface review utilities and security audit workflows. | Expand tests, reporting, documentation, and safe input validation. |
| Detection Engineering |  |
Sigma, KQL, SPL, Elastic, structured indicators, and defensive validation scripts. | Convert repeatable incident patterns into tested detection content. |
| Infrastructure Hardening | |
Inventory, configuration review, service exposure checks, and rollback-safe automation. | Keep scripts small, auditable, reversible, and evidence-producing. |
| 🤖 |
Lithium status: Running private build Current read: Auth-gated React dashboard backed by normalized SQLite evidence records Next proof: Served UI must match the active React shell build, not stale dashboard assets |
| Area | Current running state |
|---|---|
| Status |  |
| Public boundary | Dashboard traffic enters through an authenticated Nginx proxy. Unauthenticated dashboard and API requests are expected to return 401 Unauthorized. |
| Frontend | React/Vite dashboard shell. User-facing UI name is Lithium. The active UI must be served from the current React shell build, not legacy Streamlit pages, stale release folders, or copied dashboard assets. |
| API contract | Frontend uses relative same-origin API calls, especially GET /api/chat/events. Public IPs, localhost ports, tokens, chat IDs, and direct backend service ports are intentionally not documented here. |
| Data layer | SQLite-backed normalized dashboard records. Raw Telegram, journal, memory, and bridge files are treated as source evidence, not runtime dashboard data sources. |
| Access model | Dashboard access is viewer-gated. Admin views and normal evidence views are separated. Unknown or unauthenticated viewers are blocked before records are exposed. |
| Current UI priority | Chat Logs first: search, profile filters, source filters, count audit bar, readable table columns, row-click evidence drawer, and clean technical evidence details. |
| Evidence rule | Claims, summaries, filters, and dashboard cards must link back to evidence records or clearly show that evidence is missing. No fake scores, unsupported insights, or raw JSON dumps in the normal UI. |
| Active services summary | Nginx, React shell, dashboard backend/proxy, public API proxy, and chat events API are active. A duplicate React API service was intentionally disabled to avoid port collision. |
| Safety note | No secrets are stored in this public tracker. Runtime credentials, private messages, chat IDs, tokens, passwords, and private evidence text are excluded. |
Auto-updated: 2026-05-21 20:11 UTC
Source: CISA Known Exploited Vulnerabilities catalog. Severity below is Zeid Data operational severity, not a CVSS score.
| Severity | CVE | Product | Risk class | Added | Due | Zeid Data defensive build | Rationale |
|---|---|---|---|---|---|---|---|
 |
CVE-2025-34291 |
Langflow Langflow | Known exploited vulnerability | 2026-05-21 |
2026-06-04 |
KEV watcher item and manual validation checklist | Ransomware-linked, RCE/auth bypass, or immediate exploit priority |
|
CVE-2026-34926 |
Trend Micro Apex One | Path traversal/file exposure | 2026-05-21 |
2026-06-04 |
Route/file exposure audit, web evidence capture, remediation report | Ransomware-linked, RCE/auth bypass, or immediate exploit priority |
|
CVE-2008-4250 |
Microsoft Windows | Memory corruption | 2026-05-20 |
2026-06-03 |
Patch-priority radar and host-update validation | Ransomware-linked, RCE/auth bypass, or immediate exploit priority |
|
CVE-2009-1537 |
Microsoft DirectX | Known exploited vulnerability | 2026-05-20 |
2026-06-03 |
KEV watcher item and manual validation checklist | Ransomware-linked, RCE/auth bypass, or immediate exploit priority |
|
CVE-2009-3459 |
Adobe Acrobat and Reader | Memory corruption | 2026-05-20 |
2026-06-03 |
Patch-priority radar and host-update validation | Ransomware-linked, RCE/auth bypass, or immediate exploit priority |
|
CVE-2010-0249 |
Microsoft Internet Explorer | Known exploited vulnerability | 2026-05-20 |
2026-06-03 |
KEV watcher item and manual validation checklist | Ransomware-linked, RCE/auth bypass, or immediate exploit priority |
|
CVE-2010-0806 |
Microsoft Internet Explorer | Known exploited vulnerability | 2026-05-20 |
2026-06-03 |
KEV watcher item and manual validation checklist | Ransomware-linked, RCE/auth bypass, or immediate exploit priority |
|
CVE-2026-41091 |
Microsoft Defender | Known exploited vulnerability | 2026-05-20 |
2026-06-03 |
KEV watcher item and manual validation checklist | Ransomware-linked, RCE/auth bypass, or immediate exploit priority |
| Pattern | Evidence to look for | Zeid Data build |
|---|---|---|
| Exploited CVEs | Known exploited products, missing patch evidence, internet exposure | KEV radar, exposure checks, patch validation |
| Public metadata exposure | Public profiles, account linkage, visible relationships | Authorized public visibility audit tooling |
| Windows persistence | New services, scheduled tasks, startup entries, orphan binaries | Suspicious persistence inventory and cleanup scripts |
| Detection gaps | Missing SIEM rules, weak telemetry, untested assumptions | Sigma, KQL, SPL, and Elastic detections |
| Weak evidence chain | Findings without logs, source refs, or reproducible tests | Normalized evidence records, source refs, reports, dashboards |
| Signal | Value |
|---|---|
| Repository | Zeid-Data/lithium |
| Visibility | private |
| Language | mixed |
| Default branch | main |
| Last push | 2026-05-21T02:52:54Z |
| Latest commit | 935a5c2 Add Lithium README |
| Latest workflow | No workflow run visible |
| Repo | Language | Updated | Description |
|---|---|---|---|
| Zeid-Data/.github | Python | 2026-05-21 |
Zeid Data organization profile and dynamic threat intel radar |
| Zeid-Data/dominos_source | Python | 2026-05-17 |
Python bindings for the Domino APIs |
Threat intel is only useful when it becomes a control, a detection, a test, or a fix.
| Adversary Behavior | Telemetry | Defensive Control | Zeid Data Build |
|---|---|---|---|
| Account takeover | Authentication logs Mailbox rules OAuth grants Device history |
MFA review Session revocation Rule cleanup Login anomaly detection |
Identity incident checklist and account review scripts |
| Secret harvesting | Git history Workflow files Environment files Token inventory |
Secret scanning Token rotation Least-privilege review Protected branches |
Repository exposure audit workflow |
| Endpoint persistence | Services Scheduled tasks Startup folders Run keys PowerShell logs |
Persistence inventory Safe-disable process Script block logging Change audit |
Windows cleanup and persistence review toolkit |
| Data exposure | Public assets Storage permissions Application logs Repository metadata |
Exposure inventory Access review Evidence capture Remediation tracking |
Public-surface and data exposure review workflows |
| Repository | Description | Language | Stars | Updated |
|---|---|---|---|---|
| .github | Zeid Data organization profile and dynamic threat intel radar | Python | 0 | 2026-05-21 |
| dominos_source | Python bindings for the Domino APIs | Python | 0 | 2026-05-13T13:46:20Z |
| Rule |
|---|
| Authorized testing only. |
| Evidence before conclusions. |
| Telemetry over vibes. |
| Rollback paths before risky changes. |
| Readable outputs beat clever outputs. |
Last generated: 2026-05-21
