CyberSec Projects

• Combine: port scanner + subdomain enum + DNS recon + header check
• Single CLI tool with argparse
• Output to JSON report + markdown summary
• Add screenshot capability (selenium headless)

* Combo: Ports directly into full pentest suite (SCRPT-MO1)

• Download: Mr-Robot, Kioptrix, or Basic Pentesting 1
• Recon → foothold → privesc → root
• Document every step in markdown
• Write a mini pentest report

* Combo: Chain 3+ machines → OSCP prep (NET-MO1)

• Install WebGoat (Java or Docker)
• Complete all OWASP Top 10 lessons
• A01 Broken Access Control through A10 SSRF
• Write one-pager summary per vuln

* Combo: Unlocks web pentest automation month project

• ARP spoofing: arpspoof + Wireshark in isolated VM lab
• SSL stripping with bettercap
• Capture credentials from HTTP traffic
• Defend: static ARP + HTTPS enforcement

• Install Elasticsearch + Logstash + Kibana (Docker)
• Ship syslog, auth.log, firewall logs via Filebeat
• Build 3 dashboards: failed logins, port scans, outbound traffic
• Write 2 detection rules

* Combo: Core of home SOC (DEF-MO1)

• Ship Cowrie logs into ELK
• Dashboard: attacker IPs, commands run, passwords tried
• Cross-reference IPs with threat intel feeds (AbuseIPDB API)
• Alert on new attacker commands

• Set up FlareVM or REMnux
• Run safe malware sample in isolated VM
• Monitor: procmon, Wireshark, regshot
• Document: file drops, registry changes, network IOCs

• Install Ghidra
• Decompile a simple CTF binary — find hardcoded key
• Decompile crackme — patch jump condition
• Analyze a real open-source malware (TinyShell)
• Annotate functions in Ghidra

• 3-VM lab: attacker | pivot | inner target
• Compromise pivot, use it to reach inner
• SSH tunneling: local/remote/dynamic port forward
• Metasploit route + socks proxy

* Combo: Essential for AD month project

• Padding oracle attack (against vulnerable Flask app you write)
• Length extension attack on SHA1
• ECB mode block detection (CBC vs ECB oracle)
• RSA small e attack (cube root)

• Write Python SQLi error-based scanner
• SSRF: reach internal metadata endpoint (cloud lab)
• XXE: read /etc/passwd via XML input
• Test all three on deliberately vulnerable apps

• AS-REP Roasting (GetNPUsers.py)
• Kerberoasting (GetUserSPNs.py)
• Pass-the-Hash with Mimikatz (isolated lab)
• BloodHound: visualize attack paths

* Combo: Full AD pentest chains into month project

• Python agent: beacon home every N seconds
• Server: receive beacon, send back commands
• Encode traffic in base64
• Add jitter to beaconing interval

* NOTE: Lab/VM only. Learn detection via DEF-WK1.

• Install Suricata, load ET Open rules
• Generate test alerts (nmap scan, exploit traffic)
• Install Zeek, read conn.log and dns.log
• Feed both into ELK (from DEF-WK1)

• Chain: subfinder → httpx → ffuf → nuclei
• Bash/Python pipeline: one command does all
• Output: live subdomains, interesting endpoints, known CVE hits
• Run against HackerOne bug bounty target

• Tier 0–1 Starting Point machines
• No walkthroughs until truly stuck (30 min rule)
• Write report-style writeup for each
• Focus: methodology, not just flags

• Inputs: email, username, domain, IP
• Lookups: WHOIS, DNS, breach check, social, Shodan
• Output: markdown profile report
• Add screenshot of profiles (selenium)

• Exploit VulnHub machine fully through Metasploit
• Post-exploitation: hashdump, meterpreter, persistence
• Pivoting with Metasploit route
• Write custom resource script to automate

• Deploy intentionally vulnerable app (Damn Vulnerable Cloud App)
• Find: public S3, overprivileged IAM, exposed metadata
• Docker escape: privileged container lab
• Kubernetes: exposed dashboard, RBAC bypass

