Threat Intelligence Research Engineer · XPLG · Tel Aviv, Israel

Adversary profiling, detection engineering, and hands-on security lab work.

I profile adversary behavior, map TTPs to detection candidates, and build tooling to automate the mechanical parts of CTI and reverse engineering. Focus areas: attribution discipline, infrastructure pivoting, hunting hypothesis construction, detection backlog management, and AI-assisted analyst tooling with mandatory human review at every decision point.

About Me Medium portfolio GitHub

About Andrey

Threat Intelligence Research Engineer at XPLG (enterprise security data platform). Formerly Head of Red Team — Israel Police Cyber Defence Unit. CTI-to-detection practitioner. Profiles adversary infrastructure, maps TTPs to ATT&CK-aligned detection candidates, and ships analyst tooling for CTI and reverse engineering workflows. Based in Tel Aviv, Israel.

Article library Medium portfolio CV

Contact

Email GitHub Medium LinkedIn Full profile

Choose Your Review Path

Start with the path that matches what you are evaluating. Each path keeps the top story defensive and CTI-to-detection oriented.

One-page summary

CTI / Threat Intelligence

  1. CTI Analyst Field Manual
  2. Operation Desert Hydra
  3. Israel Government Threat Actors CTI
  4. Customer-Driven AI CTI Project

Detection Engineering

  1. Desert Hydra Detection Atlas
  2. Validation Results (14 PASS / 1 PARTIAL / 1 FAIL)
  3. CTI detection pack
  4. Threat hunting hypotheses

Malware / Reverse Engineering

  1. AIDebug
  2. Android malware analysis
  3. Static malware orchestrator
  4. Unpacker

Cloud / Kubernetes Security

  1. Kubernetes CTI research
  2. stratus-ai
  3. vulnerable-cloud-lab
  4. cvss_4.0

Offensive Security / AI-Driven

  1. HexStrike AI Guide
  2. Operation DragonRx — Lab Architecture
  3. Operation DragonRx — Attack Playbook
  4. DragonRx lab repo

Full Library

Use the full Medium navigator only after the selected paths. The homepage keeps selected work visible first so the portfolio stays scannable.

Medium profile Blog navigator

Flagship Projects

Seven top-tier projects that define the portfolio, followed by five strong supporting pieces.

Top-tier flagships

CTI Analyst Field Manual

Practitioner operating manual: evidence labels, source reliability (Admiralty A-F/1-6), confidence language, attribution methodology, infrastructure pivoting, AI controls, hunting hypotheses, detection backlog, and 10 reusable analyst templates. 80 pages, 10 modules, CI-validated.

CTI tradecraftdetection backlogtemplates
80 pages · 10 modules · DRL 0–9 model · ATT&CK mapping requires behavior evidence gate
Site Repo

Operation Desert Hydra

Complete CTI-to-detection pipeline on MuddyWater / Seedworm — widely reported by government and vendor sources as Iran-linked activity associated with MOIS. 71 candidate sources reviewed, 8 promoted, 10 procedure records with Observed/Reported/Assessed evidence labels, OpenCTI 6.2 knowledge graph, 11 detection records with SIEM-agnostic pseudologic, and an Ansible-provisioned Windows 10 lab validated against Kibana. 14 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks. 16 of 21 ATT&CK techniques (76%) fully validated. One-command reproducible.

CTI pipelinedetection engineeringOpenCTIAI-assistedlab-validated
71 candidates → 8 promoted → 10 procedures → 21 ATT&CK techniques → 11 detections · Sysmon + Winlogbeat + Kibana · OpenCTI 6.2
Site Repo Article Detection Atlas Validation Results Coverage Matrix

Israel Government Threat Actors CTI

Sector CTI covering Iranian, Palestinian, and regional threat actors targeting Israeli government, public-sector, critical infrastructure, and adjacent suppliers. Actor profiles, ATT&CK mappings, IOC reference locations, and detection examples. Blue-team only — no binaries or exploit code.

sector CTIpublic-sourcedefensive
Handala: ASN reuse → passive DNS → crt.sh → 14 hosts · 22+ hashes · T1003.001, T1505.003, T1567.002
Site Repo

Customer-Driven CTI-to-Detection Methodology

End-to-end methodology for structured CTI engagements: scoping, collection, analysis, and delivery with human validation gates throughout. 15-phase cycle with AI assistance under analyst control. Three-part article series and full Docusaurus reference site.

CTI methodologydetection backlogAI-assisted
Source gate: 6 criteria — reliability · timeliness · corroboration · relevance · bias · access
Site Repo Article

OpenCTI Intelligent Shield

OpenCTI platform with a custom Claude-powered enrichment connector: Docker Compose deployment, STIX 2.1 workflows, confidence-scored IOC enrichment, and an analyst gate before any object enters the threat intelligence graph. Sanitized env example; real credentials excluded from repo.

