About PookaSec
PookaSec is an open source security research project focused on practical, validated detection engineering.
Our Philosophy
Test everything. Every detection rule in our library has been validated against real attack simulations. If we can’t prove it works, we don’t publish it.
The Stack
Our production SIEM environment runs Wazuh for endpoint detection and response, Graylog for log aggregation and pipeline processing, OpenCTI for threat intelligence (354k+ IOCs across IPs, domains, hashes, and URLs), and Shuffle for security orchestration. Detections are continuously tested using Fomorian, our internal attack simulation engine, which currently covers 1,273 attack log templates across 244 MITRE ATT&CK techniques.
AWS CloudTrail feeds directly into the pipeline for cloud visibility, with detection rules covering IAM abuse, credential exfiltration, and infrastructure reconnaissance.
The Lab
The attack lab is a multi-tier enterprise simulation built on KVM, with separate network segments for corporate, DMZ, and attack infrastructure. It runs a full Active Directory environment with deliberately misconfigured certificate templates, weak delegation paths, and a populated user directory. The Linux segment includes an IDS node running Zeek with seven monitoring workers; a vulnerable applications host with thirteen services spanning web, API, ICS/SCADA, and cloud simulation; and a dedicated attack platform with a C2 framework and a full suite of adversary tooling.
The deception layer covers all tiers: Active Directory honeytokens and decoy service principals on the domain, canary files on shared storage, and an SSH honeypot in the DMZ. Every deception artifact is wired to the SIEM.
Cloud attack tooling is deployed against a local AWS emulator with 31 attack scenarios, covering IAM privilege escalation, SSRF, RCE, and data exfiltration paths.
Contact
- GitHub: @pookasecteam
- Email: security@pookasec.com