Security Researcher · Builder · India

I hunt adversaries for sport and build products for leverage. Both sides of the wire — detection, exploitation, intelligence. Running AI against security data before it was a buzzword. Perpetually building — tools, ventures, systems.

Discipline: Threat Hunting · Detection
Offensive depth: Red Team · Adversary ops
Intelligence: Dark web · Actor tracking
AI application: LLM-driven analysis
Mode: Builder · Founder · Grinder
THREAT HUNTING · DARK WEB INTEL · ADVERSARY TRACKING · LLM ANALYSIS · DETECTION ENGINEERING · OFFENSIVE SECURITY · OSINT · MALWARE INTEL · SOC AUTOMATION · FOUNDER · BUILDER · RANSOMWARE INTELLIGENCE · ACTOR PROFILING · AI × SECURITY · PERPETUAL GRINDER
BOTH SIDES OF THE WIRE.

Most defenders have never attacked anything. Most attackers have never defended anything. I've done both — and that gap is where every missed detection, every bypassed rule, every blind spot lives.

Years of SOC work built depth in detection, log forensics, and threat intelligence. Deep study of offensive tradecraft gives context no certification teaches — how attackers actually move, what they leave behind, and what defenders almost always miss.

Beyond security, I build products. I run ventures. I operate 3–4 projects in parallel — because idle time is wasted leverage. Always building, always shipping, always on the grind.
Domains
01 · Blue Team
THREAT HUNTING

Proactive adversary hunting across complex enterprise environments. Behavioral detection, SIEM rule engineering, offense triage, multi-stage correlation. Know what real attacker artifacts look like in logs — not textbook theory. Built tooling that collapses detection timelines.

SIEM · Detection Rules · Log Forensics · IOC Hunting · EDR · AQL
02 · Red Team
OFFENSIVE SECURITY

Full attack lifecycle knowledge — initial access, lateral movement, persistence, exfiltration. Understanding how real intrusions unfold changes every detection you write. The offense side isn't separate from defense; it's the thing that makes defense actually work.

Recon · Exploitation · AD Attacks · Lateral Movement · Post-Exploitation
03 · Intelligence
DARK WEB INTEL

Monitoring adversary infrastructure across clearnet and Tor. Tracking ransomware groups, leak forums, data broker activity, actor alias networks. Turning raw OSINT into structured intelligence with real operational value — not just IOC lists.

OSINT · Tor · Actor Profiling · Ransomware Intel · IOC Extraction
04 · Applied AI
AI × SECURITY

Running large language models against raw security data — logs, events, behavioral sequences. Automated interpretation, triage, and investigation summaries. Building pipelines where AI does the heavy processing so analysts can stay focused on decisions, not data wrangling.

LLM Pipelines · Local Models · Automation · Analysis · RAG · Python
Selected Work
01
ThreatLedger · Building
Unified threat intelligence platform. Ingests IOCs, malware samples, ransomware victim disclosures, and government advisories from live feeds. Normalized interface, severity scoring, historical trending. Built for analysts who need signal, not noise.
Threat Intel · Multi-Feed · Python · IOC
02
Dark Web Surveillance System · Live
Automated crawler across Tor hidden services — ransomware blogs, paste boards, actor forums. Tracks new victim disclosures, infrastructure fingerprints, keyword emergence across hundreds of monitored endpoints. Daily intelligence digests.
Tor · OSINT · Crawler · Alerting
03
LLM Security Analysis Pipeline · Live
Feeds raw security event streams — log data, behavioral sequences, offense chains — into locally hosted language models for automated interpretation and analyst-ready investigation summaries. Significantly reduces time-to-understand on complex multi-stage incidents.
LLM · Pipeline · Python · Automation
04
Adversary TTP Correlation Engine · Live
Real-time mapping of observed log artifacts to MITRE ATT&CK techniques. Correlates multi-stage attack sequences, scores campaign sophistication, surfaces detection gaps. Built on a live event stream — catches what static rules miss.
MITRE · Correlation · Detection · SIEM
05
OSINT Recon Framework · Live
Multi-source passive recon toolkit. Shodan, Censys, theHarvester, certificate transparency, subdomain enum, WHOIS — unified, normalized output. Used for both threat hunting context enrichment and pre-engagement reconnaissance.
Shodan · Censys · Passive Recon · Python
06
Ransomware Intelligence Series · Ongoing
Ongoing threat advisory series — active ransomware group TTPs, victim targeting patterns, IOCs, ransom negotiation behavior, infrastructure analysis. Technically verified, zero filler. Written from monitoring actor infrastructure directly, not aggregated from secondary sources.
Ransomware · Advisory · Threat Intel
07
Malware Behavior Classifier · Building
Static and behavioral analysis pipeline for unknown samples. Feature extraction, family correlation, YARA rule generation. Designed to handle novel samples where signature-based tools fail — behavioral fingerprinting at scale.
Malware · YARA · Analysis · Python
08
Detection Engineering Playbooks · Internal
Production-grade detection runbooks covering credential dumping, lateral movement, suspicious process chains, C2 beaconing. Annotated with attacker evasion variants — written for analysts who know how attackers will try to bypass each rule.
Detection · Playbooks · Blue Team · Evasion
09
Redacted · Stealth
Security infrastructure product. Not disclosed. Architecture done, building quietly. Will surface when ready.
Security · Infrastructure · AI
10
Redacted · Stealth
Founder tooling. For builders who ship. Not disclosed. The idea's too good to talk about publicly yet.
Product · Founders · SaaS
Ventures
THREAT LEDGER · Building
Threat intelligence platform for security teams who want signal from the noise. Aggregates dark web feeds, IOC streams, and government advisories into one operational view.
Security Intelligence · SaaS · 2025
REDACTED · Stealth
Founder tooling. Can't say more. For the builders who are always 3 projects deep and refuse to slow down. Coming when it's ready.
Product · Founders · 2025
UNDISCLOSED · Stealth
Something at the edge of AI and security infrastructure. Architecture is solid. Not disclosed. Will be loud when it ships.
AI · Security · Infrastructure
Shell
neeraj@ns:~ — zsh — 80×24
whoami
neeraj sihag  // security researcher · builder · perpetual grinder · india
cat mode.txt
hunt threats during the day. study how to cause them at night.
understand the attack side because that's where defenses fail.
run language models against raw security data — not for demos, for actual work.
track ransomware groups across dark web. watch them move. write about it.
ls /active-projects
threatledger/  dark-web-surveillance/  llm-pipeline/  [redacted]/  [redacted]/
cat philosophy.txt
if it's manual — automate it.
if it's slow — rebuild it.
if it's missing — build it yourself.
idle time is wasted leverage.
# [email protected] · github.com/Neeraj-Sihag · neerajsihag.com
LET'S BUILD SOMETHING.
Security · Intelligence · Collaboration · Product