• Create root CA with openssl
• Issue intermediate CA, end-entity certs
• Configure Apache/Nginx with custom cert
• Implement CRL (certificate revocation list)

• Learn YARA syntax
• Write rules for 5 malware families from IOCs
• Test against malware samples (MalwareBazaar)
• Integrate YARA scan into Python script

• Decompile APK: jadx, apktool
• Static: hardcoded keys, exported activities
• Dynamic: MobSF, Frida hook
• Intercept traffic with Burp on Android emulator

• Simulate: attacker compromises web server VM
• IR process: detection → containment → eradication
• Collect artifacts: memory dump (volatility), disk image
• Write incident report

• PMKID attack with hcxdumptool (no client needed)
• Set up evil twin with hostapd-wpe
• Capture MSCHAPv2 credentials
• Crack with hashcat mode 5500

* NOTE: Own network lab only.

• Port scan → service detect → CVE lookup (NVD API)
• Web: check SQLi, XSS, open redirect, headers
• Output: severity-ranked HTML report
• Diff reports: detect new vulns between scans

• Pull from: AlienVault OTX, AbuseIPDB, VirusTotal API
• IOC lookup: IP, domain, hash
• Feed matches into ELK SIEM alerts
• Daily digest email report (smtplib)

• Compile vulnerable C program (strcpy, no canary)
• Find offset with pattern_create (Metasploit)
• Control EIP, redirect to shellcode
• Bypass NX with ret2libc

• Flask app with intentional vulns: SQLi, XSS, IDOR, path traversal
• Write challenge descriptions + flags
• Host for friends or local CTF

* Combo: CTF hosting = teaches both attack & defense mindset

• Segment home lab into trust zones
• WireGuard + firewall rules enforce zone boundaries
• Service identity via mTLS (mutual TLS)
• Verify: no lateral movement possible between zones

• Pick recent CVE (Log4Shell, ProxyLogon class)
• Read: NVD, GitHub advisory, patch diff
• Set up vulnerable version in Docker
• Write Python PoC or adapt existing one
• Document: vuln class, impact, patch

• Deploy Lambda function with IDOR vuln
• Test: broken auth, over-privileged role, unvalidated input
• API Gateway: enumerate endpoints, find undocumented
• Use Postman + manual testing

• ELK Stack SIEM with real dashboards
• Suricata + Zeek feeding into ELK
• Cowrie honeypot logging live attacks
• Wazuh or OSSEC host-based IDS on all VMs
• PagerDuty/email alerts on critical events
• Weekly threat digest auto-report

* Showcase: This alone is a real portfolio piece

• Set up 5+ VulnHub/HackTheBox machines in lab
• Full pentest each: recon → exploit → privesc → persist
• Write a professional pentest report (executive summary + technical)
• Include: scope, findings, risk ratings, remediation
• Simulate: time-boxed (72h per machine)

* Showcase: Submit to eJPT or use as OSCP prep

• Chain: subfinder → httpx → nuclei → custom SQLi/XSS scanner
• Auto-screenshot interesting pages
• Deduplicate + triage findings by severity
• HTML report with evidence screenshots
• Submit findings to HackerOne bug bounty

* Showcase: Use on real bug bounty targets (HackerOne/Bugcrowd)

• Pick a notable open malware sample (emotet, njRAT)
• Full static: PE analysis, string extraction, Ghidra decompile
• Full dynamic: FlareVM, behavioral analysis
• Extract all IOCs: IPs, domains, hashes, registry keys, mutexes
• Write professional malware analysis report (15+ pages)
• Publish on GitHub + LinkedIn

* Showcase: Top 1% of junior candidates have this

• Red: full AD attack chain (recon → foothold → lateral → DA)
• AS-REP, Kerberoasting, DCSync, Golden Ticket
• Blue: deploy Microsoft Defender for Identity, Sentinel
• Detection rules for each attack technique (SIEM alerts)
• Harden: tiering model, LAPS, privileged access workstations

