hi@keir_

/now

What I'm doing now

A running log of what I am breaking, building, and not getting arrested for.

Last updated

May 2026

Latest

May 2026

  • Tooling: Extending recon-suite with a service-fingerprinting pass and cleaner JSON output. The goal is one command that maps an external surface and hands back a ranked list of things worth poking.
  • Vyrox Security: Onboarding early pilots for the autonomous threat-investigation engine and hardening the deterministic core. Build the defenses by day, find the way past them by night.
  • Writing: Turning lab notes into real writeups. Half the skill is being able to explain what you did without lying.

Previous months

Earlier logs

April 2026
  • Vyrox Security: Shipped the Day 1 core foundation. Initial architecture, CI pipelines, HMAC-SHA256 crypto services. Memory-safe from the first commit, on purpose.
  • Rust for offense: Rewrote my port scanner in Rust as rscan. Faster than the Python original, and a single static binary I can drop on anything without dragging an interpreter along.
  • Lab: Built a defanged HTTP check-in client to study how implants actually phone home. No egress. Wireshark on the wire, reading every beacon.
March 2026
  • Offensive tooling: Moved more of the toolkit to Rust: single binaries, nothing to install on the target, no dependency hell mid-engagement.
  • Detection internals: Mapping what endpoint detection actually inspects, so I know what a technique looks like from the blue side before I run it. Theory in the lab, nothing pointed at anything real.
  • Vyrox: The deterministic workflow engine keeps eating my evenings. Reproducible by design is the whole pitch.
February 2026
  • Syscalls: Custom syscalls, what hooks see and what they miss. All of it in an air-gapped VM with a snapshot I am not afraid to roll back to.
  • Vyrox: Deep on deterministic state machines. The thing that makes a SOC trustworthy is the same thing that makes an attack reproducible.
  • Reading: Black Hat Rust, cover to cover.
January 2026
  • Bug bounty: A clean VDP report. Authorized scope, passive recon, a small finding, a tight writeup. Nobody replied. The writeup was the point.
  • Active Directory: Ran the GOAD attack chain end to end and wrote up the Kerberos path so it reads cleanly the second time.
  • Note: recon-suite picked up its first user outside my own lab this month. Small, but it left the building.
December 2025
  • BloodHound: Ingested my GOAD lab and let the graph show me the shortest path to Domain Admin. It is humbling how short the path usually is.
  • Lateral movement: Roast, crack, authenticate, repeat, until the whole domain falls over. In my own lab. Legally. Boringly. Beautifully.
  • Year-end: Cleaned up the lab, re-snapshotted everything, archived the year's notes. A tidy lab is a fast lab.
November 2025
  • Kerberoasting: Pulled a roastable hash out of GOAD, fed it to hashcat, watched a password fall out. Cackled at midnight, then apologized to nobody.
  • ad-arsenal-mini: Wired my LDAP and Kerberos tools into one CLI that prints the attack path in plain English.
October 2025
  • Active Directory: Stood up the GOAD lab. Provisioning took three hours and a walk. AD is a haunted house and I am mapping the floor plan.
  • Enumeration: NetExec, LDAP, SMB, the whole noisy chorus. Snapshotted everything before I touched it.
September 2025
  • Web, closed out: Finished the SSRF labs on PortSwigger. Comfortable with a proxy and a methodology now, not just a payload list.
  • VDP: Picked one program with broad scope, read the rules twice, did authorized passive recon only. Built a target inventory and kept my hands in my pockets.
August 2025
  • Foothold: Chained a couple of bugs on a deliberately vulnerable box to a shell. Then did it again cleanly, with real enumeration instead of luck, because the second run is the one that teaches you anything.
  • sqli-probe and xss-probe: Small detectors, tested against DVWA and Juice Shop, false-positive rates written down honestly.
July 2025
  • PortSwigger sprint: Worked the Web Security Academy hard. Practitioner labs, the ones that hurt in a good way.
  • Building: Started xss-probe, a context-aware reflected XSS detector. Finding the bug is half the work. Proving it is the other half.
June 2025
  • Recon: Shipped pyscan (async TCP scanner) and subhunter (subdomain enum). Wrapped both into recon-suite, my first flagship. Small, but it ships.
  • Lab: Metasploitable and Juice Shop running on isolated networks. My playground does not touch the internet.
May 2025
  • Tooling: Built auth-log-parser, a 50-line tool that reads auth.log and ranks the top failed SSH source IPs. First tagged release in the toolkit.
  • Networking: Read packets like tea leaves until the TCP handshake was something I could narrate instead of look up.
April 2025
  • The lab: Kali updated, KVM and Docker working without sudo, host-only network with no egress. Snapshot everything, restore instead of rebuild.
  • Workflow: Dotfiles in version control, git as reflex, everything reproducible. The boring infrastructure that makes the interesting work possible.
March 2025
  • Recon platforms: Set up accounts on HackerOne, Bugcrowd, PortSwigger, OverTheWire. Mapped which programs had scope actually worth the time.
  • Reading: Sun Tzu, because every web app is a fortress someone forgot to lock.
February 2025
  • Setup: Stood up the first version of the isolated environment and the toolchain that everything since has been built on top of.
  • Cadence: Wrote down the boring rules. Ship something every week, write it down, sleep. The work does not survive without them.
January 2025
  • Lab foundation: Stood up the isolated environment: Kali, KVM, Docker, host-only network. The whole point is a place where breaking things has no blast radius.
  • Health: Sleep, exercise, one off day a week. The non-negotiables that keep the rest running.