Mistan Khomdram — Cybersecurity Analyst & Penetration Tester

01 — About

I'm a cybersecurity analyst focused on SOC investigations, penetration testing, malware triage, and detection engineering — connecting offensive testing with defensive visibility.

I build practical security projects, document investigations, and run a Wazuh-centered homelab. Terminal-first, lab-driven, documentation-heavy. Open to SOC analyst, security analyst, and junior penetration testing roles. Timezone: Asia/Kolkata.

  • I prefer repeatable workflows over one-off wins.
  • I document evidence, assumptions, and next actions clearly.
  • I connect offensive testing to defensive visibility.
  • I build tools that make analyst work faster, calmer, and easier to review.

02 — Skills & Tooling

Offense meets defense

/01

Offensive Security

Penetration testing, ethical hacking, vulnerability assessment, enumeration, web testing.

Kali Linux · Metasploit · Nmap · Burp Suite · Gobuster

/02

Defensive / SOC

Alert triage, incident response, threat analysis, SIEM review, detection engineering.

Wazuh · Splunk · LetsDefend · TryHackMe · Sigma

/03

Malware Analysis

Static triage, IOC extraction, macro deobfuscation, packet review, memory clues.

FlareVM · REMnux · YARA · Volatility · Ghidra

/04

Programming & Automation

Security scripts, analyst helpers, terminal-first workflows, setup automation.

Python · Bash · PowerShell · SQL · JavaScript

03 — Projects

Proof of work

01

Learning Atlas · Live

CyberPath

Cybersecurity learning paths and roadmaps for building practical skills across fundamentals, SOC, penetration testing, and security tooling. A focused companion site for practical security learning.

Learning paths · Roadmaps · Career guide

02

Cybersecurity · Maintained

Python for Cybersecurity

Hands-on Python security tooling — a network scanner, ARP-spoof MITM, backdoor, keylogger and packet sniffer — written by hand through a Coursera exploit-development course.

Python · Network security · Offensive tooling

03

Dev Tooling · Maintained

LazyChad

An NvChad-based Neovim config, packaged for the AUR and as .deb/.rpm. A bundled cross-distro installer fetches Neovim nightly, verifies it's 0.12+, and wires up every language provider for a green checkhealth.

Neovim · NvChad · Lua · Packaging

04

Infrastructure · Lab

KVM/QEMU Setup Automation

A QEMU/KVM setup tool for Arch Linux — grown from a shell installer into a Python TUI with a discover-plan-apply backend and tests, for repeatable security-lab hosts.

KVM · QEMU · Arch Linux · Python TUI

04 — Certifications

Major certifications

CEH

Certified Ethical Hacker

EC-Council · ID ECC6281540739

SEC+

CompTIA Security+

CompTIA · Active

eJPT

Junior Penetration Tester

INE Security · ID 6648635


Certifications are treated as operating vocabulary, not decoration.

CEH

Applied through attack-surface thinking, enumeration discipline, and controlled validation in lab scenarios.

Security+

Applied through risk framing, incident response fundamentals, identity concepts, and security operations language.

eJPT

Applied through practical recon, exploitation workflow, web testing, and clear post-exploitation notes.

Specializations

Google Cybersecurity Certificate

Google / Coursera · Credly badge


SOC Analyst Learning Path

LetsDefend


Python for Cybersecurity

Coursera / Infosec · ID LCLPZDCFI5NY


Google AI Specialization

Google / Coursera · ID XJCZY18ZS25N


Introduction to Information Security

edX · Verified certificate


CS50x

Harvard / CS50


Google IT Support

Google / Coursera


06 — Homelab

Wazuh detection lab

Segmented cybersecurity lab — 192.168.x.0/24 — used to simulate attacker behavior, collect endpoint telemetry, review Wazuh alerts, and document what was detected, missed, or noisy. The goal: make attacks visible enough to investigate. The lab is intentionally small and controlled, so each scenario can be repeated, compared, and improved instead of becoming a one-off demo.

What this proves
  • Operate a segmented lab instead of relying only on theory
  • Connect attacker behavior to endpoint and SIEM evidence
  • Separate useful alert signal from noisy baseline activity
  • Turn lab runs into repeatable investigation notes and improvements
01 / SIMULATE

Kali activity

Controlled scans, web tests, and exploit validation in an isolated segment.

02 / COLLECT

Endpoint telemetry

Windows and Linux agents capture logs, file changes, auth events, and host context.

03 / TRIAGE

Wazuh review

Review alerts, identify false positives, decide what evidence is useful.

04 / DOCUMENT

Investigation notes

Record what fired, what was noisy, what was missed, what needs coverage.

05 / IMPROVE

Rule tuning

Feed findings back into scenarios, watchlists, custom rules, and writeups.

SCENARIO / 01

Suspicious Login Review

Verify authentication alerts, compare normal endpoint noise, and document whether the signal is useful for triage.

SCENARIO / 02

Phishing Endpoint Check

Trace a simulated phishing path through email artifacts, endpoint signals, URL reputation, and containment actions.

SCENARIO / 03

File Integrity Drift

Change watched paths on Windows and Linux targets, validate FIM alerting, and separate drift from noise.

SCENARIO / 04

Malware Triage Drill

Extract strings, indicators, network clues, and behavioral hypotheses using FlareVM and REMnux tooling.

Attacker

Kali Linux 2024.1

Generates controlled attacker activity — scans, web probes, exploit attempts, brute-force patterns.

Metasploit · Nmap · Burp Suite · Gobuster · Nikto

SOC

Windows 10 VM

Monitored Windows target — event logs, file integrity changes, process activity, user context.

Log Source · FIM · Compliance

SOC

Fedora VM

Monitored Linux target — SSH activity, service events, package changes, filesystem drift.

Auth Logs · FIM · Hardening

Malware

FlareVM (Windows)

Windows malware triage station — strings, imports, suspicious behavior notes, initial hypotheses.

x64dbg · IDA Free · PEStudio · Ghidra

Malware

REMnux (Linux)

Linux analysis and enrichment station — network indicators, YARA tests, packet notes, memory clues.

Volatility · YARA · Wireshark · Capa

Endpoint

Windows 11

Baseline endpoint for realistic background noise — agent health, normal user activity, baseline events.

Endpoint Logs · Agent Health · Baseline

Current capabilities

  • Attack simulation against isolated Windows and Linux systems
  • Endpoint monitoring with Wazuh agents and SIEM alert review
  • File integrity monitoring and compliance-oriented checks
  • Malware triage with Windows and Linux analysis workstations
  • IOC extraction, packet review, and basic detection validation

Next improvements

  • Add Active Directory attack and detection scenarios
  • Introduce Suricata or Zeek for network detection practice
  • Write custom Wazuh rules for common attacker techniques
  • Document detection engineering and incident response writeups

Let's talk security

Open to SOC analyst, security analyst, junior pentest, and security tooling conversations.
Timezone: Asia/Kolkata · Best channel: LinkedIn or email.

  • SOC analyst & security analyst roles
  • Junior pentest & security internships
  • Detection engineering & homelab collaboration
  • Feedback on writeups, projects, or CyberPath