Security Analyst & Indie Hacker · India
I run detection engineering and threat intelligence operations across enterprise environments — hunting active threat actors, monitoring dark web infrastructure, and shipping the tooling that makes all of it faster.
On any given day: tracking a ransomware group's leak site, writing detection logic for a new attack chain hitting Indian enterprises, automating what used to take an analyst hours, or shipping a new security product.
I study adversary tradecraft from primary sources — actor forums, real campaigns, leaked tooling — because understanding how attacks are built is what makes detections that actually hold up. Most of my work happens inside enterprise SIEM environments across a multi-client MSSP book, where the job is equal parts threat hunting, dark web monitoring, and CERT-In responsible disclosure.
Outside that, I build. Security tooling, mostly — platforms that turn manual analyst work into something that runs itself — but also consumer products when the idea is worth shipping regardless of category.
Blue Team
Hypothesis-driven hunting across enterprise SIEM environments. Detection logic built from scratch against real attack chains — not from template rules. Every hunt starts with an adversary behavior, not a vendor alert.
Tradecraft
Reading adversary tradecraft from primary sources — actor forums, real campaigns, leaked tooling. Understanding how attacks are actually built, so detections don't fail the moment the playbook deviates.
Intelligence
Applying LLMs practically to security workflows — alert triage, threat brief authoring, hunt query generation. Shipped THREATPULSE, a chat-based CTI platform, and HuntWire, an agentic engine that runs continuous autonomous hunts.
OSINT
Continuous monitoring of ransomware leak sites, actor forums, and paste infrastructure. Tracking victim disclosures, new group activity, and infrastructure changes before they surface in public feeds.
Case files — security tooling and products, shipped solo.
Real-time dark web threat monitoring platform.
Continuous monitoring across ransomware leak sites, actor forums, and paste infrastructure. Tracks new victim disclosures, group activity spikes, and infrastructure pivots before they surface anywhere else. Full data pipeline built from scratch — collection, deduplication, normalization, and a client reporting layer.
Chat-based cyber threat intelligence platform.
Feed it an actor name, a domain, a hash — it enriches across live intel sources and generates hunt queries for every major SIEM simultaneously. Presented publicly at the NullU Delhi Chapter meetup.
Agentic threat hunting engine.
Doesn't wait for alerts. Runs continuous, autonomous hunting cycles across the environment — forming hypotheses, querying the SIEM, correlating findings across log sources, and surfacing threats that would never trip a rule. Built to do in minutes what a manual hunt takes hours.
Active Directory security assessment platform.
Multi-tenant AD assessment platform orchestrating 15+ audit tools through an authenticated PowerShell agent, consolidating findings by risk category across seven pillars, and generating client-ready reports — replacing what used to be a manual multi-tool process across enterprise environments.
Free, ad-free motivational short-form video platform.
Timed sessions instead of an infinite scroll, a Goals Hub with streaks and check-ins, and a community leaderboard. Built end to end — React frontend, Laravel backend, deployed on a self-managed VPS.
rethrived.com
India-focused dark web & breach intelligence console.
A live intelligence console tracking India-relevant breach disclosures, threat actor activity, and dark web infrastructure — IST-native, with a filterable breach feed, sector heatmap, and IOC index. Evolving from a static display into a real-time multi-source ingestion pipeline.
Passive infrastructure reconnaissance and actor mapping toolkit.
Maps exposed services, certificate history, and subdomain relationships to known threat actor targeting patterns. Used operationally to build actor infrastructure profiles and identify pivot points before engagement.
Security infrastructure product.
Architecture complete. Building quietly — the idea is too sharp to surface yet.
Consumer product.
Building quietly.
Public Talk
NullU Delhi Chapter — eSec Forte Technologies, 2026
Presented THREATPULSE — a live demo of a chat-based CTI platform enriching indicators in real time and generating hunt queries across multiple SIEM platforms simultaneously. First public talk at a security community meetup.
Currently
Building detection logic for advanced phishing and identity-based attack chains in enterprise environments. Writing monthly threat intelligence briefs for Indian enterprise clients covering active threat actor activity, emerging TTPs, and recommended defensive posture.