OpenCTIplatform engineeringSTIX 2.1
Pipeline: raw feed → connector → confidence score → analyst gate → STIX object
Repo

Operation DragonRx

Full-stack APT41 pharmaceutical-sector attack simulation: Log4Shell initial access → Sliver C2 implant → Active Directory lateral movement → LSASS credential dump. Dual-layer detection with Wazuh + Zeek + Elastic. Published CTI report, lab architecture, and step-by-step attack playbook.

APT41 simulationdetection engineeringlab
CVE-2021-44228 → Sliver C2 → T1003.001 LSASS dump · Wazuh + Zeek + Elastic coverage
Lab Architecture Attack Playbook CTI Report Repo

AIDebug

Reverse engineering walker for malware analysts: Capstone disassembly, FLIRT signature matching, CFG extraction, Frida-based dynamic tracing, INetSim isolation, 8 behavioral pattern detectors, and SIEM-ready JSON output. TUI interface — no sandbox required for static analysis passes.

Python toolmalware analysisreverse engineering
Real sample: MD5 c6ab7265… (DearStealer) · T1056.001, T1547.001, T1555.003, T1573.001 mapped
Repo Article

Strong supporting work

CVSS v4.0

CVSS v4.0 enrichment CLI (BTE scoring) that turns CVEs into prioritized vulnerability-management work using NVD, CISA KEV, EPSS, and configurable asset profiles. Companion Docusaurus field guide site with scoring explanations and practitioner decision frameworks.

Python CLICVSS v4.0vulnerability mgmt
Field Guide CLI repo

StratusAI

Multi-cloud security scanner: 9 AWS modules + 7 GCP modules, 125-test suite, ECS Fargate / Cloud Run deployment. Multi-LLM finding analysis with attack-chain synthesis and severity classification in 2–4 minutes per scan.

cloud scannerAWS + GCPmulti-LLM
Repo Article

Android Malware Analysis

Android APK analysis toolkit: AI-powered static analysis from the terminal, OWASP Mobile Top 10 coverage, decompilation, manifest inspection, permission risk scoring, and output formatted for mobile security assessment reports.

malware analysisAndroidPython
Repo Article

Vulnerable AI Lab

Intentionally vulnerable AI security training lab — DVWA/WebGoat for modern AI systems. Pre-built OWASP LLM Top 10 2025 scenarios: prompt injection, RAG poisoning, tool-call manipulation, and data exfiltration via LLM agents in a realistic RAG pipeline.

LLM securityAI red teamOWASP LLM
Repo LLM attacks article

Medium Blog Navigator

Docusaurus navigation layer for 200+ Medium articles — organized by topic, difficulty, and content cluster. Makes cross-article research and topic discovery practical at scale without relying on Medium's own recommendation engine.

Docusauruscontent navigation
Repo Medium

Work by Domain

Start here before opening the full article library.

Malware Analysis

Malware analysis tools, APK analysis, YARA-related work, file triage, import analysis, strings, and unpacking utilities.

AIDebugAndroid malware

Cloud / Kubernetes Security

Cloud-native threat research, cloud scanning, vulnerable cloud labs, audit-log thinking, and prioritization support.

Kubernetes researchstratus-ai

Live Evidence

Real screenshots from published research — tool outputs, malware analysis, infrastructure pivots, and attack simulations. Click any image to open the source article.

