MOHAMMAD FAVAS S
Cyber Security Analyst | SOC Analyst | Certified SOC Analyst (CSA)
Certified SOC Analyst (CSA) focused on threat detection, security monitoring, incident response, and Linux hardening. Experienced in building SIEM-driven detection workflows, CTI pipelines, log correlation, and virtual lab environments for security testing.
Defense-first monitoring, hardened infrastructure, and practical security engineering.
Certified SOC Analyst focused on monitoring, incident response, Linux hardening, traffic analysis, and threat-intelligence workflows.
Based in Kerala, India, with hands-on experience building SIEM pipelines, lab environments, and defensive security tooling.
- Threat detection engineering
- Incident response readiness
- Linux system hardening
- Virtual lab security testing
- CTI enrichment and IOC prioritization
- Defense-first analysis of logs, endpoints, and network traffic
- Hands-on experience building isolated virtual lab environments
- Strong Linux administration and hardening foundation
- Practical automation for faster triage and investigation
- Building measurable detections from threat intelligence and host telemetry
Selected projects.

Linux Hardening & SIEM Orchestration
Remediated 100+ security misconfigurations on Arch Linux, raising CIS Benchmark compliance from 26% to 83%. Reduced the attack surface with kernel module blacklisting, secure mount options, sysctl protections, and 22,000+ auditd rules, then wired the host into a Dockerized Wazuh stack for file integrity monitoring (FIM), security configuration assessment (SCA), and SOC-style alert triage.
Open repository
Threat Intel Aggregation & IOC Enrichment Pipeline
Built a Python CTI pipeline that ingests 50k-60k+ IOCs per run from URLhaus, Feodo Tracker, and AlienVault OTX, normalizes and deduplicates 55k+ indicators in SQLite, scores 45k+ IOCs by recency and cross-feed corroboration, enriches high-confidence IPs with AbuseIPDB and VirusTotal, and exports Wazuh CDB lists that back live MITRE ATT&CK-mapped detection rules.
Open repository
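The normalize, deduplicate, score and export stages described above (and summarized again in the writeup list further down) fit in a short script. The following is an added illustration and not the project's own code: constructed feed records in roughly the shape URLhaus, Feodo Tracker and OTX emit are flattened to one schema, deduplicated per (indicator, source) in an in-memory SQLite table that keeps the latest sighting, scored with a hypothetical formula (30 points per corroborating extra source plus up to 70 for recency, decaying to zero over 30 days), filtered to the IPs worth spending an AbuseIPDB or VirusTotal lookup on, and rendered as a Wazuh CDB list. The scoring weights, thresholds and record layouts are assumptions.

```python
"""Toy version of a CTI pipeline: normalize feeds -> dedupe in SQLite -> score ->
pick enrichment candidates -> export a Wazuh CDB list.
Added example, not the project's code; every feed record below is constructed."""
import re
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlparse

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so scores are reproducible
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed records in roughly the shape the three feeds emit (assumption, not real data).
URLHAUS = [
    {"url": "http://203.0.113.10/old.exe",     "dateadded": "2024-05-25 10:00:00"},  # older dup
    {"url": "http://203.0.113.10/payload.exe", "dateadded": "2024-05-30 10:00:00"},
    {"url": "http://198.51.100.7/x.bin",       "dateadded": "2024-03-01 08:00:00"},
]
FEODO = [
    {"ip_address": "203.0.113.10", "first_seen": "2024-05-28 00:00:00"},
    {"ip_address": "192.0.2.44",   "first_seen": "2024-05-31 12:00:00"},
]
OTX = [
    {"indicator": "203.0.113.10", "type": "IPv4",   "created": "2024-05-29T00:00:00"},
    {"indicator": "evil.example", "type": "domain", "created": "2024-05-20T00:00:00"},
]


def _ts(text):
    """Feed timestamps arrive in two layouts; return one aware UTC datetime."""
    return datetime.fromisoformat(text.replace(" ", "T")).replace(tzinfo=timezone.utc)


def normalize(urlhaus=URLHAUS, feodo=FEODO, otx=OTX):
    """Flatten every feed into (indicator, type, source, seen_at) tuples."""
    rows = []
    for r in urlhaus:
        host = urlparse(r["url"]).hostname
        rows.append((host, "ip" if IPV4.match(host) else "domain", "urlhaus", _ts(r["dateadded"])))
    for r in feodo:
        rows.append((r["ip_address"], "ip", "feodo", _ts(r["first_seen"])))
    for r in otx:
        rows.append((r["indicator"], "ip" if r["type"] == "IPv4" else "domain", "otx", _ts(r["created"])))
    return rows


def load(rows):
    """Dedupe per (indicator, source) in SQLite, keeping the most recent sighting."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ioc (indicator TEXT, type TEXT, source TEXT, seen_at TEXT, "
               "UNIQUE(indicator, source))")
    db.executemany(
        "INSERT INTO ioc VALUES (?, ?, ?, ?) "
        "ON CONFLICT(indicator, source) DO UPDATE SET seen_at = max(seen_at, excluded.seen_at)",
        [(i, t, s, d.isoformat()) for i, t, s, d in rows])
    return db


def score(db, now=NOW):
    """Hypothetical scoring: 30 points per corroborating extra source, plus up to 70 for
    recency that decays linearly to 0 over 30 days; capped at 100."""
    scored = {}
    for ind, kind, nsrc, latest in db.execute(
            "SELECT indicator, MIN(type), COUNT(DISTINCT source), MAX(seen_at) "
            "FROM ioc GROUP BY indicator"):
        age_days = (now - datetime.fromisoformat(latest)).days
        recency = max(0.0, 1.0 - age_days / 30)
        scored[ind] = {"type": kind, "sources": nsrc,
                       "score": int(min(100, round(30 * (nsrc - 1) + 70 * recency)))}
    return scored


def select_for_enrichment(scored, threshold=60):
    """Only high-confidence IPs are worth a rate-limited AbuseIPDB or VirusTotal lookup."""
    return sorted(i for i, v in scored.items() if v["type"] == "ip" and v["score"] >= threshold)


def export_cdb(scored, threshold=60):
    """Wazuh CDB list: one 'key:value' line per indicator; the score rides as the value."""
    return "".join(f"{i}:{v['score']}\n" for i, v in sorted(scored.items())
                   if v["score"] >= threshold)


if __name__ == "__main__":
    s = score(load(normalize()))
    print("enrich:", select_for_enrichment(s))
    print(export_cdb(s), end="")
```

Wazuh reads the exported file once it is referenced in a `<list>` entry under `<ruleset>` in ossec.conf; a rule then matches on it with, for example, `<list field="srcip" lookup="address_match_key">etc/lists/cti-iocs</list>`. Keeping the score as the CDB value lets a second rule with `lookup="match_key_value"` alert at a higher level only for top-scored hits.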
Peelr
Built Peelr, a JavaScript recon and triage tool written in Go with only the standard library, for rapid recon across remote and local `.js` files. Peelr flags hardcoded secrets, risky client-side sinks, endpoints, comments, emails, and filesystem paths, then surfaces per-file risk scores through a CLI, a local web UI, scan history, and diffs between scans.
Open repository
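The finding categories Peelr reports (secrets, sinks, endpoints, paths, emails, plus a risk score and scan diffs) map naturally onto a rule table. As an added illustration of that design, not Peelr's source (Peelr is written in Go; this is Python to match the other example on this page), the snippet below runs a hypothetical regex rule set over a constructed JavaScript bundle, weights the hits into a 0 to 100 risk score, and diffs two scans so only new findings surface. The rules and weights are assumptions, deliberately narrow rather than exhaustive.

```python
"""Regex-driven JavaScript triage in the spirit of Peelr: flag secrets, risky sinks,
endpoints, filesystem paths and emails in a .js file, roll them into a risk score, and
diff two scans. Added example with a hypothetical rule set; the sample JS is constructed."""
import re
from dataclasses import dataclass

# Hypothetical rules (category, label, pattern). When a pattern has a capture group the
# group is reported as evidence; otherwise the whole match is.
RULES = [
    ("secret",   "aws-access-key-id",    re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("secret",   "generic-credential",   re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret|password)\b\s*[:=]\s*[\"'][^\"']{8,}[\"']")),
    ("sink",     "innerHTML-assignment", re.compile(r"\.(?:inner|outer)HTML\s*=(?!=)")),
    ("sink",     "eval",                 re.compile(r"\beval\s*\(")),
    ("sink",     "document.write",       re.compile(r"\bdocument\.write(?:ln)?\s*\(")),
    ("endpoint", "fetch-url",            re.compile(r"\bfetch\(\s*[\"']([^\"']+)[\"']")),
    ("path",     "filesystem-path",      re.compile(
        r"[\"'](/(?:etc|var|home|tmp|usr|opt)/[^\"']+)[\"']")),
    ("email",    "email-address",        re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]
WEIGHTS = {"secret": 25, "sink": 15, "endpoint": 5, "path": 3, "email": 2}  # assumed weights

# Constructed sample bundle; the key is Amazon's documented placeholder, not a live credential.
SAMPLE_JS = """\
// constructed sample bundle, not from any real site
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const cfg = { token: "sk_live_abcdef1234567890" };
fetch("/api/v1/users?id=" + id).then(r => r.json());
document.getElementById("out").innerHTML = location.hash.slice(1);
eval(userInput);
// contact: admin@example.com
const logPath = "/var/log/app/debug.log";
"""


@dataclass(frozen=True)
class Finding:
    category: str
    label: str
    line: int
    evidence: str


def triage(source: str) -> dict:
    """Run every rule over every line; score is the capped sum of category weights."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for category, label, rx in RULES:
            for m in rx.finditer(text):
                evidence = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(category, label, lineno, evidence))
    return {"score": min(100, sum(WEIGHTS[f.category] for f in findings)),
            "findings": findings}


def diff(previous: dict, current: dict) -> list:
    """Findings in the current scan that the previous one lacked. Line numbers are
    ignored so a bundle that merely shifted lines does not light up as all-new."""
    seen = {(f.category, f.label, f.evidence) for f in previous["findings"]}
    return [f for f in current["findings"] if (f.category, f.label, f.evidence) not in seen]


if __name__ == "__main__":
    report = triage(SAMPLE_JS)
    print(f"risk score: {report['score']}")
    for f in report["findings"]:
        print(f"  L{f.line:<3} {f.category:<8} {f.label:<20} {f.evidence}")
```

The diff is keyed on (category, label, evidence) rather than on line numbers; that is the property a scan-history feature needs so that a minified bundle re-released with whitespace changes does not re-alert on every old finding.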
Investigations, engineering notes, and technical writeups.
🛰️ Threat Intel Aggregation & IOC Enrichment Pipeline
Technical writeup for a Blue Team CTI pipeline that ingests open-source IOCs, deduplicates and scores them, enriches high-confidence indicators, and exports live Wazuh CDB detection lists.
Read story
🐧 Linux Infrastructure Hardening & SIEM Orchestration
Technical walkthrough covering the remediation of 100+ misconfigurations on a minimalist Arch Linux endpoint to achieve an 83% CIS Benchmark score. Demonstrates a defense-in-depth methodology, shifting from a vulnerable baseline to a production-hardened posture via layered kernel, filesystem, and identity-level controls.
Read story
🧅 Peelr: JavaScript Recon And Triage
Peelr is a stdlib-only Go tool for JavaScript recon and triage. It analyzes remote or local .js files, highlights secrets, endpoints, risky sinks, and paths, then presents results through a CLI, web UI, and scan history.