* Showcase: Directly maps to enterprise pentest + SOC roles

• Web UI (Flask/FastAPI + React) for OSINT investigations
• Modules: person, domain, IP, company
• Data sources: Shodan, HaveIBeenPwned, WHOIS, crt.sh, LinkedIn
• Store results in SQLite, export PDF reports
• Graph visualization of relationships (networkx + d3.js)

* Showcase: Open-source on GitHub — recruiter magnet

• Full PKI: root CA → intermediate → end-entity certs
• Attack demonstrations: padding oracle, length extension, timing attack
• Implement Diffie-Hellman, RSA, ECDSA from scratch in Python
• Blog post explaining each attack with diagrams

* Showcase: Shows you understand crypto deeply, not just tools

• Full AWS audit: IAM, S3, EC2, Lambda, RDS
• Find and document all misconfigurations (ScoutSuite report)
• Remediate each finding + document steps
• Implement: CloudTrail, GuardDuty, Config Rules, SCPs
• Terraform IaC for hardened baseline deployment

* Showcase: AWS/GCP security skills are very hireable

• Modules: recon, web scan, vuln check, exploit assist, report gen
• Plugin architecture — easy to extend
• Config file support, rate limiting, scope enforcement
• Full documentation, README, example output
• Publish on GitHub, write a blog/Medium post

* Showcase: If this gets GitHub stars, it opens doors

• Design 15–20 challenges across categories
• Categories: web, crypto, forensics, RE, pwn, OSINT
• Deploy CTFd platform (free)
• Announce on Reddit/Discord, run for 48h
• Write post-mortems + solution writeups after

* Showcase: Organizing = leadership. Recruiting loves this.

Weekend → Week → Month NET-W1 → NET-W2 → NET-W5 → RE-W1 → NET-WK1 → NET-WK3 → NET-WK4 → AD-WK1 → NET-MO1 (OSCP-style lab)

Weekend → Week → Month WEB-W1 → WEB-W2 → WEB-W3 → WEB-W4 → WEB-W5 → WEB-WK1 → WEB-WK2 → WEB-WK3 → WEB-MO1 (pentest suite + bounty submission)

Weekend → Week → Month DEF-W1 → DEF-W2 → DEF-W4 → MAL-W1 → DEF-WK1 → DEF-WK2 → DEF-WK3 → DEF-WK4 → DEF-MO1 (home SOC) → AD-MO1 (AD defense)

Weekend → Week → Month MAL-W1 → MAL-W2 → RE-W2 → MAL-WK1 → MAL-WK2 → MAL-WK3 → RE-WK1 → MAL-MO1 (full malware analysis report)

Weekend → Week → Month SCRPT-W1 → SCRPT-W2 → SCRPT-W3 → SCRPT-WK1 → SCRPT-WK2 → SCRPT-WK3 → SCRPT-MO1 (pentest suite)

• TryHackMe: https://tryhackme.com (beginner friendly)
• HackTheBox: https://hackthebox.com (intermediate)
• VulnHub: https://vulnhub.com (free VMs)
• picoCTF: https://picoctf.org (CTF practice)
• HackerOne: https://hackerone.com (bug bounty)
• MalwareBazaar: https://bazaar.abuse.ch
• crackmes.one: https://crackmes.one

• Kali Linux / ParrotOS
• Burp Suite Community
• Wireshark + tshark
• Metasploit Framework
• Ghidra (NSA, free)
• BloodHound + SharpHound
• Nuclei + ProjectDiscovery tools
• Python 3 or Go (your best weapons)

• Google Cybersecurity Certificate (Coursera)
• TryHackMe Jr Penetration Tester path
• eJPT (INE, $200 — worth it after month projects)
• CompTIA Security+ (entry-level industry standard)

   Month 1-2:  All Weekend projects (pick 2/weekend)
   Month 3-4:  Week projects (1 per week)
   Month 5-8:  Month projects (1 per month)
   Month 9+:   Bug bounty, certs, job apps