Master's in Cybersecurity — Production-grade portfolio project

SOC & GRC

End-to-end security operations and governance, built from scratch in Python. Detection engineering, risk management and compliance — tied together in one continuous security loop.

Portfolio Overview
Two disciplines. One security posture.

Most professionals specialise in one domain. This project demonstrates both detection and governance — and the feedback loop that connects them. Built to the standards enterprise security teams actually use.

Security Operations Center
Reactive — detect and respond
  • Log parsing and classification pipeline
  • MITRE ATT&CK-mapped detection rules
  • Brute force detection with sliding window
  • AbuseIPDB threat intelligence enrichment
  • NIST SP 800-61 incident response playbook
  • Daily automated scan pipeline via GitHub Actions
Governance, Risk and Compliance
Proactive — govern and prove
  • Risk matrix with likelihood × impact scoring
  • Network exposure scanner (nmap integration)
  • ISO 27001 compliance checklist and gap analysis
  • NIST CSF control mapping
  • Security policy and procedure templates
  • Automated weekly compliance reports
  • Security Operations (SOC): 24/7 threat monitoring. Continuous visibility across logs, endpoints and network traffic.
  • Governance (GRC): structured risk management. Policies, controls and compliance evidence that hold up in an audit.
  • Integration: one continuous feedback loop. SOC findings feed the risk register; GRC policies create the rules SOC enforces.
Security Operations
From raw logs to structured intelligence

The SOC pipeline ingests raw log files, classifies every entry, runs detection rules and produces structured alerts tagged with MITRE ATT&CK techniques. Click Execute to simulate the full pipeline.

  • Step 1, log ingestion and parsing: every line is classified as SSH auth, Apache access or syslog, and suspicious entries are flagged.
  • Step 2, detection and alerting: YAML rules match patterns, and every alert gets a MITRE technique ID attached.
soc-project — pipeline
$ python soc/log-parser/parser.py --file sample.log | python soc/alert-rules/alert_engine.py
  • Log Parser (parser.py): classifies every log line by type, flags suspicious patterns and outputs structured JSON for downstream processing.
  • Alert Engine (alert_engine.py): YAML rules mapped to MITRE ATT&CK; every rule match produces a severity-rated alert with full context.
  • Threat Intelligence (threat_intel.py): source IPs enriched via AbuseIPDB; abuse confidence score and categories are added to every alert automatically.
  • Brute Force Detector (detector.py): sliding window algorithm that counts failed logins per IP within a configurable time window, which is more accurate than total counts.
  • Dashboard (dashboard.py): terminal view of log volume by type, top IPs, HTTP status distribution and recent suspicious events in one place.
  • IR Playbook (playbook.md): step-by-step response procedures per alert type, based on NIST SP 800-61, so analysts know exactly what to do.
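To make the sliding-window idea concrete, here is an added example that is not the project's detector.py: the sshd-style log lines, the regex, the 5-attempt/60-second defaults and the alert fields are all constructed or assumed here. It also shows the point the card makes about total counts: both source IPs fail five times in the sample, but only one of them does so inside a single window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not the project's sample.log). Timestamps
# carry a full date so they parse unambiguously; IPs are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.5 port 50111 ssh2
2024-05-01T10:00:04 sshd[812]: Failed password for root from 203.0.113.5 port 50112 ssh2
2024-05-01T10:00:09 sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 50113 ssh2
2024-05-01T10:00:15 sshd[814]: Failed password for root from 203.0.113.5 port 50114 ssh2
2024-05-01T10:00:20 sshd[815]: Failed password for root from 203.0.113.5 port 50115 ssh2
2024-05-01T10:01:00 sshd[820]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-05-01T10:03:30 sshd[821]: Failed password for alice from 198.51.100.7 port 40002 ssh2
2024-05-01T10:06:00 sshd[822]: Failed password for alice from 198.51.100.7 port 40003 ssh2
2024-05-01T10:08:30 sshd[823]: Failed password for alice from 198.51.100.7 port 40004 ssh2
2024-05-01T10:11:00 sshd[824]: Failed password for alice from 198.51.100.7 port 40005 ssh2
2024-05-01T10:11:05 sshd[825]: Accepted publickey for alice from 198.51.100.7 port 40006 ssh2
"""

# Assumed log format: ISO timestamp, sshd prefix, then the standard failure message.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, ip, user) for every failed SSH login, in file order."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Sliding-window detector: alert when one source IP reaches `threshold`
    failed logins inside any span of `window_seconds`. One alert per IP, raised
    the first time the threshold is crossed."""
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    alerted = set()
    alerts = []
    window = timedelta(seconds=window_seconds)
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "rule_id": "RULE-001",       # tags follow the page's coverage table
                "technique": "T1110",
                "severity": "HIGH",
                "source_ip": ip,
                "failures_in_window": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
            })
    return alerts


def total_failures(log_text):
    """Naive per-IP totals, for comparison with the windowed result."""
    counts = defaultdict(int)
    for _ts, ip, _user in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    print("totals:", total_failures(SAMPLE_LOG))
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

With the defaults, 203.0.113.5 trips the rule after five failures in 19 seconds, while 198.51.100.7 (five failures spread over ten minutes, then a successful key login) never has more than one failure in any 60-second window. Tightening the threshold from 5 to 3 and widening the window, as the feedback-loop section describes, changes which bursts count.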
Governance, Risk and Compliance
Structure. Evidence. Accountability.

GRC is what turns technical security work into something an organisation can measure, audit and improve systematically. These tools implement a practical GRC programme from scratch.

  • Risk: systematic risk assessment. Likelihood × impact; six real-world scenarios scored and prioritised.
  • Compliance: ISO 27001 and NIST CSF. Control mapping, gap analysis templates, audit-ready documentation.
  • Risk Matrix (risk_matrix.py): likelihood × impact scoring engine; outputs a sorted risk register with severity levels and recommended treatment timelines.
  • Network Scanner (scanner.py): nmap wrapper that converts risky open ports into structured risk register entries, validating policy against network reality.
  • Security Policy (security_policy.md): complete policy template covering access control, patch management, incident response, data handling and physical security.
  • Compliance Checklist (checklist.md): ISO 27001 and NIST CSF controls unified; scores coverage and identifies gaps for remediation prioritisation.
  • Report Generator (generate_report.py): automated weekly reports with compliance scores and risk distribution, scheduled via GitHub Actions.
  • Gap Analysis (gap-analysis.md): maps current control coverage against ISO 27001 and NIST CSF and outputs a prioritised remediation roadmap.
Detection Engineering
MITRE ATT&CK coverage

Every detection rule maps to a MITRE ATT&CK technique. This is the industry standard for categorising attacker behaviour — referenced in every enterprise SIEM, EDR and XDR platform.

Why MITRE ATT&CK matters
When an alert fires, the technique ID tells you what the attacker is trying to accomplish and what they are likely to do next. This enables faster triage and targeted response — which is why every major security vendor maps their detections to ATT&CK.
  • RULE-001: T1110 Brute Force (Credential Access). Repeated failed logins per source IP; the attacker is systematically guessing credentials.
  • RULE-004: T1110.004 Credential Stuffing (Credential Access). Multiple 401s against /login; the attacker is using leaked credential pairs from other breaches.
  • RULE-002: T1078 Valid Accounts (Initial Access). Login with a non-existent username; often enumeration ahead of a targeted attack.
  • RULE-003: T1078 Valid Accounts (Privilege Escalation). Sudo authentication failure; an attempt to escalate from a standard account.
  • RULE-005: T1190 Exploit Public App (Initial Access). Request to /admin paths; a scanner probing for exposed administrative interfaces.
  • RULE-006: T1203 Client Exploitation (Execution). Segmentation fault detected; may indicate exploitation of a running process.
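The following is an added example of how per-line rules carry their ATT&CK tag onto the alerts they produce; it is not the project's alert_engine.py or its YAML files. The rules are written as Python dicts as a stand-in for YAML so the block runs without PyYAML; rule IDs, technique IDs and tactics follow the table above, while the regexes, severities and sample log lines are constructed here. RULE-001 is deliberately absent: it is a counting rule over time and belongs in the sliding-window detector, not in a stateless per-line matcher.

```python
import re

# Constructed stand-in for the project's YAML rule files. Rule IDs, techniques
# and tactics follow the coverage table; the regexes and severities are assumptions.
RULES = [
    {"id": "RULE-002", "technique": "T1078", "tactic": "Initial Access", "severity": "MEDIUM",
     "pattern": r"Failed password for invalid user (?P<user>\S+) from (?P<ip>\S+)"},
    {"id": "RULE-003", "technique": "T1078", "tactic": "Privilege Escalation", "severity": "HIGH",
     "pattern": r"sudo: pam_unix\(sudo:auth\): authentication failure;.*\buser=(?P<user>\S+)"},
    {"id": "RULE-004", "technique": "T1110.004", "tactic": "Credential Access", "severity": "HIGH",
     "pattern": r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "POST /login[^"]*" 401 '},
    {"id": "RULE-005", "technique": "T1190", "tactic": "Initial Access", "severity": "MEDIUM",
     "pattern": r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) /admin[^"]*" \d{3} '},
    {"id": "RULE-006", "technique": "T1203", "tactic": "Execution", "severity": "HIGH",
     "pattern": r"(?P<process>\S+)\[\d+\]: segfault at"},
]
for rule in RULES:
    rule["regex"] = re.compile(rule["pattern"])

# Constructed log lines: one hit per rule plus one benign request. IPs are
# documentation ranges; the syslog and Apache combined formats are assumed.
SAMPLE_LINES = [
    'May  1 10:01:00 web01 sshd[901]: Failed password for invalid user oracle from 203.0.113.9 port 51000 ssh2',
    'May  1 10:02:00 web01 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1001 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob',
    '203.0.113.9 - - [01/May/2024:10:04:00 +0000] "POST /login HTTP/1.1" 401 221 "-" "curl/8.0"',
    '203.0.113.9 - - [01/May/2024:10:05:00 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    'May  1 10:07:00 web01 kernel: [1234.567] nginx[2210]: segfault at 0 ip 00007f3a1c2b4d10 sp 00007ffd1e2c3d40 error 4 in libc.so.6[7f3a1c200000+1c0000]',
    '198.51.100.7 - - [01/May/2024:10:08:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]


def run_rules(lines, rules=RULES):
    """Match every line against every rule; each hit becomes a MITRE-tagged alert
    that keeps the captured fields (ip, user, process) as triage context."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        for rule in rules:
            m = rule["regex"].search(line)
            if m:
                alerts.append({
                    "rule_id": rule["id"],
                    "technique": rule["technique"],
                    "tactic": rule["tactic"],
                    "severity": rule["severity"],
                    "line": lineno,
                    "context": m.groupdict(),
                    "raw": line,
                })
    return alerts


def technique_counts(alerts):
    """Alerts per technique ID: the view an ATT&CK coverage report is built from."""
    counts = {}
    for alert in alerts:
        counts[alert["technique"]] = counts.get(alert["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    found = run_rules(SAMPLE_LINES)
    for alert in found:
        print(f'{alert["rule_id"]} {alert["technique"]:10} {alert["severity"]:6} '
              f'line {alert["line"]}: {alert["context"]}')
    print(technique_counts(found))
```

Because two rules share T1078 (one for enumeration, one for sudo failures), the technique count shows coverage by attacker behaviour rather than by rule, which is the view a coverage matrix is built from.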
Threat Intelligence
IP reputation lookup

Enrich any alert with external intelligence. Try the demo IPs or enter your own.

Integration
The feedback loop

SOC and GRC are not parallel tracks. They form a continuous loop. Every detection improves governance. Every policy creates new rules. This is what mature security operations looks like in practice.

1. SOC, alert fires: brute force SSH from 45.33.32.156. AbuseIPDB: 97% abuse confidence. Classified as a targeted attack, not noise.
2. GRC, risk register updated: the attack pattern raises likelihood on RISK-001 (SSH Exposure) from 3 to 5. Risk level escalates to Critical.
3. GRC, policy updated: security policy amended; SSH key auth now mandatory, password auth disabled. Patch deadline shortened to 7 days.
4. SOC, new detection rule: any password-based SSH attempt is now a policy violation. Threshold tightened from 5 to 3 attempts.
5. Both, compliance improves: weekly GRC report shows Access Control score up 12%. Risk downgraded. Post-incident report filed. Loop continues.
Why this matters at large organisations
Enterprise security teams do not look for people who know one tool. They want people who understand how detection, risk management and compliance connect. Describing this loop with a concrete example demonstrates system-level thinking. Most candidates cannot do it.
Incident Response
NIST SP 800-61 lifecycle

Every escalated incident follows this structure. The playbook exists so analysts do not make decisions under pressure.

1. Triage (assess and classify), target 5 minutes: real incident or false positive? Check source IP, time, context. Do not act until you know what you are dealing with.
2. Containment (stop the spread), HIGH alerts within 30 minutes: block the source IP, isolate affected systems. The priority is preventing lateral movement before investigation begins.
3. Investigation (build the timeline), complexity-dependent: what did the attacker do? Did they succeed? Which systems were touched? Evidence-based timeline from logs.
4. Eradication and Recovery (remove and restore), before full restoration: remove the threat, patch the vulnerability, verify a clean state. Restore services with continuous monitoring active.
5. Post-Incident (learn and improve), within 5 business days: write the report, update detection rules, improve the playbook, feed findings back into the risk register.
Risk Management
Likelihood × impact scoring

Risk scoring gives an objective basis for prioritisation. The score tells you what comes first when you cannot fix everything at once. Select a scenario or calibrate manually.

  • Phishing: L:5 × I:4 = 20
  • Unpatched systems: L:4 × I:5 = 20
  • SQL injection: L:3 × I:5 = 15
  • Insider threat: L:2 × I:5 = 10
  • DDoS attack: L:3 × I:3 = 9
  • Lost device: L:3 × I:2 = 6
  • 1–4: Low, accept or monitor
  • 5–9: Medium, 90-day remediation
  • 10–16: High, 30-day remediation
  • 17–25: Critical, immediate action
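An added example of the scoring and banding described in this section, and of step 2 of the feedback loop above (re-scoring RISK-001 after new SOC evidence). It is not the project's risk_matrix.py. The bands, timelines and six scenarios come from this page; the SSH Exposure entry's impact of 4 is an assumption, chosen so that raising likelihood from 3 to 5 escalates the level to Critical as the loop describes.

```python
# Score bands from the page's matrix: (lowest score, highest score, level, treatment).
BANDS = [
    (1, 4, "Low", "Accept or monitor"),
    (5, 9, "Medium", "Remediate within 90 days"),
    (10, 16, "High", "Remediate within 30 days"),
    (17, 25, "Critical", "Immediate action"),
]

# The six scenarios from the page as (name, likelihood, impact) on 1-5 scales.
SCENARIOS = [
    ("Phishing", 5, 4),
    ("Unpatched systems", 4, 5),
    ("SQL injection", 3, 5),
    ("Insider threat", 2, 5),
    ("DDoS attack", 3, 3),
    ("Lost device", 3, 2),
]

# Assumed: the page gives RISK-001 only its likelihood (3, later 5); impact 4 is
# chosen here so the re-score reproduces the escalation to Critical.
SSH_EXPOSURE = ("SSH Exposure (RISK-001)", 3, 4)


def score(likelihood, impact):
    """Return (score, level, treatment) for a likelihood x impact pair."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError(f"likelihood and impact must be 1-5, got {value}")
    total = likelihood * impact
    for low, high, level, treatment in BANDS:
        if low <= total <= high:
            return total, level, treatment
    raise AssertionError("bands must cover 1-25")  # unreachable with the bands above


def _sort(register):
    # Highest score first; ties broken alphabetically so the order is deterministic.
    register.sort(key=lambda row: (-row["score"], row["risk"]))


def build_register(scenarios):
    """Score every scenario and return a register sorted with the highest risk first."""
    register = []
    for name, likelihood, impact in scenarios:
        total, level, treatment = score(likelihood, impact)
        register.append({"risk": name, "likelihood": likelihood, "impact": impact,
                         "score": total, "level": level, "treatment": treatment})
    _sort(register)
    return register


def update_likelihood(register, risk_name, new_likelihood):
    """Re-score one entry when SOC evidence changes its likelihood (feedback loop
    step 2). Returns (old_level, new_level); the register is re-sorted in place."""
    for entry in register:
        if entry["risk"] == risk_name:
            old_level = entry["level"]
            entry["likelihood"] = new_likelihood
            entry["score"], entry["level"], entry["treatment"] = score(new_likelihood, entry["impact"])
            _sort(register)
            return old_level, entry["level"]
    raise KeyError(f"no register entry named {risk_name!r}")


if __name__ == "__main__":
    register = build_register(SCENARIOS + [SSH_EXPOSURE])
    print("before:", [(r["risk"], r["score"], r["level"]) for r in register])
    print("RISK-001 level change:", update_likelihood(register, SSH_EXPOSURE[0], 5))
    print("after: ", [(r["risk"], r["score"], r["level"]) for r in register])
```

The register sorts on the score first, so when the SSH Exposure entry moves from 12 (High) to 20 (Critical) it jumps from fourth place into the top tier alongside Phishing and Unpatched systems, which is what "risk level escalates to Critical" means in practice for the treatment deadline.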
Powered by Claude
Ask the AI security analyst

This is a live AI trained on cybersecurity. Ask anything about SOC, GRC, MITRE ATT&CK, risk scoring, ISO 27001, incident response, or how to break into the industry. This is what I am made of.

Why there is a live AI on this portfolio
Because showing is better than telling. Anyone can write that they understand cybersecurity. Embedding a live AI analyst that can answer real questions about this project demonstrates both technical depth and the ability to build things that actually work. This is built on Claude, Anthropic's AI — the same model that powers enterprise security tools.
Self-assessment
Enterprise interview readiness

These are the exact topics that come up in SOC and GRC interviews at large organisations. Tick what you can explain confidently. Each item maps to something this project demonstrates in practice.

Career readiness: enterprise security roles demand both technical and strategic fluency.