RayveLabs
10.0.0.0/24 SHA-256 a3f9c2… OUI 00:11:32 ▸ Synology ssdp:discover RTSP/1.0 401 192.168.1.1 WWW-Authenticate nmap -sS existence ≠ identity tcp/443 open Hikvision-Webs/8.13 jaccard = 0.87
Open research · Cybersecurity

A small open research practice in cybersecurity, generative AI, network discovery, cryptography, and public-sector technology.

Tools, writing, and projects in progress. Everything runs client-side, on devices you control. Built by Rayve Malhotra.

Rayve Malhotra
lat 38.8951°N · lon 77.0364°W
Rayve Malhotra
Researcher · CTO · Inventor
Scroll

Hands-on tools, not slide decks.

Everything we ship is something a curious person can open and use in their browser, on real data, on their own network. No accounts. No sign-ins. No upload.

The cyber-analytics pipeline, Labs 1 → 6

Six click-through teaching simulators that walk Dr. Ravi Mallarapu's GWU cyber-analytics pipeline, chapter by chapter — Descriptive → Diagnostic → Detective → Predictive → Prescriptive → Simulation — on a synthetic network with real CVE / ATT&CK data. Demonstration only · course material © Dr. Ravi Mallarapu / The George Washington University.

Lab 1 — Network Discovery
In RayveNet

The descriptive layer — what actually exists on the network? Build an asset inventory from ARP, mDNS, SSDP, SNMP and a TCP pilot, then reason about the three things that make an inventory trustworthy: vantage point, existence vs. identity, and completeness vs. soundness — measured against a known ground-truth network.

Ch 1 Descriptive Asset inventory Ground-truth In RayveNet
Open in RayveNet
Vantage
where you scan from
same-VLAN vs routed
changes what you see
Evidence
5 discovery methods
ARP · mDNS · SSDP
SNMP · TCP pilot
Identity
existence ≠ identity
a host answering ≠
knowing what it is
Quality
complete vs sound
missed hosts vs
false inventory rows
Lab 2 — Service Enrichment & Fingerprinting
In RayveNet

The diagnostic layer — what are these devices? Fingerprint each host through a cascade of independent evidence (OUI → banner → realm → RTSP), build a CPE, and score confidence with an honest ceiling. Four self-service tools and a difficulty-graded detective game with adversarial flips.

Ch 2 Diagnostic OUI / banner / realm CPE builder In RayveNet
Open in RayveNet
Cascade
stacked evidence
OUI   → Hikvision .40
realm → Hik      .70
RTSP  → Webs/8.13 .75
CPE
structured identity
cpe:2.3:o:hikvision
firmware 5.5.52
Confidence
honest ceiling
independent signals
raise the ceiling
Adversary
flip cards
a spoofed banner
breaks naive ID
Lab 3 — Vulnerability Assessment
Live

A teaching simulator for Chapter 3 — Vulnerability Assessment, Correlation & Prioritization. Turn a scan into prioritized findings: NVD/CVE association, CVSS decomposition, multi-protocol default-credential probing, KEV + EPSS overlays, and an evidence ledger — all behind an ROE / RBAC safety boundary. Same network and CVEs as the official Lab 3.

Ch 3 25 features Evidence ledger KEV + EPSS ROE / RBAC
Open Lab 3
Asset
172.30.0.10 · Hikvision
DS-2CD2143G2-I
firmware 5.5.52
KEV · CVE-2021-36260
Evidence
admin:12345 → HTTP 200
direct-auth success
strongest evidence class
stop on first success
Priority
severity + 5 inputs
+ EPSS + KEV
+ evidence + exposure
+ role + consequence
Safety
ROE-blocked: 172.30.0.40
medical / Alaris pump
method.not_run
not method.negative
Lab 4 — Attack Graph & Risk Scoring
Live

Why the lower-CVSS device is often the bigger risk. Build the attack graph, find the cheapest attacker paths (Yen's k-shortest), and score devices in context with the Breakwater Risk Score and a live SHAP-style attribution — then map findings to MITRE ATT&CK ICS and export a STIX 2.1 bundle.

Demonstration only. Synthetic network, real CVE / ATT&CK data. © Dr. Mallarapu / GWU.

