Analyst: Nyimenka
Focus: Blue Team · SOC Analysis · DFIR · Network Forensics · Security Automation
Status: Active (April/May 2026)
---
This repository documents a structured 30-day cybersecurity challenge covering the full blue team analyst skillset: SIEM detection engineering, network forensics, Python automation, memory forensics, incident response, and threat intelligence. The projects use real tools and real malware samples, and they track one set of attacker infrastructure through a simulated 25-day campaign.
The portfolio is designed to demonstrate job-ready skills for SOC Analyst, Junior DFIR, and Security Operations roles.
---
| Category | Skills |
|---|---|
| SIEM / Splunk | SPL queries, dashboards, detection rules, threat hunting, API automation |
| Network Forensics | Wireshark, PCAP analysis, protocol analysis, file extraction, malware C2 |
| DFIR | Volatility 3, memory forensics, incident response, ransomware analysis |
| Python Automation | Log parsing, IP reputation, port scanning, IOC extraction, alert enrichment |
| Threat Intelligence | VirusTotal API, WHOIS, IOC classification, campaign attribution |
| SOC Operations | Alert triage, phishing investigation, detection use cases, playbook authoring |
| CTF / Labs | TryHackMe, Blue Team Labs Online, CyberDefenders |
---
| Day | Project (SIEM / Splunk) | Key Skills |
|---|---|---|
| Day 01 | Failed Login Dashboard | SPL · timechart · stats · visualisation |
| Day 06 | Brute-Force Detection Rule | Alert scheduling · threshold tuning · cron |
| Day 10 | Port Scan Detection | Firewall log analysis · rate-based detection |
| Day 16 | PowerShell Threat Hunting | T1059.001 · encoded commands · download cradles |
| Day 22 | Full SOC Operations Dashboard | Multi-source · 6 panels · auth/network/endpoint |
| Day 23 | Splunk API Automation | Python · REST API · async job polling |
---
| Day | Project (Network Forensics) | Key Skills |
|---|---|---|
| Day 02 | HTTP Traffic Capture | Live capture · TCP streams · HTTP analysis |
| Day 07 | DNS Analysis | NXDOMAIN · DGA domains · DNS filtering |
| Day 09 | Malware C2 PCAP Analysis | Domain fronting · C2 traffic · IOC extraction |
| Day 14 | ARP Storm Analysis | ARP protocol · storm vs poisoning · Cisco |
| Day 19 | File Extraction from PCAP | Export Objects · HTTP/FTP · DFIR recovery |
| Day 28 | WARMCOOKIE Intrusion Analysis | BITS abuse · C2 beaconing · SMB2 recon |
---
| Day | Project (Python Automation) | Key Skills |
|---|---|---|
| Day 03 | Apache Log Parser | Regex · suspicious pattern detection · reporting |
| Day 08 | IP Reputation Checker | VirusTotal API · threat scoring · JSON output |
| Day 13 | Multi-threaded Port Scanner | Socket · threading · service identification |
| Day 17 | IOC Extractor | 10-category regex · false positive filtering · JSON |
| Day 27 | Alert Enrichment Tool | WHOIS + VirusTotal · multi-source · verdicts |
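The Day 17 row above lists regex extraction with false-positive filtering but does not show what that filtering has to catch. The script below is an added example written for this README, not the portfolio's own IOC Extractor: it refangs report text, pulls out URLs, domains, IPv4 addresses, e-mails and hashes, and drops the classic noise (private and reserved IPs, version numbers that look like IPs, file names that look like domains, allowlisted vendor domains). The filter lists are assumptions to tune per environment, and `SAMPLE_REPORT` is constructed text that reuses the IOCs from this portfolio's campaign thread.

```python
"""Added example: a regex-based IOC extractor in the spirit of the Day 17 project.
Illustrative code written for this README, not the portfolio's own script.
Filter lists are assumptions; SAMPLE_REPORT is constructed text.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>)\]]+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RES = {  # longest first, so a SHA-256 is never re-read as a shorter hash
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
}
# Assumed false-positive lists; extend them for your environment
FILE_EXTENSIONS = {"exe", "dll", "ps1", "bat", "txt", "log", "zip", "pdf", "docx", "py"}
ALLOWLIST_DOMAINS = {"microsoft.com", "windowsupdate.com", "google.com"}
VERSION_PREFIX_RE = re.compile(r"\bv(?:ersion)?\s*$", re.I)  # "v1.2.3.4", "version 2.4.1.7"


def refang(text):
    """Undo the defanging used in threat reports so the patterns below match."""
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[@]", "@")):
        text = text.replace(defanged, real)
    return text


def is_public_ip(value):
    """True only for routable addresses; RFC 1918, loopback, TEST-NET etc. are noise."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_candidate_domain(name):
    """Reject file names, bare IPs and allowlisted vendor domains."""
    name = name.lower()
    if "." not in name or IPV4_RE.fullmatch(name):
        return False
    if name.rsplit(".", 1)[-1] in FILE_EXTENSIONS:  # svchost32.exe is a file, not a host
        return False
    return not any(name == a or name.endswith("." + a) for a in ALLOWLIST_DOMAINS)


def extract_iocs(text):
    """Return {category: sorted list}. Each pass blanks what it matched, so the
    host inside a URL or e-mail is not reported again by the bare-domain pass."""
    text = refang(text)
    found = {k: set() for k in ("urls", "domains", "ipv4", "emails", "sha256", "sha1", "md5")}
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:")
        found["urls"].add(url)
        host = (urlsplit(url).hostname or "").lower()
        if is_public_ip(host):
            found["ipv4"].add(host)
        elif is_candidate_domain(host):
            found["domains"].add(host)
    text = URL_RE.sub(" ", text)
    for m in EMAIL_RE.finditer(text):
        email = m.group(0).lower()
        found["emails"].add(email)
        sender_domain = email.split("@", 1)[1]
        if is_candidate_domain(sender_domain):
            found["domains"].add(sender_domain)
    text = EMAIL_RE.sub(" ", text)
    for name, rx in HASH_RES.items():
        found[name].update(h.lower() for h in rx.findall(text))
        text = rx.sub(" ", text)
    for m in IPV4_RE.finditer(text):
        if VERSION_PREFIX_RE.search(text[:m.start()]):  # "version 2.4.1.7" is not an IP
            continue
        if is_public_ip(m.group(0)):
            found["ipv4"].add(m.group(0))
    text = IPV4_RE.sub(" ", text)
    for m in DOMAIN_RE.finditer(text):
        if is_candidate_domain(m.group(0)):
            found["domains"].add(m.group(0).lower())
    return {k: sorted(v) for k, v in found.items()}


# Constructed report text for the example (the IOCs are the ones this portfolio tracks)
SAMPLE_REPORT = """\
Initial access from 185.220.101.45 (SSH brute-force), then beaconing to
91.240.118.172 via hxxps://exp-tas[.]com/update.php. Lateral movement from
10.10.14.22 to WS-SARAH-01 dropped svchost32.exe
(sha256 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b).
The lure came from billing@invoice-portal[.]net. Agent version 2.4.1.7 and
hosts syncing with windowsupdate.com were unaffected.
"""

if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_REPORT), indent=2))
```

Run it as-is and the JSON contains the two attacker IPs, `exp-tas.com`, the sender domain, the URL, the e-mail and the hash, while `10.10.14.22`, `2.4.1.7`, `svchost32.exe` and `windowsupdate.com` are all filtered out. The order of the passes matters: URLs are blanked before the domain pass, otherwise `update.php` would be reported as a host.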
---
| Day | Project (DFIR) | Key Skills |
|---|---|---|
| Day 12 | Windows Event Log Analysis | Event IDs · MITRE mapping · BTL1-style |
| Day 15 | Ransomware IR Report | Full IR report · T1490 · do-not-pay analysis |
| Day 21 | Memory Forensics with Volatility | Volatility 3 · pslist · filescan · envars |
| Day 25 | DFIR Capstone Investigation | 47-min attack chain · 14 MITRE techniques · double extortion |
---
| Day | Project (SOC Operations) | Key Skills |
|---|---|---|
| Day 04 | SOC Alert Triage | 10 alerts · FP/FN · prioritisation |
| Day 11 | Phishing Investigation | Email forensics · IOC extraction · MITRE |
| Day 20 | Credential Stuffing Detection Use Case | T1110.004 · detection logic · triage steps |
| Day 26 | Ransomware SOC Playbook | 7-phase IR · SPL integration · MTTD/MTTR |
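The Day 06 brute-force rule and the Day 20 credential stuffing use case are both rate-based detections over failed logins, and the difference between them is the spread of usernames, not the number of failures. The script below is an added example written for this README, not either project's own SPL; it expresses that logic in Python so it runs offline over constructed sshd-style lines. One sliding window per source IP is kept, and once failures cross the threshold the alert is classed as brute force (few usernames, T1110.001) or credential stuffing (many usernames, T1110.004). The window, thresholds, IPs and log lines are assumptions chosen for the example.

```python
"""Added example: rate-based failed-login detection over constructed sshd logs.
Illustrative code written for this README, not the Day 06 or Day 20 project.
Window, thresholds and log lines are assumptions chosen for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def build_constructed_log():
    """Constructed sshd-style lines for the example (not real data)."""
    base = datetime(2026, 4, 15, 9, 0, tzinfo=timezone.utc)
    rows = []

    def burst(ip, users, start_s, step_s, invalid=False):
        for i, user in enumerate(users):
            ts = base + timedelta(seconds=start_s + i * step_s)
            prefix = "invalid user " if invalid else ""
            rows.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} sshd[1201]: Failed password for "
                        f"{prefix}{user} from {ip} port {50000 + i} ssh2")

    burst("185.220.101.45", ["root"] * 12, 0, 5)            # 12 failures, one user, 1 min
    burst("91.240.118.172", ["admin", "backup", "oracle", "git", "postgres",
                             "test", "deploy", "ubuntu", "jenkins", "ftp"],
          30, 15, invalid=True)                             # 10 failures, 10 users, 2.5 min
    burst("10.10.14.22", ["sarah"] * 3, 0, 200)              # a user mistyping a password
    burst("203.0.113.9", ["admin"] * 6, 0, 10)               # two bursts 20 min apart:
    burst("203.0.113.9", ["admin"] * 6, 1200, 10)            # never 10 inside one window
    return "\n".join(rows)


SAMPLE_AUTH_LOG = build_constructed_log()


def parse_failures(text):
    """Return (timestamp, src_ip, username) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_auth_abuse(events, window=timedelta(minutes=5),
                      fail_threshold=10, user_threshold=5):
    """Sliding-window failure count per source IP; one alert per (IP, rule)."""
    windows = defaultdict(deque)
    alerts = {}
    for ts, ip, user in sorted(events):
        q = windows[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:        # expire events older than the window
            q.popleft()
        if len(q) < fail_threshold:
            continue
        users = {u for _, u in q}
        rule = "credential_stuffing" if len(users) >= user_threshold else "brute_force"
        key = (ip, rule)
        if key in alerts:                   # alert already open: keep counters current
            alerts[key]["failures"] = max(alerts[key]["failures"], len(q))
            alerts[key]["distinct_users"] = max(alerts[key]["distinct_users"], len(users))
            alerts[key]["last_seen"] = ts.isoformat()
            continue
        alerts[key] = {
            "rule": rule,
            "technique": "T1110.004" if rule == "credential_stuffing" else "T1110.001",
            "src_ip": ip,
            "failures": len(q),
            "distinct_users": len(users),
            "first_seen": q[0][0].isoformat(),
            "last_seen": ts.isoformat(),
        }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_auth_abuse(parse_failures(SAMPLE_AUTH_LOG)):
        print(alert)
```

Two alerts come out: brute force from 185.220.101.45 and credential stuffing from 91.240.118.172. The internal host with three failures and the IP that spreads twelve failures over two bursts twenty minutes apart stay silent, which is the point of a sliding window rather than a daily total. The same shape maps onto an SPL `bin _time span=5m | stats count dc(user) by src_ip` followed by a `where` on both counts.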
---
| Day | Project (CTF / Labs) | Key Skills |
|---|---|---|
| Day 05 | TryHackMe: Intro to SIEM | THM{000_SIEM_INTRO} · Splunk fundamentals |
| Day 18 | TryHackMe: DFIR Introduction | THM{DFIR_REPORT_DONE} · IR lifecycle · SANS vs NIST |
| Day 24 | BTLO: Phishing Analysis | 10/10 score · nested .eml evasion · Blogspot abuse |
---
A consistent attacker campaign runs as a thread across 25 days of this portfolio. The same threat actor infrastructure is tracked from initial reconnaissance through to ransomware deployment and data exfiltration:

```
Day 01 ──── SSH brute-force scanning (185.220.101.45)
Day 06 ──── Brute-force detection rule built
Day 08 ──── VirusTotal confirms 185.220.101.45: 17 engine detections
Day 09 ──── C2 PCAP analysis: 91.240.118.172, domain fronting via exp-tas.com
Day 11 ──── Phishing compromise of WS-SARAH-01
Day 12 ──── Windows event log forensics post-compromise
Day 15 ──── Ransomware incident response: INC-2026-0415
Day 16 ──── Threat hunting confirms svchost32.exe on all 5 hosts
Day 21 ──── Memory forensics: svchost32.exe still running
Day 23 ──── Splunk API confirms attacker IPs across environment
Day 25 ──── DFIR Capstone: full 47-minute attack chain reconstructed
            14 MITRE techniques · 45 MB exfiltrated · double extortion
```
The thread shows how a threat actor persists across an environment when earlier incidents are incompletely remediated: the svchost32.exe implant confirmed on Day 16 is still running in memory on Day 21, after the Day 15 ransomware response. That continuity ties the individual projects into one investigation rather than a set of disconnected exercises.
---
| Tool | Projects Used In |
|---|---|
| Splunk Enterprise | Days 1, 6, 10, 16, 22, 23 |
| Wireshark | Days 2, 7, 9, 14, 19, 28 |
| Volatility 3 | Day 21 |
| Python 3 | Days 3, 8, 13, 17, 23, 27 |
| VirusTotal API | Days 8, 27 |
| TryHackMe | Days 5, 18 |
| Blue Team Labs Online | Day 24 |
| Kali Linux | All practical days |
---
- BTL1: Blue Team Level 1 (Security Blue Team)
- CompTIA Security+
---
Banking and Finance graduate (Rivers State University) transitioning into cybersecurity with a focus on the defensive blue team path. Building this portfolio to demonstrate practical, job-ready skills ahead of applications for SOC Analyst and Junior DFIR roles.
---
- YouTube: https://www.youtube.com/@thecyberstudysessions
- LinkedIn: http://www.linkedin.com/in/elizabethnyimenka
- GitHub: https://github.com/nyimenkabenson
- Email: nyimenkabenson@gmail.com
---
Built across April–May 2026 · 30 days · 28 projects · 1 campaign narrative