Available for new engagements

Mario Martín.

Cybersecurity consultant specialised in offensive simulation and detection engineering — the purple side of the room.

Defence is only real once a real attack validates it.

Get in touch Explore projects

years in security

public repos

certifications

cyberknight91 ~ profile

mario@cyberknight $ whoami

mario.martin.feliz · cyberknight91

mario@cyberknight $ ./profile.sh --summary

# loading profile…

─────────────────────────────────────

profile · cybersecurity consultant

focus · purple-team · detection eng

base · león, spain · remote-friendly

stack · sigma · yara · wazuh · att&ck

─────────────────────────────────────

mario@cyberknight $ echo $STATUS

[OK] available for new engagements

mario@cyberknight $

v0.1.0 · deployed on cloudflare online

HTB: Conversor | XSLT Injection → SQLite → needrestart (Linux Easy)

18 May 2026

Watch

Tu Linux guarda TUS Wi-Fi en texto plano 🚨 #shorts

18 May 2026

CURSO LINUX OFENSIVO - CLASE 4 - Detectar Backdoors y Reverse Shells en Linux (ps, netstat, lsof)

17 May 2026

CURSO LINUX OFENSIVO - CLASE 3 - Permisos Especiales en Linux (SUID, SGID y Sticky Bit) + CHMOD

15 May 2026

HTB: GiveBack | GiveWP RCE → PHP-CGI → runc Escape (Linux Medium)

14 May 2026

CURSO LINUX OFENSIVO - CLASE 2 - Cómo encontrar contraseñas en Linux como un hacker | CyberKnight

11 May 2026

Featured work · 04 / 7

Where offence meets detection.

Each lab ships both the attack and the detection that catches it. No isolated demos — the full chain, end-to-end.

./projects/ purple-lab

flagship

Adversary simulation paired with detection engineering.

Every MITRE ATT&CK technique (T1059, T1566, T1548…) ships with the Sigma rule that catches it, the expected SIEM events and a 72-hour false-positive baseline.

atomic-red-teamsigmamitre-att&ckwazuh

github.com/cyberknight91/purple-lab cd ./purple-lab ↵

./projects/ ad-attack-detection

Active Directory attacks and the detections that catch them.

Kerberoasting, AS-REP Roasting, Pass-the-Hash and DCSync executed end-to-end in a lab AD. Every step ships with Sigma + Elastic EQL detections and a hardening playbook.

active-directoryimpacketrubeuselastic

github.com/cyberknight91/ad-attack-detection cd ./ad-attack-detection ↵

./projects/ siem-homelab

Dockerised SOC. One docker compose up and you have a working detection stack.

Wazuh 4.8 + OpenSearch + Suricata + Filebeat — the full ingestion, parsing and dashboard chain ready to spin up a SOC in minutes.

dockerwazuhopensearchsuricata

github.com/cyberknight91/siem-homelab cd ./siem-homelab ↵

./projects/ detection-engineering

Sigma and YARA rule library built for production, not demos.

Full MITRE ATT&CK mapping, test cases, real false-positive notes and baselines tuned on office traffic.

sigmayaramitre-att&ck

github.com/cyberknight91/detection-engineering cd ./detection-engineering ↵

See all projects

Philosophy

Detection without simulation is theatre.

Simulation without detection is posing. Every offensive test in my labs ships with its blue counterpart: the Sigma rule, the hunting query, the runbook. Or it does not ship.

That overlap — the purple side of the room — is where the best work happens. Where the attack teaches you to defend, and the defence forces you to attack better.

detection-engineering ~ T1003.001.yml

# sigma rule · adversary playbook

defender@soc $ cat ./detection/T1003.001.yml

title: OS Credential Dumping (LSASS)

id: 5ad88c0e-72b1-4d12-9e3d-purple

status: production

level: high

logsource:

category: process_access

product: windows

detection:

selection: