cipheread/README.md
██████╗ ███████╗██████╗     ██╗    ██████╗ ██╗     ██╗   ██╗███████╗
██╔══██╗██╔════╝██╔══██╗   ██╔╝    ██╔══██╗██║     ██║   ██║██╔════╝
██████╔╝█████╗  ██║  ██║  ██╔╝     ██████╔╝██║     ██║   ██║█████╗  
██╔══██╗██╔══╝  ██║  ██║ ██╔╝      ██╔══██╗██║     ██║   ██║██╔══╝  
██║  ██║███████╗██████╔╝██╔╝       ██████╔╝███████╗╚██████╔╝███████╗
╚═╝  ╚═╝╚══════╝╚═════╝ ╚═╝        ╚═════╝ ╚══════╝ ╚═════╝ ╚══════╝

Faisal Mehmood · cipheread

Security Operations Engineer · Red Teamer · Blue Teamer · Incident Responder

"I attack like a Red Teamer. I defend like a Blue Teamer. I think like both."



$ whoami --full

name:         Faisal Mehmood
alias:        cipheread
role:         Security Operations Engineer
speciality:   Red + Blue Team Operations · DevSecOps · Incident Response
mindset:      Adversary-informed defense — I break things to learn how to fix them
current:      Enhancing detection logic, SIEM use cases, and VAPT lifecycles
learning:     Adversary emulation (MITRE ATT&CK), purple teaming, CI/CD security

I operate on both sides of the security divide — running offensive assessments as a Red Teamer to uncover real attack paths, then switching context to Blue Team operations to build the detections that catch them. My SOC work is shaped by attacker thinking: every alert I tune, every SIEM rule I write, every incident I respond to is informed by how an adversary would actually behave in the environment.


$ cat /etc/operator-profile

🔴 Red Team Operations

Role        Offensive Security Analyst
Mindset     Assume breach · think like the adversary
Focus       VAPT · adversary simulation · TTPs
Framework   MITRE ATT&CK · PTES · OWASP

What I do on the Red side:

  • Conduct full-scope VAPT engagements (network, web, AD)
  • Simulate real-world adversary TTPs against live environments
  • Develop custom payloads and evasion techniques
  • Exploit misconfigurations across cloud and on-prem infra
  • Document attack paths for remediation and purple team handoff

🔵 Blue Team Operations

Role        SOC / Detection Engineer · IR Lead
Mindset     Detect early · contain fast · learn always
Focus       SIEM · EDR · log analysis · incident response
Framework   NIST · MITRE D3FEND · Cyber Kill Chain

What I do on the Blue side:

  • Build and tune SIEM detection use cases (Splunk · Sentinel · QRadar)
  • Lead incident response and digital forensics investigations
  • Analyse logs, artefacts, and IOCs to reconstruct attack timelines
  • Develop threat hunting playbooks from Red Team findings
  • Harden environments based on real adversary behaviour

$ sudo run-operation --phase all

🔴 RECON [Red] → 🔵 DETECT [Blue]

RED  ──┬── OSINT gathering          [ Maltego · Shodan · theHarvester ]   T1589/T1590
       └── Network scanning         [ Nmap · Masscan · Censys ]            T1046

BLUE ──┬── Attack surface mgmt      [ Shodan Monitor · GreyNoise ]         Detect T1590
       └── Honeypot alerting        [ OpenCanary · Canarytokens ]          Detect T1046

🔴 INITIAL ACCESS [Red] → 🔵 BLOCK [Blue]

RED  ──┬── Spear phishing           [ GoPhish · EvilGinx2 ]                T1566.001/002
       └── Exploit public apps      [ Metasploit · Burp Suite ]            T1190

BLUE ──┬── Email security gateway   [ Proofpoint · M365 Defender ]         Detect T1566
       └── Patch management         [ Tenable · Qualys ]                   Detect T1190

🔴 EXECUTION [Red] → 🔵 CONTAIN [Blue]

RED  ──┬── Living-off-the-land      [ PowerShell · WMI · mshta ]           T1059/T1218
       └── Macro / script exec      [ Empire · Sliver · Cobalt Strike ]    T1059.001

BLUE ──┬── Script block logging     [ Windows Event 4104 · AMSI ]          Detect T1059
       └── Application allowlist    [ AppLocker · WDAC ]                   Detect T1218

🔴 PERSISTENCE [Red] → 🔵 HUNT [Blue]

RED  ──┬── Registry Run keys        [ Reg.exe · PowerShell ]                T1547.001
       └── Scheduled tasks          [ schtasks · Cron ]                     T1053

BLUE ──┬── Registry monitoring      [ Sysmon Event 13 · Sentinel ]          Detect T1547
       └── Task / cron auditing     [ Velociraptor · OSQuery ]              Detect T1053

🔴 PRIVILEGE ESCALATION [Red] → 🔵 HARDEN [Blue]

