Security Playbooks is an open-source, educational repository designed for cybersecurity professionals.
It focuses on delivering realistic, MITRE ATT&CK–aligned attack scenarios, detection engineering content, and hands-on labs to help users build practical skills in threat hunting, incident response, and adversary simulation within controlled environments.
The project aims to bridge the gap between theoretical knowledge and real-world security operations by providing structured, reproducible, and practical cybersecurity workflows.
Security Playbooks supports a range of practical cybersecurity workflows and real-world scenarios:
- Alert Investigation & Triage – Analyze and validate alerts generated by SIEM and EDR platforms
- Threat Hunting Operations – Execute structured hunts based on known tactics, techniques, and procedures (TTPs)
- Detection Engineering & Validation – Develop, test, and refine detection logic against simulated threats
- Incident Response Simulation – Follow structured procedures to investigate and respond to security incidents
- Adversary Emulation (Lab Only) – Reproduce attacker techniques to validate defensive capabilities
- Training & Skill Development – Strengthen technical skills through hands-on, scenario-based exercises
This Security Playbooks repository is intended strictly for educational, research, and authorized security testing purposes only.
Unauthorized use of this software, including deployment against systems without explicit permission, is strictly prohibited.
Users are solely responsible for ensuring their activities comply with all applicable laws and regulations.
The maintainers assume no liability for misuse or any damages resulting from the use of this project.
The contents of this repository, including scripts, scenarios, and detection rules, are provided for educational, research purposes only. No responsibility for any damage, misuse, or legal consequences resulting from the use of this material.
This software is provided “as is” without warranty of any kind, express or implied.
Security Playbooks is intended for cybersecurity professionals who want to practice, analyze, and understand real-world cyber threats in a structured and controlled environment.
- SOC Analysts – Perform alert triage, log analysis, and incident investigation
- Threat Hunters – Conduct hypothesis-driven hunts and analyze adversary behavior
- Blue Team Engineers – Build, test, and optimize detection rules (Sigma, YARA, Suricata)
- Cybersecurity Professionals – Gain hands-on experience and develop practical expertise
- Red Teamers (Lab Use Only) – Emulate adversary techniques in controlled, isolated environments
- Detection Rules – Ready-to-use Sigma, YARA, and Suricata rules for threat detection
- Attack Scenarios – MITRE ATT&CK–based simulations (phishing, malware, lateral movement)
- Hands-on Labs – Practical exercises with PoC scripts for controlled environments
- Log Analysis Examples – Sample logs, outputs, and visual artifacts
- Documentation & Tools – Quick Start guides, architecture docs, and helper scripts
python demo/ioc_detection_demo.py[INFO] Generating simulated network logs...
[INFO] Running detection pipeline...
========== ALERT ==========
Title : Malicious IOC Communication Detected
Severity : HIGH
Hostname : WIN10-LAB
DestinationIP : 45.133.1.10
Domain : 1.example-domains.com
Technique : T1071
ATT&CK : Application Layer Protocol
[SOAR] IOC Enrichment Started
[THREAT INTEL] Reputation Score: MALICIOUS
[THREAT INTEL] Confidence: HIGH
[SOAR] Host isolation queued: WIN10-LAB
[SLACK] Alert notification sent for WIN10-LAB
\security-playbooks\> python demo/ioc_detection_demo.py
[INFO] Generating simulated network logs...
[INFO] Running detection pipeline...
========== ALERT ==========
Title : Malicious IOC Communication Detected
Severity : HIGH
Hostname : WIN10-LAB
DestinationIP : 185.220.101.45
Domain : 2.example-domains.net
Technique : T1071
ATT&CK : Application Layer Protocol
[SOAR] IOC Enrichment Started
[THREAT INTEL] Reputation Score: MALICIOUS
[THREAT INTEL] Confidence: HIGH
[SOAR] Host isolation queued: WIN10-LAB
[SLACK] Alert notification sent for WIN10-LAB
Note
This IP/hostname is an example target.
- Linux (primary, recommended)
- Windows (WSL2 recommended)
- macOS (Docker or native Python supported)
- Python 3.11+
- Docker
- YAML-based configuration system
- JSON data structures
- Sigma, YARA, Suricata, KQL rule formats
- Bash / Make (for automation)
# Clone repository
git clone https://github.com/secwexen/security-playbooks.git
cd security-playbooks
# Create virtual environment
python -m venv venv
source venv/bin/activate # Linux/Mac
venv\Scripts\activate # Windows
# Install dependencies
pip install -r requirements.txt
# Install dev dependencies
pip install -r dev-requirements.txtFor full details, refer to the Quick Start file.
Copyright © 2026 secwexen.
This project is licensed under the MIT License.
See the LICENSE file for full details.
Contributions and suggestions are welcome!
- Fork the repository and create a feature or fix branch (e.g.
feature/your-feature,fix/bug-name,docs/update-readme,chore/dependency-update). - Make your changes and add relevant tests.
- Use clear commit messages (e.g. Conventional Commits: feat:, fix:, docs:, refactor:).
- Ensure all tests pass (
pytest) and code style checks (e.g.make lint). - Open a pull request referencing related issues/discussion when possible.
- All PRs must pass CI checks before merging.
Please open an issue before submitting major changes or new features.
See CONTRIBUTING for detailed contribution guidelines.
This document outlines the planned development path for the Security Playbooks repository, including short‑term improvements, medium‑term expansions, and long‑term strategic goals.
Planned improvements include:
- expanded ATT&CK-mapped playbooks and lab scenarios
- enhanced and validated detection rules (Sigma, YARA, Suricata)
- structured SOC workflows with SOAR-ready automation
- standardized, machine-readable playbook formats
- alignment with security frameworks (NIST, CIS, ISO)
For the full roadmap and upcoming features, see ROADMAP.
This project is under active development.
For guidance on safe usage and reporting vulnerabilities, see SECURITY.