Security & Intelligence Research

Research

This section collects my security research, dark-web intelligence work, and lab-based technical studies — structured research into how anonymity infrastructure and hidden-service ecosystems behave, and the collection and analysis workflows that make that research reproducible.

Objectives

Research questions

The study is organized around a small set of questions about how the I2P hidden-service ecosystem is structured and how it can be observed responsibly.

  • How can hidden services on the I2P network be discovered and enumerated at scale using only application-layer and network-layer observations?
  • What does connectivity between hidden services and the underlying routing infrastructure look like when the two layers are fused into a single graph?
  • How is the darknet hidden-service ecosystem structured, and how does that structure change over time?
  • What collection-and-analysis workflow makes this kind of darknet measurement reproducible and defensible?

Methodology

Collection & analysis approach

At a high level, the framework fuses two layers of observation — network-layer routing data and application-layer hidden-service ("eepsite") crawls — into a single directed graph for analysis.

Collection

Application-layer crawling of I2P hidden services via the I2P HTTP proxy, with structured storage in MariaDB.

Tooling

Python collection and processing pipelines built for repeatable, scriptable runs.

Analysis

Graph-based relationship analysis to characterize connectivity and infrastructure structure.

Methodology is described at the level appropriate for a public research summary; sensitive operational specifics are intentionally omitted.

Outputs

Research outputs

  • Doctoral dissertation research (In Progress)
  • Technical research notes — published as the work matures
  • Future conference / journal papers (Planned)
  • Related lab artifacts — see Security Lab Artifacts below

See the Publications page for the formal record.

Lab

Security lab artifacts

Technical environments and lab build-outs that support hands-on research and skills development.

Security Lab Infrastructure / Malware Analysis Lab Environment

Building a Malware Reversing Lab on Proxmox

Security lab infrastructure for static and dynamic malware analysis, built on Proxmox alongside a detection-engineering stack feeding Elastic SIEM. Documented as a malware-analysis lab environment — not a CTI report or investigation.

Activity

Current research activity

  • I2P Hidden Service Ecosystem Analysis (In Progress) — PhD research focused on hidden-service discovery, application-layer crawling, infrastructure mapping, graph-based relationship analysis, and reproducible collection workflows within the I2P anonymity network.
  • KC7 Cyber Investigation Portfolio (In Progress) — Building a public portfolio of scenario-based cyber threat investigations using KC7 Cyber materials, with emphasis on evidence analysis, KQL queries, IOC pivoting, ATT&CK mapping, and structured reporting.
  • Practical Detection Engineering (In Progress) — Studying detection engineering concepts and workflows. This capability is still being developed and will only be published as rules, detections, or validation reports once the work is complete and defensible.
  • Cyber Threat Intelligence Research & Writing (In Progress) — Developing public-facing investigation reports, research notes, and technical articles that document analytical reasoning, evidence collection, and security research.
  • Cyber Threat Intelligence Lab (In Progress) — Rebuilding the website as a long-term CTI Lab that connects investigations, research, publications, lab artifacts, and future detection engineering work into a single evidence-based professional identity.

Direction

Future research directions

Where the lab is headed as the work matures.

Dark-web infrastructure analysis

Extending ecosystem mapping to characterize darknet infrastructure at scale.

Threat-informed detection engineering

Translating observed tradecraft into detections — once the detection-engineering capability is established.

AI-enabled threat analysis

Applying machine learning to security measurement and triage.

Intelligence collection methodology

Reproducible, defensible collection workflows for hard-to-observe networks.

Security measurement research

Empirical measurement of security-relevant network ecosystems.