RED  ──┬── Token impersonation      [ Incognito · Cobalt Strike ]           T1134
       └── Kernel exploitation      [ PrintNightmare · CVE drivers ]        T1068

BLUE ──┬── Privileged access mgmt   [ CyberArk · HashiCorp Vault ]          Detect T1134
       └── EDR kernel protection    [ CrowdStrike · SentinelOne ]           Detect T1068

🔴 LATERAL MOVEMENT [Red] → 🔵 SEGMENT [Blue]

RED  ──┬── Pass-the-Hash/Ticket     [ Mimikatz · Rubeus · Impacket ]        T1550.002
       └── RDP / SMB pivoting       [ Impacket · Chisel ]                   T1021.001

BLUE ──┬── Network segmentation     [ VLAN · Firewall ACLs · Zero Trust ]   Detect T1021
       └── Credential Guard         [ Windows Credential Guard ]            Detect T1550

🔴 EXFILTRATION [Red] → 🔵 RESPOND [Blue]

RED  ──┬── C2 exfil over DNS        [ DNScat2 · Cobalt Strike ]             T1071.004/T1048
       └── Cloud storage abuse      [ rclone · aws s3 cp ]                  T1567.002

BLUE ──┬── DNS traffic analysis     [ Zeek · Umbrella · Sentinel ]          Detect T1071.004
       └── DLP + CASB               [ Purview · Netskope · ZScaler ]        Detect T1567

$ ls -la /tools/

🔴 Offensive Arsenal

| Category      | Tools                                        |
|---------------|----------------------------------------------|
| Recon         | Maltego · Shodan · theHarvester · Recon-ng   |
| Web           | Burp Suite · OWASP ZAP · SQLmap              |
| Exploitation  | Metasploit · Impacket · CrackMapExec         |
| C2 Frameworks | Cobalt Strike · Sliver · Empire              |
| AD Attacks    | Mimikatz · Rubeus · BloodHound               |
| Phishing      | GoPhish · EvilGinx2                          |

🔵 Defensive Stack

| Category     | Tools                                         |
|--------------|-----------------------------------------------|
| SIEM         | Splunk · Microsoft Sentinel · QRadar          |
| EDR          | CrowdStrike Falcon · MS Defender for Endpoint |
| Network      | Wireshark · Zeek · Snort · Suricata           |
| Threat Intel | MISP · OpenCTI · YARA                         |
| Forensics    | Velociraptor · Volatility · OSQuery           |
| VAPT         | Nessus · OpenVAS · Qualys                     |

$ cat /etc/purple-team.conf

╔══════════════════════════════════════════════════════════════════╗
║              🟣  PURPLE TEAM — WHERE I BRIDGE BOTH              ║
╠══════════════════════════════════════════════════════════════════╣
║                                                                  ║
║  Red findings    ──►  Blue detection rules                       ║
║  Attack paths    ──►  Threat hunt playbooks                      ║
║  TTP simulation  ──►  SIEM use case development                  ║
║  Evasion tests   ──►  EDR tuning and gap closure                 ║
║  MITRE ATT&CK    ──►  Control validation mapping                 ║
║                                                                  ║
║  "If Red did it and Blue didn't catch it — I fix both sides."    ║
║                                                                  ║
╚══════════════════════════════════════════════════════════════════╝

Purple Team activities I run:

  • Joint adversary simulation with detection feedback loops
  • MITRE ATT&CK coverage mapping against existing controls
  • Detection gap analysis post-Red Team engagement
  • SIEM rule tuning based on attacker evasion techniques observed in the field
  • Threat hunting from Red Team TTP playbooks

$ ls -la ./certifications/

drwxr-xr-x  OFFENSIVE
├── [CEH]    Certified Ethical Hacker                    — EC-Council
└── [CRTA]   Certified Red Team Analyst                  — TCM Security

drwxr-xr-x  DEFENSIVE
├── [SOC101] SOC Fundamentals                            — TCM Security
├── [SOC202] Intermediate SOC Analysis                   — TCM Security
├── [PWF]    Practical Windows Forensics                  — TCM Security
└── [CPPS]   Certified Phishing Prevention Specialist    — TCM Security

drwxr-xr-x  CLOUD & IT
├── [AWS]    AWS Builders Online Series                   — Amazon Web Services
└── [GITS]   Google IT Support Specialization            — Coursera / Google

$ cat /proc/languages

Python PowerShell Bash Go C C++ C# TypeScript


$ ping --platforms

| Platform         | Handle               |
|------------------|----------------------|
| 💼 LinkedIn      | faisalmehmood111     |
| 🐙 GitHub        | cipheread            |
| 📧 Email         | cipheread@gmail.com  |
| 🔐 TryHackMe     | cipheread            |
| 🏴 Hack The Box  | cipheread            |

[ 🔴 ATTACKING · 🔵 DEFENDING · 🟣 BRIDGING THE GAP ]

"Every log tells a story — I help you read between the lines."