Kibana — det_mw_0001 spearphishing attachment detection PASS
Desert Hydra — det_mw_0001 (T1566.001) PASS Kibana captures Office child process spawn; spearphishing attachment detection validated
Kibana — det_mw_0010 LSASS credential access detection PASS
Desert Hydra — det_mw_0010 (T1003.001) PASS Sysmon EID 10 ProcessAccess to lsass.exe captured; credential access detection validated
OpenCTI — MuddyWater knowledge graph
Desert Hydra — OpenCTI knowledge graph MuddyWater intrusion set: 9 malware, 4 tools, 21 ATT&CK techniques, 20 source reports
AIDebug TUI — function analysis
AIDebug — function analysis (TUI) Capstone disassembly + FLIRT signature matching on real sample (MD5: c6ab7265…)
AIDebug — behavioral pattern tab
AIDebug — behavioral patterns tab PatternDetector flags T1055.001 and T1547.001 without AI call
AIDebug — malware pattern detection results
AIDebug — pattern detection output 8 behavioral patterns scanned per function; registry modification flagged
AIDebug — control flow graph visualization
AIDebug — control flow graph (CFG) Basic-block graph built per function; branch structure visible without reading ASM
AIDebug — four-panel TUI overview
AIDebug — four-panel TUI layout Disasm · Patterns · CFG · AI tabs on a live binary; no sandbox required
CFF Explorer — PE header analysis
CFF Explorer — PE header analysis Import table, DOS/NT headers, sections examined on Authenticator.exe
Detect It Easy — packing and obfuscation scan
Detect It Easy — entropy + packing scan DIE analysis: normal entropy, no packer detected on DearStealer sample
Process Monitor — Authenticator.exe process tree
Procmon — dynamic process trace Authenticator.exe runs with no subprocesses and closes after 2 min (stealer behavior)
FakeNet-NG — network traffic capture
FakeNet-NG — network capture No HTTP plaintext to malicious domain; encrypted TLS channel confirmed (T1573.001)
unpac.me — file upload for automated unpacking
unpac.me — automated unpacker upload Packed .NET sample submitted; SmartAssembly obfuscation layer identified
unpac.me — unpacked files ready for analysis
unpac.me — unpacked result Nested packing layers stripped; unpacked files available for static analysis
de4dot — .NET deobfuscation
de4dot — .NET deobfuscation DeepSea Obfuscator layer removed; strings and control flow restored
Android APK tool — terminal run output
APK Analyzer — terminal run Four-phase analysis from a single CLI command; no sandbox required
Android APK tool — Phase 1 static analysis
APK Analyzer — Phase 1 (Androguard) Permissions, intents, native libs, DEX entropy extracted via Androguard
Android APK tool — ATT&CK TTP mapping output
APK Analyzer — MITRE ATT&CK mapping CRITICAL service + T1416 OverlayActivity flagged without bytecode decompilation
Android APK tool — YARA scan results
APK Analyzer — YARA scan + AI analysis Curated ruleset hits for Cerberus/Joker/FluBot families; AI remediation steps output
stratus-ai — cloud attack simulation output
stratus-ai — cloud scan output AWS + GCP attack simulation: 9+7 modules, 125-test suite, CloudTrail capture
stratus-ai — findings report with severity
stratus-ai — findings report Multi-LLM severity classification and remediation output per finding
Handala infrastructure pivot chain
Handala — infrastructure pivot ASN reuse → passive DNS → crt.sh → 14 additional hosts · 22 confirmed hashes

Selected Article Library

Direct Medium links only. The blog navigator is listed separately as an index resource, not used as a substitute article link.

Medium profile

CTI, Attribution, Pivoting

The Intelligent Shield. OpenCTI

OpenCTI deployment, connector engineering, STIX workflows, enrichment source confidence management, and platform operations.

CTIOpenCTISTIX 2.1guide
Medium · May 2026

CTI Research: Handala Hack Group

Threat persona and cluster analysis with evidence labels, IOC handling, and defensive guidance.

CTIHandalaIsraeldetection
Medium · Mar 2026

Attribution Methodology

How to build, defend, and challenge attribution claims without overstating the evidence.

CTIattributionconfidenceguide
Medium · Mar 2026

ATT&CK as a Working Tool

Hands-on ATT&CK use for mapping, gap analysis, Sigma thinking, hunting, and adversary emulation.

CTIATT&CKhuntinglong guide
Medium · Mar 2026

Manual CTI vs. AI-Assisted CTI

Step-by-step comparison of where AI compresses CTI work and where analyst judgment remains non-negotiable.

CTIanalyst workflowtradecraftguide
Medium · May 2026

CTI Program Design

Customer-Driven AI CTI Project

End-to-end CTI-to-detection methodology and project workflow overview.

CTI programdetection engineeringgovernance
Medium · May 2026

Detection And Hunting

The Atomic Standard

Practitioner compendium for single-event threat detection and rule design.

detectionrulesarticle
Medium · Nov 2025

The Invisible Pipeline

Defending CI/CD systems from targeted attacks with concrete controls and detection ideas.

detectionCI/CDDevSecOps
Medium · Oct 2025

Malware, Cloud, AI Security

Android APK Analysis Tool

AI-assisted static APK malware analysis with YARA, VirusTotal context, candidate MITRE mapping, and Frida hooks.

malwaretoolAndroid
Medium · Mar 2026

AI-Powered Malware Debugger

AIDebug walkthrough: FLIRT, patterns, CFGs, Frida, unpacking detection, YARA, and reports.

malwareATT&CKtool
Medium · Mar 2026

StratusAI Cloud Security Scanner

AWS and GCP scanner architecture, multi-LLM routing, Terraform deployment, and test coverage.

cloudAWSGCPAI
Medium · Mar 2026

AI in Offensive Operations

Evidence-based research on attacker AI use, TTPs, incidents, confidence, and forecast judgments.

