About Me

Mon, 01 Jan 0001 00:00:00 +0000

Intro

Hi, my name is Mohammad Abdulla AlSayegh. A proactive and results-driven cybersecurity professional with extensive expertise in threat intelligence, automation, and security operations. Adept at leveraging cutting-edge technologies and automation to enhance threat detection, response, and mitigation strategies. Experienced in developing and integrating advanced security playbooks, scripts, and automated processes to streamline security operations and minimize risks.

Proven track record in:

Threat Intelligence & Incident Response:
- Collecting, analyzing, and disseminating actionable intelligence to mitigate emerging threats.
Security Automation & Orchestration:
- Designing and implementing automated security workflows to enhance response times and efficiency.
Dark Web & Threat Hunting:
- Monitoring and investigating leaked credentials, compromised data, and malicious activities.
Malware & Phishing Defense:
- Developing automated sandbox analysis, phishing detection, and domain monitoring solutions.
Cybersecurity Strategy & Innovation:
- Implementing custom security integrations and improving cybersecurity frameworks.

Committed to staying ahead of evolving cyber threats and continuously enhancing security postures through innovation and automation.

malsayegh.ae is a personal blog of my projects, discoveries and experiences in my world.

Certification

09-May-2023 - ITIL 4 Foundation
24-Aug-2023 - Certified in Cybersecurity (CC)
18-Nov-2024 - Network Monitoring and Threat Detection In-Depth (SEC503)
16-Oct-2025 - Cyber Threat Intelligence (FOR578)

Contact me

If you want to get in contact with me, feel free to send an e-mail to: contact@malsayegh.ae

Projects

Mon, 01 Jan 0001 00:00:00 +0000

This page has moved. Browse all projects at /project/.

Search

Mon, 01 Jan 0001 00:00:00 +0000

Tools & Resources

Mon, 01 Jan 0001 00:00:00 +0000

A curated list of tools I use across threat intelligence, security operations, detection engineering, and automation. Each entry includes a note on how I use it in practice.

Threat Intelligence Platforms

MISP Open-source threat intelligence sharing platform. I use MISP as the central IOC repository — ingesting feeds, tagging events with ATT&CK techniques, and pushing enriched indicators to SIEM and EDR via the API.

OpenCTI A knowledge graph for threat intelligence with native STIX 2.1 support. Useful for building actor profiles, tracking campaign relationships, and visualising the connections between TTPs, malware, and infrastructure.

AlienVault OTX Community-driven threat intel feed. I pull OTX pulses into the IOC enrichment pipeline for additional context on IPs, domains, and hashes — particularly useful for regional threat campaigns.

Malware Analysis & Sandboxes

Any.run Interactive sandbox for detonating suspicious files and URLs. The real-time process tree and network activity views make it invaluable for phishing analysis automation — behaviour results feed directly into verdict scoring.

VirusTotal Multi-engine file, URL, IP, and domain reputation platform. Used extensively in enrichment pipelines via the v3 API. The graph feature is underrated for visualising malware infrastructure.

Cuckoo Sandbox Self-hosted malware analysis environment. Useful when files are too sensitive to submit to public sandboxes. Integrates cleanly with SOAR playbooks via the REST API.

FLOSS FireEye/Mandiant tool for automatically extracting obfuscated strings from malware binaries — far more effective than plain strings for packed or encoded samples.

OSINT & Reconnaissance

Shodan Search engine for internet-connected devices. I use Shodan in IOC enrichment to check open ports, services, and historical data for suspicious IPs. The API integrates directly into the enrichment pipeline.

Censys Similar to Shodan but with stronger TLS certificate search. Useful for tracking threat actor infrastructure — C2 servers often reuse certificates across campaigns.

URLScan.io Automated URL scanner that captures screenshots, DOM content, and network requests. Used in phishing analysis for safe URL detonation and visual inspection without visiting the site directly.

WHOIS / DomainTools Domain registration history and WHOIS data. Checking domain age is a critical step in phishing triage — domains registered less than 30 days ago are heavily weighted in the verdict engine.

Detection & Monitoring

Splunk Primary SIEM for alert correlation, threat hunting queries, and detection engineering. SPL (Search Processing Language) is the query language I use most across hunt packages and tuning automation.

Microsoft Sentinel Cloud-native SIEM/SOAR with deep Microsoft 365 and Entra ID integration. KQL is expressive and fast — particularly strong for identity-based hunting and the compromised account playbook.

Sigma Generic detection rule format that compiles to Splunk, Sentinel, Elastic, and others. Writing detections in Sigma first prevents vendor lock-in and makes sharing with the community straightforward.

YARA Pattern-matching language for malware detection. I use YARA rules in sandbox pipelines, EDR custom detections, and MISP for classifying malware families against collected samples.

Automation & Orchestration

Palo Alto XSOAR The SOAR platform behind most of the playbooks documented in this site. Python-based playbook scripting with a large integration library covering most enterprise security tools.

n8n Self-hosted workflow automation. Useful for lighter automation tasks — webhook-triggered enrichment, scheduled report delivery, and connecting tools that don’t have a native SOAR integration.

Python 3 The primary language for all automation projects on this site. Key libraries: pymisp, vt-py, requests, pandas, jinja2, telethon, splunk-sdk.

Threat Intelligence Frameworks & References

MITRE ATT&CK The universal vocabulary for adversary behaviour. Every hunt package, detection rule, and playbook on this site maps back to ATT&CK techniques. The Navigator tool is essential for visualising coverage gaps.

MITRE D3FEND The defensive counterpart to ATT&CK — maps countermeasures to attack techniques. Useful for prioritising security controls and justifying tooling investments to management.

CISA KEV Catalog CISA’s list of vulnerabilities with confirmed in-the-wild exploitation. A CVE in this list instantly becomes a P1 remediation priority regardless of CVSS score.

FIRST EPSS Exploit Prediction Scoring System — daily probability score for whether a CVE will be exploited in the next 30 days. More operationally useful than CVSS alone for prioritising patch tickets.

Malpedia Curated malware family encyclopedia maintained by Fraunhofer FKIE. My first stop when identifying a new malware sample — family descriptions, YARA rules, and actor associations.

Missing a tool or want to discuss any of these? Reach out at contact@malsayegh.ae

Pages on Mohammad Al Sayegh

Archives

About Me

Intro

Certification

Contact me

Projects

Search

Tools & Resources

Threat Intelligence Platforms

Malware Analysis & Sandboxes

OSINT & Reconnaissance

Detection & Monitoring

Automation & Orchestration

Threat Intelligence Frameworks & References