Cybersecurity Analyst focused on threat detection, incident response, and SIEM operations in regulated environments. Building and testing detection pipelines, security tooling, and attack simulations in a home lab environment.
I operate a segmented cybersecurity lab environment used for:
- penetration testing practice
- intrusion detection research
- network traffic analysis
- threat intelligence integration
- SIEM experimentation
My work focuses on understanding how attacks occur and building defensive visibility to detect them.
The lab is designed as a segmented enterprise-style network architecture centered around an OPNsense firewall, managed switching, dedicated infrastructure segments, and containerized security tooling.
```mermaid
graph TD
Internet[Internet] --> OPNsense[OPNsense Firewall<br/>Protectli VP2420]
OPNsense --> SWIF[igc1 - Netgear Switch Uplink]
OPNsense --> NUCIF[igc2 - Intel NUC Segment]
OPNsense --> DSHIF[igc3 - DShield Segment]
OPNsense --> DNSIF[DNS Privacy Segment]
OPNsense --> WG[WireGuard VPN<br/>Remote Access]
SWIF --> Switch[Netgear Managed Switch]
Switch --> VLAN10[VLAN10 - Cyber Lab]
Switch --> VLAN20[VLAN20 - Remote Work]
Switch --> VLAN30[VLAN30 - Trusted Wireless]
Switch --> VLAN40[VLAN40 - Guest / IoT Wireless]
Switch --> VLAN50[VLAN50 - Printer / Scanner]
Switch --> VLAN99[VLAN99 - Management]
VLAN30 --> SecureSSID[Trusted SSID]
VLAN40 --> GuestSSID[Guest SSID]
VLAN40 --> IoTSSID[IoT SSID]
VLAN40 --> KodiPi[Raspberry Pi<br/>Kodi Media Streaming]
DNSIF --> DNSPrivacy[Raspberry Pi<br/>DNS Privacy Stack]
NUCIF --> SecurityServer[Intel NUC Ubuntu Server<br/>Docker Security Stack]
SecurityServer --> Wazuh[Wazuh SIEM]
SecurityServer --> TheHive[TheHive]
SecurityServer --> Cortex[Cortex]
SecurityServer --> OpenCTI[OpenCTI]
DSHIF --> DShield[Raspberry Pi<br/>DShield Honeypot Sensor]
WG --> RemoteClients[Remote Devices<br/>4 WireGuard Endpoints]
```
This environment supports hands-on experimentation with:
- intrusion detection tuning
- SIEM alert correlation
- network traffic inspection
- adversary simulation
- threat intelligence enrichment
- firewall rule analysis
- DNS privacy infrastructure
- remote secure access via VPN
The architecture isolates lab, work, wireless, IoT, printer, and management networks while enabling controlled monitoring and telemetry collection.
Security telemetry collected within the lab environment flows through the following monitoring and analysis pipeline.
```mermaid
graph LR
Traffic[Network Traffic] --> Firewall[OPNsense Firewall]
Firewall --> Suricata[Suricata IDS/IPS]
Suricata --> Wazuh[Wazuh SIEM]
Wazuh --> Alerts[Alert Generation]
Alerts --> TheHive[TheHive Incident Response]
TheHive --> Cortex[Cortex Automated Analysis]
Cortex --> OpenCTI[OpenCTI Threat Intelligence]
OpenCTI --> Investigation[Security Investigation]
```
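The Suricata -> Wazuh -> TheHive hop in that pipeline is where raw IDS events become something an analyst can work. The script below is an added example, not code from this lab: it parses Suricata `eve.json` alert lines, correlates them per source address over a sliding window (the same host tripping several distinct signatures), enriches each finding with which lab segment the traffic crossed, and emits an alert dict shaped after TheHive's alert API. The EVE lines, the signature IDs (local-rule range 1000001+), the `10.<vlan>.0.0/16` addressing plan, the window and threshold, and the exact TheHive field set are all assumptions made for the example.

```python
"""Correlate Suricata EVE alerts into a TheHive-style alert (added example, not the lab's code)."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed addressing plan: each VLAN from the architecture diagram uses 10.<vlan>.0.0/16.
VLAN_NETS = {
    "VLAN10 Cyber Lab": ipaddress.ip_network("10.10.0.0/16"),
    "VLAN20 Remote Work": ipaddress.ip_network("10.20.0.0/16"),
    "VLAN30 Trusted Wireless": ipaddress.ip_network("10.30.0.0/16"),
    "VLAN40 Guest/IoT": ipaddress.ip_network("10.40.0.0/16"),
    "VLAN50 Printer": ipaddress.ip_network("10.50.0.0/16"),
    "VLAN99 Management": ipaddress.ip_network("10.99.0.0/16"),
}
HIGH_VALUE = {"VLAN99 Management"}   # traffic reaching into these segments gets escalated
WINDOW = timedelta(minutes=5)        # correlation window (assumed)
DISTINCT_SIG_THRESHOLD = 3           # distinct signatures per source before we raise (assumed)

# Constructed eve.json sample: one flow event (ignored), four alerts from a guest/IoT host
# (three distinct signatures, one repeat) and one unrelated alert from the trusted wireless VLAN.
SAMPLE_EVE = r'''
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.40.0.23","dest_ip":"10.99.0.1","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.40.0.23","src_port":51234,"dest_ip":"10.99.0.1","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LAB SCAN SSH probe from guest segment","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:40.000000+0000","event_type":"alert","src_ip":"10.40.0.23","src_port":51240,"dest_ip":"10.99.0.1","dest_port":443,"proto":"TCP","alert":{"signature_id":1000002,"rev":1,"signature":"LAB SCAN HTTPS probe to management","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:00:50.000000+0000","event_type":"alert","src_ip":"10.40.0.23","src_port":51242,"dest_ip":"10.99.0.1","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"rev":1,"signature":"LAB SCAN SSH probe from guest segment","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-05-01T10:01:30.000000+0000","event_type":"alert","src_ip":"10.40.0.23","src_port":51251,"dest_ip":"10.10.0.15","dest_port":445,"proto":"TCP","alert":{"signature_id":1000003,"rev":1,"signature":"LAB SCAN SMB probe to lab segment","category":"Misc activity","severity":3}}
{"timestamp":"2024-05-01T10:30:00.000000+0000","event_type":"alert","src_ip":"10.30.0.7","src_port":44000,"dest_ip":"1.1.1.1","dest_port":53,"proto":"UDP","alert":{"signature_id":1000004,"rev":1,"signature":"LAB INFO DNS query bypassing DNS privacy stack","category":"Potentially Bad Traffic","severity":3}}
'''


def segment_of(ip):
    """Map an address to its lab segment, or 'external' when it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLAN_NETS.items():
        if addr in net:
            return name
    return "external"


def suricata_to_thehive_severity(sev):
    """Suricata priority 1 is the most severe; TheHive severity 4 is, so the scale is inverted."""
    return {1: 3, 2: 2, 3: 1}.get(sev, 1)


def parse_eve(text):
    """Keep only well-formed alert events; flows, stats and malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        ev["_ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        alerts.append(ev)
    return alerts


def build_thehive_alert(src, events):
    """Shape a correlated burst into a dict following TheHive's alert fields (assumed schema)."""
    severity = max(suricata_to_thehive_severity(e["alert"]["severity"]) for e in events)
    dests = sorted({e["dest_ip"] for e in events})
    segments = {segment_of(d) for d in dests}
    # Escalate when a host outside the management VLAN is reaching into it.
    if segments & HIGH_VALUE and segment_of(src) not in HIGH_VALUE:
        severity = min(severity + 1, 4)
    sids = sorted({e["alert"]["signature_id"] for e in events})
    return {
        "type": "suricata-correlation",
        "source": "wazuh",
        "sourceRef": f"{src}-{events[0]['_ts'].strftime('%Y%m%dT%H%M%S')}",
        "title": f"{len(sids)} distinct Suricata signatures from {src} ({segment_of(src)})",
        "description": "\n".join(
            f"{e['_ts'].isoformat()} {e['alert']['signature']} -> {e['dest_ip']}:{e['dest_port']}"
            for e in events
        ),
        "severity": severity,
        "tags": [f"sid:{s}" for s in sids] + [f"seg:{s}" for s in sorted(segments)],
        "observables": [{"dataType": "ip", "data": ip} for ip in [src] + dests],
    }


def correlate(alerts):
    """Sliding window per source: raise once when >= threshold distinct signatures fall in WINDOW."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["_ts"]):
        by_src[a["src_ip"]].append(a)
    findings = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["_ts"] - first["_ts"] <= WINDOW]
            if len({e["alert"]["signature_id"] for e in window}) >= DISTINCT_SIG_THRESHOLD:
                findings.append(build_thehive_alert(src, window))
                break  # one alert per source per burst; later bursts would need their own state
    return findings


def run(text=SAMPLE_EVE):
    return correlate(parse_eve(text))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert, indent=2))
```

Run stand-alone it raises a single alert for 10.40.0.23: the repeated SSH signature counts once, the three distinct signatures cross the threshold, and the guest-to-management reach bumps the severity from medium to high. The single DNS alert from 10.30.0.7 stays below threshold and is not surfaced, which is the tuning decision a SIEM rule has to make explicitly rather than forwarding every IDS hit to the case tracker.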
The lab is built on the following components:
- OPNsense Firewall (Protectli VP2420)
- VLAN segmentation with managed switching
- WireGuard VPN for secure remote access
- Suricata IDS/IPS
- Zenarmor traffic analysis
- Wazuh SIEM
- TheHive incident response platform
- Cortex automated analysis engine
- Ubuntu server running Docker security stack
- Intel NUC security host
- Raspberry Pi sensors and infrastructure services
- DNS privacy stack for internal resolution hardening
- DShield honeypot sensor
A segmented cybersecurity lab environment built with OPNsense firewall and VLAN isolation.
Research areas include:
- IDS rule tuning
- firewall policy validation
- network traffic analysis
- SIEM event correlation
- detection engineering experimentation
Documenting security research and lab exercises including:
- penetration testing labs
- network security experiments
- vulnerability analysis
- detection engineering techniques
Research notes and walkthroughs are published at: All Links (Linktr)
This GitHub will continue to grow with:
- security research
- lab infrastructure projects
- penetration testing tooling
- detection engineering experiments
- security walkthroughs