CTIoffensiveAI security
Medium · Apr 2026

CVSS v4.0 Field Guide

CVSS-BTE, KEV, EPSS, environmental scoring, examples, scanner triage, and automation.

vulnerabilityCVSSEPSS
Medium · Mar 2026

Tools And Repositories

Repositories are grouped by defender output, not by programming language.

All GitHub repos

CTI Engineering

Reports, pivoting automations, detection packs, and hunting hypotheses that move intelligence into operational use.

CTIhuntingtooling
CTI autoWF Detection pack Hunt hypotheses

Guides & Docs

Docusaurus knowledge bases, field manuals, and structured references. 52+ step-by-step guides on Medium.

All guides → HexStrike →

CTI Analyst Field Manual

Analytic judgment, evidence discipline, hunting hypotheses, and ATT&CK-mapped detection candidates.

CTIhuntingmanual
SiteRepo

Operation Desert Hydra

End-to-end CTI-to-detection pipeline: source review gate → procedure dataset → OpenCTI knowledge graph → 11 detection records → benign lab simulation → Kibana proof screenshots. 14 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks.

CTI pipelinedetection engineeringOpenCTIlab-validated
SiteRepoDetection Atlas

Israel Government Threat Actors CTI

Defensive CTI knowledge base for Israeli public sector, critical infrastructure, municipal, and supplier exposure.

Israel CTIpublic sectordefense
SiteRepo

Customer-Driven AI CTI Project

End-to-end methodology for turning intelligence requirements into hunts, detections, and delivery artifacts.

CTI programdetectionsgovernance
SiteRepo

Customer-Driven AI CTI Template

Reusable templates for requirements, hunts, detections, evidence packs, and customer delivery.

templatehuntstoolkit
SiteRepo

CVSS v4.0 Field Guide

Practical CVSS v4.0 scoring, environmental profiles, scanner triage, and prioritization guidance.

vulnerabilityCVSSrisk
SiteRepo

HexStrike AI Guide

Authorized AI-assisted security lab workflows used as operator-context evidence for CTI work.

offensivelabAI
SiteRepo

Medium Blog Navigator

Separate index for browsing the full Medium library by topic, depth, and role. Article cards above use direct article links.

indexnavigation150+ articles
SiteRepo

OpenCTI Intelligent Shield

OpenCTI operations and security-team workflows for enrichment source confidence management and threat-intelligence platform work.

OpenCTItooloperations
RepoArticle

Lab Work

Authorized, controlled environments built to understand attacker behavior, validate detection assumptions, and practice the full attack-to-defend cycle.

All labs →

Operation DragonRx

APT41 pharmaceutical-sector attack simulation. Log4Shell initial access → Sliver C2 → Active Directory lateral movement. Dual-layer detection with Wazuh + Zeek + Elastic.

CTIlabAPT41Log4Shell
Lab Architecture Attack Playbook Repo

Cloud & Kubernetes Labs

Vulnerable cloud infra for cloud pentest practice: GCP + AWS Terraform deployments, 25-issue Kubernetes misconfiguration lab, and IIS / SharePoint / Fluent Bit environment.

cloudlabTerraformKubernetesGCP
vulnerable-cloud-lab K8s Lab GCP Lab IIS Lab

Active Directory Labs

Reproducible Windows / AD pentest environments: vulnerable Windows 10, full AD domain with GPOs, Kerberoasting, Pass-the-Hash, and LSASS dump paths. Manual and one-prompt Cursor AI deployments.

labWindowsActive DirectoryKerberos
Manual guide One-prompt deploy Windows 10 Lab

Android Security Labs

Android analysis lab on Ubuntu (Androguard + Frida toolchain). Deliberately vulnerable Android app covering all OWASP Mobile Top 10 classes. Autonomous mobile PT walkthrough.

labAndroidOWASP MobileFrida
Vulnerable-APK Analysis tool Lab setup Vuln app article

Vulnerable AI Lab

Intentionally vulnerable AI application lab — like DVWA but for modern AI: RAG assistants, tool-calling agents, LLM-powered copilots. Covers prompt injection, data exfiltration, and agent manipulation.

AI securitylabLLMRAG
AI-PT-Lab repo Article

Linux & Web App Labs

Vulnerable Ubuntu 24.04 server with full HexStrike pentest walkthrough. DVWA deployment automated with Ansible for reproducible web-app attack-and-detect practice.

labLinuxDVWAAnsible
Ubuntu Lab DVWA Lab

About

I profile adversary behavior, map TTPs to ATT&CK-aligned detection candidates, and ship tools that automate the mechanical parts of CTI and reverse engineering work. Current role: Threat Intelligence Research Engineer at XPLG. Formerly Head of Red Team at Israel Police Cyber Defence Unit. All tooling ships with mandatory analyst review built into the workflow — AI assists with throughput, not with judgment.

Full profile & employment history → Full CV →