Purdue University · BS Cybersecurity 2027

Aryan Singh

Offensive Security / Threat Intelligence / Detection Engineering

A student interested in how nation-state actors operate — and how to build things that catch them.


Experience.

AT-0007 / SECTION 01 · EMPLOYMENT
Roles spanning MDR, student SOC operations, detection engineering, and product development.
01 / 2026.SU · Horizon3.ai
EDR Validation Intern · Incoming, Summer 2026 · San Francisco, CA
Offensive security and adversarial AI — validating endpoint defenses against autonomous attack techniques at NodeZero scale.
02 / 2026.SP · Verkada
Technical Support Engineer Intern · Incoming, Spring 2026 · San Mateo, CA
Supporting hardware-backed physical security infrastructure — cameras, access control, and enterprise device management.
03 / 2026.01 · DiTM Security
Founder & Detection Engineer · Active · Jan 2026 — Present · Remote
Founded an offensive-led detection company. Shipping a browser-resident agent against ClickFix, clipboard hijacking, credential phishing, and social-engineering lures. Enterprise offering includes Armor Console with Splunk SIEM integration.
04 / 2025.06 · ReliaQuest
Detection Engineer Intern · Jun — Aug 2025 · Remote
Authored production detections at MDR scale across 700+ customer environments. Tuned YARA-based coverage against live adversary tradecraft.
05 / 2024.08 · Purdue University
Student Lead SOC Analyst · Active · Aug 2024 — Present · West Lafayette, IN
Leading student-run incident response operations across a 50,000+ user campus environment. Triaging 50+ daily alerts across authentication, endpoint, and email telemetry. Authored detection runbooks for credential stuffing, lateral movement, and phishing campaigns.
06 / 2024.08 · Purdue University
Undergraduate Teaching Assistant — CNIT270 · Aug — Dec 2024 · West Lafayette, IN
Facilitated hands-on labs covering networking, cryptography, and web security fundamentals for 20+ students. Graded lab reports and provided technical feedback on assignments.

Projects.

AT-0007 / SECTION 02 · PROJECT ARCHIVE
Organized by discipline — offensive research, defensive tooling, and infrastructure.
Offensive Research
OP-001 · Adversary Emulation Program · In Progress · APT29 Phase 1

APT Emulation Program

A research project reconstructing nation-state TTPs into functional tooling — built from primary-source threat intelligence reports, not ATT&CK generics. Each emulation takes a named campaign, extracts the actual behavioral patterns documented by Mandiant, MSTIC, CrowdStrike, and FireEye, then re-implements them as working tools engineered to evade 2026 enterprise defenses.

APT29/NOBELIUM is the first active emulation. Custom tooling written in C, Python, and PowerShell — EnvyScout HTML smuggler, evasive loader (Hell's Gate indirect syscalls, Ekko sleep masking, call stack spoofing), and a POSHSPY WMI backdoor. Tested against Elastic EDR 9.3 in full block/prevent mode and Windows Defender.

APT Roster
  • APT29 · Cozy Bear / NOBELIUM · In Progress
  • APT28 · Fancy Bear / SOFACY · Queued
  • Turla · Venomous Bear · Queued
  • Sandworm · Voodoo Bear · Queued
  • Berserk Bear · Dragonfly / Energetic Bear · Queued

Emulation phases:
  01 Init Access · 02 C2 Setup · 03 Discovery · 04 UAC Bypass · 05 Priv Esc · 06 Cred Access · 07 Def Evasion · 08 Persistence · 09 Lat Move · 10 Dom Priv Esc · 11 Dom Persist · 12 Cleanup

Also building → CLASSIFIED C2 framework with runtime TTP switching — behavioral profiles for each Bear.

C / Win32 · Indirect Syscalls · Ekko Sleep Mask · Stack Spoofing · HTML Smuggling · WMI Backdoor · Python · PowerShell · Threat Intel
EDR Detections: 00 · APTs Queued: 06 · Tools Authored: 07+
OP-002 · Browser-resident Defense · Shipping · 75+ installs

ClickArmor

A browser extension built to catch what traditional endpoint tools miss — ClickFix lures, clipboard hijacking chains, credential phishing, and social engineering pretexts at the moment of contact.

  • Analyzed 55,000+ phishing samples from PhishTank and ThreatFox to extract indicators and validate detection coverage against live adversary infrastructure.
  • Reverse-engineered 5,000+ ClickFix domains to map execution chains, staging infrastructure, and obfuscation patterns.
  • Enterprise offering (Armor Console) includes Splunk SIEM integration with structured ditm:armor:agent events and agent enrollment.
Extension · ClickFix · Clipboard Hijack · Splunk SIEM · Armor Console
Installs: 75+ · Telemetry: Splunk · Samples: 55k+
OP-003 · Offensive Infra Lab · Operational

Phishing Infrastructure Lab

End-to-end AiTM phishing range built to study adversary delivery infrastructure, MFA bypass techniques, and anti-analysis evasion.

  • Deployed Evilginx with custom phishlets for MFA bypass and session hijacking; automated provisioning with Terraform and Caddy reverse proxies.
  • Implemented JA4 fingerprinting, headless browser detection, website keying, and dynamic obfuscation to study anti-analysis evasion patterns.
  • Tested HTML smuggling via SVG payloads against Google Safe Browsing to understand delivery evasion at scale.
AiTM · Evilginx · MFA Bypass · JA4 · HTML Smuggling · Terraform
Defensive Research
DF-001 · Cloud-Native EDR · Built

Shelter EDR — Cloud-Native Endpoint Telemetry Platform

A self-built EDR exploring what it takes to collect, process, and visualize endpoint telemetry at scale — designed to understand the defender's side of the stack from first principles.

