Open source cybersecurity intelligence, threat research, and defensive tooling — built by the community, for the community.
Interactive dashboards and matrices generated from open source intelligence feeds, MITRE ATT&CK mappings, and real-world malware analysis. All data and tooling are freely available through our Loaded Potato project.
MITRE ATT&CK re-envisioned through the lens of Windows API calls. Maps technique IDs to the native APIs that malware uses to execute each tactic, with cross-references to known malware families and EDR hook points.
Comprehensive analysis of EDR vendor API hook coverage mapped against known evasion techniques. Identifies gaps in userland hooking across major endpoint protection platforms with risk-tiered severity ratings.
Real-time intelligence dashboard aggregating APT group activity, malware family tracking, and campaign indicators from open source threat intel feeds including MITRE, VirusTotal, and community contributions.
Loaded Potato is a 130+ module platform for threat hunting, malware analysis, forensics, and detection engineering — integrating with SentinelOne, Microsoft Defender, Trend Micro Vision One, Elastic, and dozens of threat intelligence APIs.
Unified alert ingestion and enrichment across SentinelOne, Microsoft Defender XDR, Trend Micro Vision One, and Elastic. Automated threat attribution scoring and cross-platform correlation of alerts and indicators.
Discovers unsigned, unverified, and suspicious processes across your environment. Identifies new publishers, special-character process names, and file magic type mismatches against enterprise baselines.
Surfaces rare processes, DLLs, and artifacts that hide in the noise. Compares alert-specific telemetry against enterprise-wide baselines to find what doesn't belong — the long tail where attackers live.
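The two modules above share one underlying idea: compare what an alert shows against what the whole enterprise normally runs, and let rarity, odd naming and on-disk content that contradicts the file extension surface the outliers. The script below is an added illustration of that baseline-comparison approach and is not Loaded Potato's own code; the baseline host counts, the rarity threshold, the magic-byte table and every sample process name are constructed for the example.

```python
"""Triage constructed process telemetry against a constructed enterprise baseline.

Flags three things the modules above describe: processes that are rare or never
seen across the fleet, process names containing non-ASCII or special characters,
and files whose leading bytes (magic) do not match what the extension claims.
"""
import re

# Constructed baseline: image name -> number of hosts it was observed on.
BASELINE_HOST_COUNT = 2000  # assumed fleet size
BASELINE = {
    "svchost.exe": 2000,
    "explorer.exe": 1998,
    "chrome.exe": 1700,
    "winword.exe": 900,
    "7z.exe": 45,
    "updater.exe": 1,
}

# Constructed alert-side telemetry: (image name, first bytes read from disk).
ALERT_PROCESSES = [
    ("svchost.exe", b"MZ\x90\x00"),
    ("7z.exe", b"MZ\x90\x00"),
    ("updater.exe", b"MZ\x90\x00"),
    ("invoice.pdf.exe", b"MZ\x90\x00"),
    ("svch\u043est.exe", b"MZ\x90\x00"),  # Cyrillic 'o' homoglyph in the name
    ("report.pdf", b"MZ\x90\x00"),        # PE image carrying a .pdf extension
    ("notes.txt", b"hello"),              # no magic expectation for .txt
]

# Expected leading bytes per extension (small constructed subset).
MAGIC = {
    ".exe": b"MZ", ".dll": b"MZ", ".sys": b"MZ",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
}

# Names that contain only ASCII letters, digits, dot, underscore and hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._\-]+$")


def prevalence(name, baseline=BASELINE, host_count=BASELINE_HOST_COUNT):
    """Fraction of fleet hosts on which this image name has been seen."""
    return baseline.get(name, 0) / host_count


def magic_mismatch(name, header):
    """True when the extension has a known magic and the header does not carry it."""
    if "." not in name:
        return False
    ext = "." + name.rsplit(".", 1)[-1].lower()
    expected = MAGIC.get(ext)
    return expected is not None and not header.startswith(expected)


def triage(alert_processes, baseline=BASELINE,
           host_count=BASELINE_HOST_COUNT, rare_threshold=0.01):
    """Return [(name, [reasons])] for every process that deserves a look."""
    findings = []
    for name, header in alert_processes:
        reasons = []
        prev = prevalence(name, baseline, host_count)
        if prev == 0:
            reasons.append("never seen in baseline")
        elif prev < rare_threshold:
            reasons.append(f"rare ({prev:.2%} of hosts)")
        if not SAFE_NAME.match(name):
            reasons.append("non-ASCII or special characters in name")
        if magic_mismatch(name, header):
            reasons.append("file magic does not match extension")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(ALERT_PROCESSES):
        print(f"{name!r}: {'; '.join(reasons)}")
```

Common images such as svchost.exe and the moderately rare 7z.exe produce no finding, while the single-host updater.exe, the homoglyph name and the PE disguised as a PDF each come back with the specific reason that put them in the long tail. In a real deployment the baseline would be built from fleet-wide telemetry rather than a literal, and the threshold tuned to the environment's size.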
Automated execution pipeline for malware samples with support for PE, PDF, and browser-based payloads. Downloads samples from VirusTotal, MalwareBazaar, and community feeds for controlled detonation.
Compares process behavior across malware samples, clean baselines, and APT families. Identifies unique malicious API calls, DLL loads, and behavioral patterns that distinguish threats from legitimate software.
Maintains 50+ nation-state actor profiles and 100+ malware family signatures. Cross-references hashes, domains, and IPs against known campaigns for automated threat attribution.
Offline analysis of Unix Artifact Collector dumps with 19 specialized modules: rootkit detection, hidden processes, C2 hunting, persistence mechanisms, webshell scanning, container escape vectors, and timeline reconstruction.
Batch IP reputation checking, ASN analysis via Team Cymru, blocked country detection, and network device forensics. Extracts network IOCs from Elastic, S1, Defender, and Devo SIEM.
Identifies digital signature gaps, revoked certificates, and suspicious publishers. Scans for embedded GitHub repositories in baselines and generates OpenSSF Scorecard risk assessments with YARA pattern matching.
Converts differential analysis findings into detection rules. Generates Sigma rules from malicious API patterns, converts between EDR formats (Sigma to S1), and syncs detection rules directly to Kibana SIEM.
Maintains and deploys YARA rules to Elasticsearch. Tracks the Living-off-the-Land Drivers database and exports LOLDriver detections as Kibana rules for endpoint monitoring.
Measures detection coverage and effectiveness from purple team exercises. Tracks which detonated samples triggered alerts, which were missed, and where detection gaps remain across your EDR stack.
Automated scanning against CIS Benchmarks, CMMC, and NIST 800-171 frameworks. Generates formatted compliance reports with pass/fail/remediation details for audit readiness.
Pre-built Group Policy Objects for workstations, servers, and domain controllers. Implements local hardening baselines aligned with CIS and DoD STIG recommendations out of the box.
CIS benchmark auditing for Linux systems with automated auditd policy deployment and logging hardening. Configures journald and rsyslog to meet compliance requirements.
Generates rich HTML dashboards including the API Capabilities Matrix, Global Threat Dashboard, EDR Evasion Matrix, and Attribution Reports — all from automated analysis pipelines.
Centralized PowerShell and Bash orchestration scripts that tie all modules together. GUI application for visual workflow management. Supports automated weekly metrics and API quota monitoring.
Ships with THOR Lite for YARA/IOC scanning, KAPE for forensic artifact collection, DFIR-ORC for incident response, and UAC for Linux evidence gathering — ready to deploy without additional setup.
We believe that effective cybersecurity shouldn't be locked behind enterprise paywalls. Every defender deserves access to the same quality of threat intelligence and analysis tooling as the adversaries they face.
All of our research, tooling, and intelligence outputs are published freely. Our core project Loaded Potato provides automated threat analysis pipelines anyone can run.
Built by practitioners, for practitioners. We contribute back to the security community through shared detections, analysis frameworks, and research outputs that make everyone's defenses stronger.
We don't just aggregate data — we analyze it. Our reports map real-world threats to defensive gaps, giving security teams the context they need to prioritize what matters right now.
By understanding attacker tooling at the API level and mapping EDR coverage gaps, we help defenders stay ahead. Transparency about what is and isn't covered is the first step to closing those gaps.