Kevin Maslanka
Cybersecurity Professional · Wisconsin

Threat Intelligence  ·  OSINT  ·  Malware RE  ·  Adversary Tradecraft  ·  Terrorism Research

Security researcher and infrastructure engineer with deep expertise in adversary tradecraft, malware reverse engineering, and threat actor intelligence. I build, operate, and defend systems under real attack — not in a lab. My infrastructure autonomously classifies, geo-attributes, and blocks nation-state and criminal actors in real time, correlating honeypot telemetry, fail2ban jails, SSH tarpit data, and global threat feeds into a unified kill chain. Over 3.4 million IPs permanently blocked. Live 24/7.

KEVSEC Platform ● LIVE
Platform Status ● OPERATIONAL · Monitoring 24 / 7 / 365 · Active Jails: 9 fail2ban jails
Live counters (IPs Blocked · Probes Caught · Threat Processing · Top Actor ASN · IPs Actively Blocked) are filled from the live threat feed and are not reproduced here.

9+ Years Hands-On Security
40+ Active Honeypot Traps
500+ Platforms Enumerated
60+ Tools & Technologies

LIVE CVE INTELLIGENCE · NIST NVD · FIRST EPSS
PLATFORM DETECTIONS — LIVE · KEVSEC ACTIVE DEFENSE
Active Defense — Live Infrastructure

Honeypot Network Status
TRAPS: 40+ · STATUS: ALL ACTIVE · BANS TODAY: (live counter) · UPTIME: 99.9%

ACTIVE TRAP PATHS ● LIVE
/global-protect/login.esp: Palo Alto PAN-OS · CVE-2024-3400
/dana-na/auth/url_default/welcome.cgi: Ivanti Connect Secure · CVE-2025-0282
/mgmt/tm/util/bash: F5 BIG-IP · CVE-2023-46747
/logon/LogonPoint/index.html: Citrix Bleed · CVE-2023-4966
/ecp/: Exchange ProxyShell · CVE-2021-34473
/setup/setupadministrator.action: Confluence · CVE-2023-22515
/human.aspx: MOVEit Transfer · CVE-2023-34362
/remote/login: Fortinet FortiGate · CVE-2022-40684
/ui/vropspluginui/rest/services/addrequest: VMware vCenter · CVE-2021-21985
/actuator/env: Spring Boot · CVE-2022-22965
/wp-admin + /wp-login.php: WordPress · credential spray
/cpanel + /whm + /2082-2083: cPanel Web Hosting Panel
/phpmyadmin + /pma: phpMyAdmin · DB exposure
/.env + /.git/config: Laravel / Git secrets probe
/api/v1/namespaces: Kubernetes API exposure
/latest/meta-data/iam/security-credentials/: AWS IMDS SSRF
/v1/sys/health: HashiCorp Vault
/jellyfin/Users/AuthenticateByName: Jellyfin API bruteforce
/zimbra/ + /v1.41/containers/json: Zimbra · Docker API exposure
+ 20 more trap paths active: gitlab · grafana · solr · jenkins · nagios...

RECENT IP BANS — LIVE (updating)
PIPELINE: honeypot → fail2ban → nftables → blocklist · every 2h
Real-Time Intelligence
Global Threat Maps
SOURCE: KASPERSKY SECURITY NETWORK — LIVE GLOBAL ATTACK VECTORS
SOURCE: RADWARE — LIVE GLOBAL DDOS & CYBER ATTACK MAP
SOURCE: BITDEFENDER THREAT INTELLIGENCE — LIVE ATTACK FEED
Live Intelligence

Observed TTPs

MITRE ATT&CK techniques actively detected by the KEVSEC platform's honeypot network and SSH tarpit. Updated from live telemetry.

T1595 · Active Scanning · Reconnaissance · HIGH FREQUENCY
Masscan/Shodan-style port sweeps hitting SSH, HTTP, and common admin ports. Detected via connection-rate analysis.
T1110.001 · Password Spraying · Initial Access · HIGH FREQUENCY
Coordinated credential spray campaigns against SSH using recovered breach dumps and vendor-default credentials.
T1190 · Exploit Public-Facing App · Initial Access · HIGH FREQUENCY
Probes targeting GlobalProtect (CVE-2024-3400), Ivanti, Citrix NetScaler, and Exchange honeypot endpoints.
T1046 · Network Service Discovery · Discovery · MED FREQUENCY
Service enumeration probes across HTTP/HTTPS, database ports, and management interfaces (3389, 5900, 8080).
T1083 · File and Directory Discovery · Collection · HIGH FREQUENCY
Automated traversal of common sensitive paths: /.env, /.git/config, /wp-config.php, /backup.zip, /admin.
T1090.003 · Multi-hop Proxy · Command & Control · ONGOING CAMPAIGN
Chinese APT operators routing via Hetzner/LeaseWeb VPS nodes. Fingerprinted via timing correlation and shared credential lists.
Source: KEVSEC honeypot telemetry · endlessh tarpit · fail2ban jails · nftables blacklist pipeline · Mapped to MITRE ATT&CK v14
About

Mission Profile

I grew up immersed in online communities, forums, and multiplayer gaming environments — spaces where social engineering, deception, and trust exploitation happen in real time. That early exposure taught me something most people learn the hard way: the biggest vulnerability in any system is the human element. It's what drew me to Open-Source Intelligence (OSINT) investigations, digital footprint analysis, and understanding how attackers weaponize publicly available information.

Today I conduct independent security research, malware reverse engineering, and dark web operations to study adversary tradecraft and threat actor behavior. My research extends into domestic and international terrorism — including radicalization pipelines, extremist network infrastructure, and ideological threat actor ecosystems studied through an intelligence-collection lens. I am trained in the FEMA/NIMS Emergency Management Framework and hold multiple FEMA certifications covering incident command, national incident management, and national response operations. I maintain a personal cybersecurity lab running Linux environments and security tooling for hands-on analysis. KEVSEC is the operational platform I built end-to-end: automated threat blocking pipelines, multi-source intelligence aggregation, live honeypot systems, and a unified dashboard that surfaces what matters in real time.

My professional background spans enterprise IT support, physical security infrastructure, and AV systems — including serving 3,000+ customers across major corporate campuses, supporting a $100M facility launch, and training end users adapting to new technology platforms. Known for translating complex technical concepts into clear, actionable guidance for non-technical stakeholders. Highly curious, investigative, and driven to solve complex technical problems. Prior member of CBRE's Rising Professional Organization and certified first responder on the Emergency Response Team.

Role: Cybersecurity Researcher
Focus: Malware Analysis / OSINT / Terrorism Research
Platform: KEVSEC SOC Lab
Environment: Linux / Proxmox / Windows
Background: IT + Physical Security
Education: BS Cybersecurity — CSU
Current Ops: Active Defense · Threat Attribution
Tools Active: Ghidra · Maltego · nftables · Wireshark
Tracking: Nation-state infra · crimeware TTPs
Status: Open to Roles
Skills

Capability Matrix

// Intelligence & Analysis
OSINT Investigations & Digital Footprint Analysis 92%
Security Research & Threat Intelligence 87%
Dark Web Operations & Adversary Tradecraft 84%
Terrorism & Extremism Research 83%
// Technical
Malware Analysis & Reverse Engineering 88%
Python Scripting & Security Automation 88%
Network Protocol Analysis & PCAP 85%
MITRE ATT&CK Framework & TTP Mapping 87%
Linux Hardening & Security Operations 86%
Active Directory & Windows Administration 80%
// Operational
Technical Documentation & Intelligence Reporting 90%
Active Defense & Deception Infrastructure 88%
Tooling

Tools & Arsenal

// OSINT & RECON
Maltego · Shodan · SpiderFoot · theHarvester · Recon-ng · OSINT Framework · Bellingcat Toolkit
// NETWORK & OFFENSE
Wireshark · Nmap · Nessus · Burp Suite · Metasploit · Aircrack-ng · tcpdump
// MALWARE RE & FORENSICS
Ghidra · x64dbg · IDA Free · Volatility · YARA · Cutter · PEStudio · Detect-It-Easy
// PLATFORM & DEV
Kali Linux · Ubuntu Server · Python · Bash · Git · Docker · Proxmox
// DEFENSE & INFRA
fail2ban · nftables · Nginx · Cloudflare · Splunk · Suricata · YARA
Expertise

Operational Domains

01 — THREAT_INTEL
Threat Intelligence
Real-time aggregation across CVE feeds, OSINT sources, and dark web telemetry. IOC correlation, threat actor profiling, and automated triage of critical disclosures. Operate a live production platform doing this 24/7.
Expert
02 — ACTIVE_DEF 🛡
Active Defense
Designed and deployed a 40+ surface deception network. Multi-layer kill chain: honeypot → fail2ban → nftables. 3.4M IPs permanently blocked. Automated ban enrichment with nation-state attribution in production.
Expert
03 — OSINT 🔍
OSINT Research
Passive reconnaissance, actor attribution, adversarial infrastructure mapping, and cross-platform identity correlation. Authored an open-source OSINT enumeration tool covering 500+ platforms.
Expert
04 — MALWARE_RE 🧬
Malware Reverse Engineering
Static and dynamic analysis using Ghidra, x64dbg, IDA, and Volatility. Unpacking loaders, extracting C2 configs, mapping execution chains to ATT&CK TTPs. Hands-on with infostealers, RATs, ransomware droppers, and APT implants.
Advanced
05 — TERROR_INTEL 🎯
Terrorism & Extremism Research
Intelligence-driven analysis of domestic and international extremist movements — radicalization pipelines, propaganda infrastructure, and ideological network attribution across the open web, social platforms, and encrypted channels.
Advanced
06 — DFIR 🔬
Digital Forensics & IR
Log analysis, host and network artifact forensics, incident reconstruction, and evidence preservation with chain-of-custody discipline. DFIR methodology applied to real incidents — not just simulated environments.
Practitioner
07 — EMERG_MGMT 🚨
Emergency Management
FEMA-certified in ICS, NIMS, and the National Response Framework. Applies incident command structure and multi-agency coordination doctrine to cybersecurity crisis response and executive communication.
Certified
08 — INFRA_ENG
Infrastructure Engineering
12+ production services on hardened Linux — Proxmox virtualization, nginx reverse proxying, nftables firewall, fail2ban, CIFS NAS, systemd management. Real infrastructure under real attack pressure, 24/7.
Expert
Experience

Mission Log

Freelance Security Engineer ● CURRENT Sep 2023 — Present
WebSec B.V.
Support senior analysts on active OSINT investigations for corporate and law-enforcement-adjacent clients. Conduct digital footprint analysis, cross-platform identity correlation, and adversarial infrastructure mapping. Produce structured investigative reports under NDA. Simultaneously operating the KEVSEC platform as an independent research environment.
OSINT · Identity Correlation · Adversary Attribution · Intelligence Reporting
Key Account Manager Sep 2019 — Feb 2021
CH Coakley
Served as system administrator for enterprise asset management software. Oversaw a 20,000-item inventory transfer between business units. Created best practices documentation adopted company-wide as a standard operating procedure.
System Admin · Enterprise Software · Process Documentation
Service Desk Analyst Mar 2019 — Aug 2019
VCPI (Healthcare IT)
Handled 25–40 daily calls across healthcare clients. Active Directory administration, user account management, and endpoint troubleshooting. Operated within strict HIPAA, OSHA, and ANSI compliance requirements.
Active Directory · HIPAA · Healthcare IT
Information Systems Technician Oct 2018 — Feb 2019
BAYCOM, Inc.
Installed and configured physical security systems including IndigoVision, Panasonic, and Motorola equipment. Deployed in high-security environments: 911 dispatch centers, evidence lockers, and courtrooms.
Physical Security · Network Deployment · Security Systems
Audio Visual Coordinator Jun 2016 — Apr 2018
CBRE Global Workplace Solutions
Served 3,000+ customers across major corporate campuses. Supported the Day One opening of a $100M facility. Created enterprise-wide preventative maintenance standards still in use. Member of CBRE's Rising Professional Organization and certified first responder on the Emergency Response Team.
Enterprise Ops · Emergency Response · $100M Facility
Projects

What I've Built

Security Platform
KEVSEC Intelligence Dashboard
Full-spectrum personal SOC: live CVE feeds, threat actor profiling, geopolitical intelligence, honeypot telemetry, Proxmox infrastructure telemetry, stock/weather/news aggregation, and 3.4M+ IP blocklist management — all in one hardened Flask application. Custom-built from scratch, running in production 24/7. No off-the-shelf SIEM. No paid feeds.
3.4M IPs managed · 10+ data feeds · zero vendor dependency
Python · Flask · nftables · Cloudflare · SQLite · Linux
OSINT Tool · Open Source
OSINT Username Enumerator
Python reconnaissance tool for cross-platform username enumeration across hundreds of platforms simultaneously. Engineered for passive footprint analysis, digital identity mapping, and threat actor attribution — used in active threat intelligence workflows.
500+ platforms · open source · used in live investigations
Python · OSINT · Async I/O · Open Source
Active Defense · Production
KEVSEC Honeypot Network
High-fidelity deception infrastructure deployed across 40+ attack surface paths targeting the most-exploited vulnerabilities of 2023–2026: Palo Alto PAN-OS GlobalProtect (CVE-2024-3400), Ivanti Connect Secure (CVE-2025-0282), F5 BIG-IP (CVE-2023-46747), Citrix Bleed, MOVEit, Exchange ProxyShell, Confluence, VMware vCenter, Fortinet FortiGate, WordPress, cPanel, phpMyAdmin, Jupyter, Kubernetes API, AWS IMDS, HashiCorp Vault, and more. Each fake panel logs the probe, fires an nftables ban, and reports to fail2ban. Events are enriched via bgp.tools + ip-api.com for state-actor attribution — catches Chinese operators routing through Western VPS space.
40+ active traps · real bans firing daily · state-actor attribution
Python · Flask · nginx · fail2ban · nftables · bgp.tools
Active Defense · Production
Automated IP Kill Chain
Multi-source threat aggregation pipeline running on cron: honeypot events → fail2ban jails (9 active, monitoring in real time) → SSH tarpit IPs → deduplicated into a TTL-indexed custom.meta.tsv → merged with external feeds (Spamhaus DROP, blocklist.de, FireHOL Level 1) → compiled into nftables sets atomically. 3.4 million IPs blocked without a single firewall rule per IP. Every morning, a Discord DM report delivers newly-banned IPs with ASN, country, and state-actor flag. A Cloudflare-aware filter prevents banning CDN proxy IPs.
3.4M+ IPs blocked · 0 per-IP firewall rules · daily Discord report
Bash · Python · nftables · fail2ban · Spamhaus · FireHOL
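The compile step of the kill chain above, as an added example (not the KEVSEC banctl code): local collector events are deduplicated per IP with a TTL, expired and malformed rows are dropped, external DROP-style feed lines are merged in, anything touching CDN space is filtered out, and the result is collapsed into an interval set that nftables loads in one atomic transaction. The TSV layout, the set name `inet filter blocklist`, and the Cloudflare range list (a placeholder to replace with the published ranges) are assumptions; all inputs are constructed samples on documentation addresses.

```python
"""Blocklist compiler (added example; not the KEVSEC banctl code).
Assumptions: local events carry (ip, source, last_seen_epoch, ttl_seconds); the
nftables set is 'inet filter blocklist' with 'flags interval'; the Cloudflare
list is a placeholder to replace with the published ranges. All inputs below
are constructed sample data (RFC 5737 documentation addresses)."""
import ipaddress
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# One-time set definition this script feeds (nft syntax, kept here for reference):
#   table inet filter { set blocklist { type ipv4_addr; flags interval; } }
#   ... chain input { ip saddr @blocklist drop }
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]  # placeholder subset

LOCAL_EVENTS = [  # constructed: what the honeypot / fail2ban / tarpit collectors emit
    ("198.51.100.10", "honeypot", 1_700_000_000, 7 * 86400),
    ("198.51.100.10", "fail2ban", 1_700_003_600, 30 * 86400),  # same IP again: longest expiry wins
    ("203.0.113.5", "tarpit", 1_700_000_000, 86400),
    ("104.16.1.1", "honeypot", 1_700_000_000, 30 * 86400),     # CDN edge address: must never be banned
    ("192.0.2.9", "honeypot", 1_600_000_000, 86400),           # TTL long expired
    ("not-an-ip", "honeypot", 1_700_000_000, 86400),           # malformed collector line
]
EXTERNAL_FEED = ["192.0.2.0/24 ; SBLtest", "; comment", "203.0.113.0/25 ; SBLtest2"]  # constructed, DROP-style


def merge_events(events: Iterable[Tuple[str, str, int, int]], now: int) -> Dict[str, Tuple[str, int]]:
    """Deduplicate per IP, keep the latest expiry, drop expired and malformed rows.
    Returns {ip: (comma-joined sources, expiry_epoch)}, i.e. the custom.meta.tsv content."""
    merged: Dict[str, Tuple[str, int]] = {}
    for ip, source, last_seen, ttl in events:
        try:
            key = str(ipaddress.ip_address(ip))
        except ValueError:
            continue                      # one bad line must not abort the whole set load
        expiry = last_seen + ttl
        if expiry <= now:
            continue
        prev = merged.get(key)
        if prev is None:
            merged[key] = (source, expiry)
        else:
            sources = ",".join(sorted(set(prev[0].split(",")) | {source}))
            merged[key] = (sources, max(prev[1], expiry))
    return merged


def write_meta_tsv(merged: Dict[str, Tuple[str, int]], path: str) -> None:
    """Persist the TTL index so the next run can expire entries without re-reading collectors."""
    with open(path, "w", encoding="utf-8") as fh:
        for ip, (sources, expiry) in sorted(merged.items()):
            fh.write(f"{ip}\t{sources}\t{expiry}\n")


def parse_feed(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Accept 'prefix ; comment' lines; ignore comments and anything that does not parse."""
    nets = []
    for line in lines:
        token = line.split(";", 1)[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue
        if net.version == 4:              # a second set would hold IPv6
            nets.append(net)
    return nets


def touches_cdn(net: ipaddress.IPv4Network) -> bool:
    return any(net.overlaps(cf) for cf in CLOUDFLARE_RANGES)


def build_elements(merged: Dict[str, Tuple[str, int]], feed_nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Union local IPs and feed prefixes, drop anything touching CDN space, and collapse to
    the minimal prefix list: an interval set absorbs millions of entries with zero per-IP rules."""
    nets = [ipaddress.ip_network(ip) for ip in merged if ipaddress.ip_address(ip).version == 4]
    nets += feed_nets
    collapsed = ipaddress.collapse_addresses([n for n in nets if not touches_cdn(n)])
    return [str(n.network_address) if n.prefixlen == 32 else str(n) for n in collapsed]


def render_nft(elements: List[str], table: str = "inet filter", set_name: str = "blocklist") -> str:
    """flush + add in one file: 'nft -f' applies it as a single transaction, so the set
    is never empty or half-loaded between the old and the new contents."""
    text = f"flush set {table} {set_name}\n"
    if elements:
        text += f"add element {table} {set_name} {{ {', '.join(elements)} }}\n"
    return text


def write_atomic(text: str, dest: str) -> None:
    """Temp file in the same directory, then rename: a reader sees the old or the whole new file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)), prefix=".blocklist.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.replace(tmp, dest)


def compile_blocklist(now: int = 1_700_010_000) -> List[str]:
    """Run the pipeline over the constructed samples and return the set elements."""
    return build_elements(merge_events(LOCAL_EVENTS, now), parse_feed(EXTERNAL_FEED))


if __name__ == "__main__":
    write_atomic(render_nft(compile_blocklist()), "blocklist.nft")   # then: nft -f blocklist.nft
```

The two atomicity points matter for a set this size: the rename keeps a half-written file from ever being loaded, and putting `flush set` and `add element` in the same `nft -f` file keeps the firewall from running with an empty set while the new elements arrive.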
Active Defense · Production
SSH Tarpit — endlessh
Port 22 serves endlessh — an SSH tarpit that sends an infinite, never-terminating SSH banner at 1 byte per 10 seconds. Scanning bots and credential stuffers connect expecting a login prompt; instead, they're locked in a read loop burning connection slots for minutes to hours. Real SSH runs on a non-standard port, invisible to mass scanners. Every trapped IP is timestamped, logged, and injected into the nftables pipeline. Eliminates noise, burns adversary resources, and feeds intelligence at zero server cost.
Thousands of bot-hours wasted · feeds nftables pipeline nightly
endlessh · systemd · nftables · SSH Protocol
Infrastructure Automation
Automated Media Pipeline
End-to-end Python orchestration layer across rtorrent, Sonarr, Radarr, Jellyfin, and a Hetzner StorageBox NAS. Label-based routing on torrent completion, CIFS transfer, symlink library management, codec-aware routing (H.264 → NAS, HEVC → local), nightly queue worker, Jellyfin library refresh, and Discord + email completion notifications — fully hands-off.
Fully hands-off · TB-scale NAS sync · multi-service orchestration
Python · Sonarr · Radarr · Jellyfin · CIFS · Discord API
Web Application
KEVSEC Story TTS Studio
Browser-based text-to-speech studio using Microsoft Edge TTS. Segments long-form text for batch synthesis, streams real-time progress via Server-Sent Events, and outputs downloadable audio — entirely CPU-bound, no GPU. 100GB cap with automatic cleanup. Built to run on aging hardware without compromise.
Web Application
KEVSEC Garden Intelligence
Hyperlocal precision agriculture dashboard for Wisconsin. Ingests real-time weather data, computes 7-day rainfall accumulation, estimates soil moisture, and generates AI-driven care schedules per plant species. Runs on the same Flask/Python data pipeline as the security dashboard — proving the architecture scales beyond its original purpose.
Web Application
KEVSEC Citation Manager
APA 7 academic citation manager purpose-built for cybersecurity and intelligence research. Auto-fetches metadata via DOI, ISBN, and URL; supports DOI CrossRef, Open Library, and web scraping fallbacks; handles group authors, BibTeX/RIS import, and Word document export. Built for rapid source management during intelligence report production.
Research Output

Intelligence Findings

Sanitized summaries of active research derived from the KEVSEC platform's live data pipeline.

TLP:WHITE
Q1 2026 · ONGOING
State Actor Attribution — Chinese APT via Western VPS Infrastructure
Detected and documented a pattern of Chinese state-affiliated operators routing attack traffic through Dutch and German VPS providers (Hetzner, LeaseWeb, Leaseweb NL) to obscure origin. Behavioral fingerprinting via honeypot credential patterns revealed coordinated timing and shared credential lists across ██ distinct source IPs. ASN attribution via bgp.tools combined with org-name keyword analysis ("Guosheng IDC", "CSTNET", CJK character detection in reverse DNS) confirmed China Telecom and Alibaba Cloud BGP space as upstream infrastructure. All identified IPs permanently flagged and injected into nftables blocklist.
APT · China · Infrastructure Obfuscation · Honeypot Attribution
TLP:WHITE
2025 · DOCUMENTED
Novel Credential Spray — Coordinated Wave Targeting VPN/Gateway Surfaces
Documented a systematic credential spray campaign targeting GlobalProtect (CVE-2024-3400), Ivanti Connect Secure (CVE-2025-0282), and Citrix NetScaler (CVE-2023-4966) honeypot endpoints. Attack waves showed coordinated timing across ██+ source IPs — consistent with Telegram-coordinated botnet tooling. Credential lists recovered from POST bodies included known breach dumps and vendor-default credentials (admin:admin, root:toor, Cisco defaults). Full behavioral timeline documented and cross-referenced against known botnet operator profiles.
Credential Spray · Botnet · VPN Exploitation · CVE-2024-3400
TLP:WHITE
18+ MONTHS · ONGOING
SSH Tarpit Intelligence — Botnet Campaign Timing & Infrastructure Reuse
18+ months of endlessh tarpit data reveals structured patterns in scanning infrastructure: botnet operators reuse the same ASN ranges across campaign cycles (typically 2–4 week intervals), credential lists evolve slowly (new entries grafted onto stable base lists), and campaign timing clusters around UTC 02:00–06:00 and 14:00–18:00 windows. Cross-correlating tarpit source IPs with honeypot access logs shows significant overlap — the same scanning infrastructure responsible for SSH probes also drives web-layer attacks. Dataset feeds directly into the nftables pipeline and is used to pre-emptively block emerging scanner infrastructure before first contact.
SSH Tarpit · Botnet Behavior · Temporal Analysis · Infrastructure Tracking
Education & Certifications

Credentials & Training

B.S. Cybersecurity
Colorado State University Global (CSU System)
Minor: Intelligence & Homeland Security
● In Progress
Criminal Justice & Political Science
University of Wisconsin — Milwaukee
2013 – 2014
FEMA Certifications — Earned
[✓] FEMA IS-100.c: Introduction to Incident Command System Earned
[✓] FEMA IS-200.c: Basic ICS for Initial Response Earned
[✓] FEMA IS-700.b: Intro to National Incident Management System Earned
[✓] FEMA IS-800.d: National Response Framework Earned
Certification Roadmap
[ ] CompTIA Network+ Planned
[ ] CompTIA Security+ Planned
[ ] CompTIA CySA+ Planned
[ ] CompTIA Linux+ Planned
[ ] Certified Ethical Hacker (CEH) Planned
[ ] CISSP Planned
[ ] OSCP — Offensive Security Planned
Value Proposition

What I Bring

Real-world, production-proven capabilities — not just certifications.

Threat Intelligence
Operate a live, self-built intelligence platform ingesting CVE feeds, geopolitical threat data, dark web alerts, and real-time honeypot telemetry. Not a consumer of commercial platforms — I built the platform. Every alert is correlated, enriched, and actionable.
🔍 OSINT · HUMINT · SIGINT
Expert-level multi-INT collection across surface, deep, and dark web. Enumerated threat actor identities, mapped criminal infrastructure, and attributed campaigns to specific actors using digital breadcrumbs most analysts miss. Authored and maintain an open-source OSINT enumeration tool actively used by the community.
🕸 Adversary Tradecraft
Firsthand command of attacker TTPs from initial access to post-exploitation — studied where adversaries actually operate. Underground forums, crimeware-as-a-service ecosystems, and nation-state lateral movement patterns aren't abstractions. They're research subjects I track daily.
🌐 Dark Web Operations
Active long-term research across Tor hidden services, illicit marketplaces, paste sites, and threat actor forums. Credential exposure detection, data leak identification, and infrastructure attribution for proactive defense — before incidents, not after.
Hands-On Infrastructure Engineering
12+ production services running on hardened Linux — not a homelab demo, real infrastructure under live attack 24/7. Designed, built, and secured every layer: nftables firewall, fail2ban jails, Cloudflare WAF integration, nginx hardening, systemd service management, and automated backup pipelines.
🧬 Malware Reverse Engineering
Actually disassembling adversary tooling — not reading vendor reports. Static and dynamic analysis with Ghidra, x64dbg, and Volatility to unpack loaders, extract C2 configurations, and map execution chains to ATT&CK TTPs. Hands-on research with infostealers, RATs, ransomware droppers, and APT implants.
🎯 Terrorism & Extremism Research
Intelligence-driven analysis of domestic and international extremist movements — radicalization pipelines, operational security failures, propaganda distribution networks, and ideological actor attribution across the open web, social platforms, and encrypted channels.
🛡 Active Defense & Deception
Designed and deployed a production deception network: 40+ honeypot surfaces mimicking CVE-targeted systems (Ivanti, Palo Alto, Citrix, F5, Exchange, Confluence) fed by OSINT on scanner behavior. Every probe auto-bans, auto-enriches, and reports. Real adversaries hit it daily — and leave with nothing but burned IPs.
Architecture

Analysis Pipeline

End-to-end threat intelligence collection, classification, and response pipeline running 24/7 on self-hosted infrastructure.

01 🕸 Ingestion
endlessh tarpit captures SSH scanner IPs · Flask honeypot logs credential spray attempts and path probes · fail2ban monitors auth logs across 9 jails · Nginx logs HTTP probes
endlessh · fail2ban · Python Flask
02 🔬 Attribution
ASN/org lookups via bgp.tools · Geo-attribution · CJK character detection in rDNS · Temporal correlation to cluster campaign activity · Credential list fingerprinting
bgp.tools · MaxMind · ipinfo.io
03 Classification
Nation-state vs criminal vs opportunistic botnet categorization · TTP mapping to MITRE ATT&CK · CVSS/EPSS enrichment from NVD · Attack vector correlation across sources
NIST NVD · FIRST EPSS · MITRE ATT&CK
04 🛡 Response
Automatic nftables injection via custom banctl · 3.4M+ permanent blocks · Weekly intel reports generated from aggregated data · Threat feed shared via platform API
nftables · Python · Flask API
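Steps 02 and 03 above (attribution, then categorization), and the attribution technique in the Q1 2026 finding, as one added example (not the KEVSEC code): ban records that already carry an ASN org string and an rDNS name are flagged by org-name keywords, by CJK characters in the rDNS (including punycode labels, which is my assumption about how a PTR record would carry them), and by shared credential-list fingerprints; the records are then bucketed by UTC hour to find the busiest campaign window. The keyword lists are the fragments the finding cites plus two hosting names, the category rules are a constructed heuristic, and every record is a constructed sample on documentation addresses.

```python
"""Attribution and classification (added example; not the KEVSEC code).
Assumptions: each ban record already carries the ASN org string and rDNS name from
an external lookup (bgp.tools / ip-api.com on the page); the keyword lists are the
fragments cited in the Q1 2026 finding plus two hosting names, not the platform's
real indicator set; the category rules are a constructed heuristic; all records
are constructed samples on RFC 5737 documentation addresses."""
import hashlib
import unicodedata
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

STATE_ORG_KEYWORDS = ("cstnet", "guosheng idc", "china telecom", "alibaba cloud")
WESTERN_VPS_KEYWORDS = ("hetzner", "leaseweb")

SAMPLE_BANS: List[Dict] = [
    {"ip": "203.0.113.10", "asn_org": "Hetzner Online GmbH", "rdns": "vps10.example.net",
     "creds": ["admin:admin", "root:toor"], "first_seen": "2026-01-14T02:12:00Z"},
    {"ip": "203.0.113.11", "asn_org": "LeaseWeb Netherlands B.V.", "rdns": "",
     "creds": ["root:toor", "admin:admin"], "first_seen": "2026-01-14T03:40:00Z"},
    {"ip": "198.51.100.7", "asn_org": "CSTNET", "rdns": "",
     "creds": ["admin:123456"], "first_seen": "2026-01-14T05:05:00Z"},
    {"ip": "198.51.100.8", "asn_org": "Example Cloud Ltd",
     # a real PTR record carries an IDN label as punycode, so the sample is built that way
     "rdns": "中文".encode("idna").decode("ascii") + ".example.net",
     "creds": [], "first_seen": "2026-01-14T14:30:00Z"},
    {"ip": "192.0.2.3", "asn_org": "Example ISP", "rdns": "pool-3.example.net",
     "creds": ["pi:raspberry"], "first_seen": "2026-01-14T22:10:00Z"},
]


def has_cjk(text: str) -> bool:
    """True if any character is CJK (Han, kana, Hangul), judged by its Unicode name."""
    for ch in text:
        name = unicodedata.name(ch, "")
        if name.startswith(("CJK UNIFIED", "CJK COMPATIBILITY", "HIRAGANA", "KATAKANA", "HANGUL")):
            return True
    return False


def rdns_has_cjk(rdns: str) -> bool:
    """Check the raw name, then decode punycode labels (xn--) and check again."""
    if has_cjk(rdns):
        return True
    if "xn--" in rdns:
        try:
            return has_cjk(rdns.encode("ascii").decode("idna"))
        except (UnicodeError, ValueError):
            return False
    return False


def credlist_fingerprint(creds: List[str]) -> str:
    """Order-independent hash, so the same list sprayed in a different order still matches."""
    return hashlib.sha256("\n".join(sorted(set(creds))).encode()).hexdigest()[:16]


def shared_credlists(records: List[Dict]) -> Dict[str, List[str]]:
    """Fingerprint -> IPs, keeping only fingerprints seen from more than one source IP."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r["creds"]:
            groups[credlist_fingerprint(r["creds"])].append(r["ip"])
    return {fp: ips for fp, ips in groups.items() if len(ips) > 1}


def classify(rec: Dict, shared_ips: Set[str]) -> Dict:
    """Constructed heuristic: state-adjacent on org keyword or CJK rDNS, coordinated-botnet
    on a shared credential list, otherwise opportunistic. Western VPS is a flag, not a verdict."""
    org = rec["asn_org"].lower()
    flags = []
    if any(k in org for k in STATE_ORG_KEYWORDS):
        flags.append("org-keyword")
    if rdns_has_cjk(rec["rdns"]):
        flags.append("cjk-rdns")
    if rec["ip"] in shared_ips:
        flags.append("shared-credlist")
    if any(k in org for k in WESTERN_VPS_KEYWORDS):
        flags.append("western-vps")
    if "org-keyword" in flags or "cjk-rdns" in flags:
        category = "state-adjacent"
    elif "shared-credlist" in flags:
        category = "coordinated-botnet"
    else:
        category = "opportunistic"
    return {"ip": rec["ip"], "category": category, "flags": flags}


def classify_all(records: List[Dict]) -> Dict[str, Dict]:
    shared = {ip for ips in shared_credlists(records).values() for ip in ips}
    return {c["ip"]: c for c in (classify(r, shared) for r in records)}


def hour_histogram(records: List[Dict]) -> Counter:
    """Hits per UTC hour of first contact."""
    return Counter(datetime.strptime(r["first_seen"], "%Y-%m-%dT%H:%M:%SZ").hour for r in records)


def busiest_window(hist: Counter, width: int = 4) -> Tuple[int, int]:
    """(start_hour, hits) of the busiest wrap-around window of `width` hours; first max wins."""
    best = (0, -1)
    for start in range(24):
        total = sum(hist.get((start + i) % 24, 0) for i in range(width))
        if total > best[1]:
            best = (start, total)
    return best
```

The Western-VPS flag is deliberately only a flag: a Hetzner or LeaseWeb origin on its own says nothing, and it is the combination with a shared credential list and a state-adjacent upstream that the finding above treats as attributable. Punycode decoding is the step most CJK checks miss, because a PTR answer never contains raw Han characters.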
Contact

Establish Contact

Response within 24 hours · All communications handled with discretion · 🔒 Available for NDA-protected engagements