  • Built a Go-based agent with a distributed ingestion API for real-time endpoint telemetry collection.
  • Designed a Redis-backed async pipeline processing 3,000+ events/sec at sub-120ms latency.
  • Deployed Dockerized services with cloud-hosted PostgreSQL and Redis for scalable, fault-tolerant event processing.
  • Implemented batching, compression, and retry logic maintaining under 3% CPU and 50MB memory per endpoint.
  • Built a React dashboard for host monitoring, event visualization, and alert triage.
Go · PostgreSQL · Redis · React · Docker · AWS
Throughput: 3k+/s · Latency: <120ms · Mem/host: <50MB
DF-002 · Malware Analysis Lab · Ongoing

Malware Analysis & RE Lab

A home lab for static and dynamic malware analysis — built to understand how malware behaves before writing detections for it.

  • Built an isolated sandbox environment; used PEStudio and CAPA to study malware families including ransomware and malicious documents.
  • Performed static analysis on malware binaries with Remnux and Ghidra — studying import tables, process trees, and function call patterns.
  • Analyzed dynamic malware behavior using SysInternals to observe running processes, file system changes, and registry modifications.
Ghidra · PEStudio · CAPA · Remnux · SysInternals
DF-004 · Mobile Security Lab

Android Pentesting Lab

Hands-on exploration of Android application security vulnerabilities and mobile penetration testing techniques.

  • Deployed InjuredAndroid on an API Level 29 Android virtual machine to study and exploit common mobile vulnerabilities.
  • Used Jadx and Android Studio to discover security misconfigurations exposing sensitive Firebase and AWS database credentials.
  • Injected Frida manually and used Objection to disable SSL pinning for traffic interception and analysis.
Android · Frida · Objection · Jadx · SSL Pinning
Infrastructure & Networking
NW-001 · Enterprise Network Lab · Built

Enterprise Network Engineering Lab

A from-scratch enterprise network simulation covering routing, switching, segmentation, and security policy.

  • Implemented dual-router OSPF with inter-VLAN routing, DHCP, and NAT across a multi-segment topology.
  • Deployed VLAN-aware ACLs for HTTP/HTTPS/FTP traffic segmentation policies and destination NAT to publish IIS services.
  • Configured MSTP for loop-free Layer-2 redundancy and fault tolerance across the switching fabric.
OSPF · VLANs · ACLs · NAT · MSTP
NW-002 · AD & Virtualization Lab · Built

AD & vSphere Infrastructure Lab

A multi-site Active Directory and virtualized infrastructure lab built to understand enterprise identity and compute environments — the same environments that get compromised.

  • Constructed a multi-site Active Directory domain with 4 domain controllers and 6 clients with DNS-integrated authentication and name resolution.
  • Deployed enterprise services on VMware ESXi/vSphere with centralized management via vCenter.
Windows Server · Active Directory · DNS · VMware ESXi · vSphere
NW-003 · Cloud IoT Lab · Built

Cloud IoT Device Emulation Lab

Emulated outbound-only cloud-connected IoT device behavior to study connectivity failure modes and support escalation patterns.

  • Reproduced offline states via DNS/NTP blocks, firewall and NAT changes, and MTU mismatch scenarios.
  • Root-caused failures using packet captures and connection traces; produced symptom-to-fix documentation for support-style escalation.
  • Built a companion pre-deployment network validation tool evaluating DNS resolution, TLS connectivity, NTP sync, MTU limits, and proxy behavior.
Python · TCP/IP · TLS · DNS · NTP · Linux

Competitions.

AT-0007 / SECTION 03 · COMPETITIVE RECORD
CTF and competitive security rankings.
Top 50 / 8,569
National Cyber League — Individual
Top 0.6% nationally. Used Wireshark for traffic analysis and UDP exfiltration detection, ELK for log analysis, Autopsy for ext4 forensics, Binwalk for Squashfs image analysis, and Volatility for memory dumps.
Top 10 / 4,212
National Cyber League — Team
Top 0.25% in team category. Combined forensics, log analysis, and network traffic investigation across team challenges spanning multiple categories.
#5 / US
TryHackMe — February 2024
Ranked #5 in the United States on TryHackMe in February 2024. Earned Dante Pro Lab certification on HackTheBox through a simulated enterprise network pentest.

Credentials.

AT-0007 / SECTION 04 · LICENSES & ACCREDITATIONS
CRTL
Certified Red Team Lead — Zero-Point Security. Perfect score on record.
CRTO
Certified Red Team Operator — adversary tradecraft and C2 operations.
Offensive Phishing Ops
MaldevAcademy — modern phishing infrastructure and payload tradecraft.
eJPT
eLearnSecurity Junior Penetration Tester — INE.

Skills.

AT-0007 / SECTION 05 · TECHNICAL INVENTORY
Tools, languages, and platforms across offensive and defensive disciplines.
Red Team
Cobalt Strike · Sliver C2 · Havoc C2 · Evilginx · Crystal Kit (post-ex) · Phishing Kit RE · Burp Suite
Detection & SIEM
Splunk · Elastic EDR · CrowdStrike Falcon · Microsoft Defender · IBM QRadar · Google Chronicle · ELK Stack · YARA
Languages
C / C++ · Python · PowerShell · Go · JavaScript · SQL
Analysis & RE
Ghidra · Wireshark · PEStudio · CAPA · Remnux · SysInternals · Frida · Volatility
Infrastructure
Docker · Linux · Active Directory · VMware ESXi / vSphere · AWS · Terraform · Supabase

Contact.

AT-0007 / SECTION 06 · CORRESPONDENCE
Student researcher. Open to internships, research collaborations, and conversations about offensive security and threat intelligence.