Ch 4 Attack paths BRS + SHAP MITRE ICS STIX export
Open Lab 4
Graph
5 node · 8 edge types
shares_credentials 0.1
exploitable_via    0.3
can_reach          1.0
BRS
context > CVSS
0.2V + 0.2E + 0.2R
+ 0.15P + 0.05S − 0.2C
MITRE
ATT&CK ICS
T0812 default creds
T0836 modify param
T0879 damage
Export
STIX 2.1 bundle
attack-pattern
vulnerability
observed-data
Lab 5 — Offensive Validation
In progress

The prescriptive layer — which offensive tests should we actually run, and are they safe? Turn Lab 4's attack paths into a ranked, ROE-bounded validation plan: what to test, in what order, and where the rules of engagement say stop. Interactive demo in progress.

Ch 5 Prescriptive Validation plan ROE-bounded In progress
Demo in progress
Input
Lab 4 attack paths
cheapest paths
ranked by BRS
Plan
what to test first
most risk-reduction
per test, first
Safety
ROE boundary
medical / OT →
no active test
Output
validation runbook
ordered, bounded
approver-gated
Lab 6 — Digital Twin & Remediation
Live

Test every fix against a digital twin before production — catch cascading failures, schedule patch waves, and prove zero-disruption against a strengthened definition. Then the real question: is the twin even trustworthy? The showpiece is a live KL / Jensen-Shannon drift lab with a Trust / Resync / Rebuild / Block verdict.

Demonstration only. Synthetic twin, real divergence math. © Dr. Mallarapu / GWU.

Ch 6 Twin fidelity Cascades Twin Authority KL / JS drift
Open Lab 6
Twin
profile fidelity
Σ(conf) / devices
refuse < 0.60
Cascade
rotate MQTT cred
credential cascade
.31 .32 .33 .34
Zero-disrupt
8-point claim
flag=true ≠ safe
check 8 conditions
Drift
KL / JS divergence
firewall rule → JS≈0
verdict: Block
Beyond Twin Authority
Research

A RayveLabs original that picks up where Chapter 6 stops. Distributional drift (KL/JS) is blind to the targeted changes that actually invalidate a remediation — so this adds a structural drift detector (typed graph-edit distance + a path predicate) that catches 8/8 where KL/JS catch 2/8, plus a value-of-information rule that turns the authority checklist into a real Act / Resync / Block decision.

Original research Graph-edit distance Value of information Per-decision validity
Open the extension
Gap
KL / JS detection
2 / 8 material
changes detected
Detector
structural diff
8 / 8 detected
+ path predicate
Decision
value of information
Act / Resync / Block
min expected cost
Result
per-decision validity
authority = f(cost,
measured error)

Use it now — paste something in, get an answer

No setup, no keys, no install. Open data and real feeds, entirely in your browser.

RayveNet
Live

An interactive network-security walkthrough. Three labs and a self-service toolkit in one place. Scan your network lab teaches discovery — vantage point, existence vs. identity, completeness vs. soundness — with a simulation against a known ground-truth network. Cascade Lab teaches device fingerprinting through four self-service tools and a difficulty-graded detective game. Web Log Lab teaches privacy-preserving request fingerprinting from raw Apache, Nginx, or Bro/Zeek access logs. Everything runs client-side.

Discovery Fingerprinting Logs Client-side No upload
Open RayveNet
Lab 01
Scan your network
nmap -sn 10.0.0.0/24
discovered: 14 hosts
identity:   ? unknown
Lab 02
Cascade Lab
OUI    → Hikvision (0.40)
realm  → Hik (0.70)
RTSP   → Webs/8.13 (0.75)
Lab 03
Web Log Lab
parse  → normalize
SHA-256 → compare
jaccard = 0.87
Toolkit
4 self-service tools
OUI lookup
realm decoder
banner analyzer
category-error spotter
Open Cyber Atlas
Live

A public portal where anyone can actually use the open cybersecurity data — no sign-up, no API keys, no install. Paste an IP, domain, URL, hash, or CVE and the atlas checks 11 free feeds at once (URLhaus, ThreatFox, Feodo, SSLBL, Spamhaus, Tor, DShield, DataPlane, KEV, EPSS, HIBP) and stitches the answer together. Plus a CVE explorer that joins KEV + EPSS + ATT&CK in one view, and an interactive map of how the open security databases connect to each other. Daily-refreshed via GitHub Actions cron.

Companion open-data registry with 41 catalogued datasets, citations, and one-click curl commands.

IoC lookup CVE explorer Connections map Daily refresh No sign-up
Open the Atlas
Vulnerabilities
CISA KEV · NVD · EPSS
known_exploited_…json
nvdcve-2.0-{year}.gz
epss_scores-current.gz
MITRE
ATT&CK · CAPEC · CWE · D3FEND
enterprise-attack.json
mobile-attack.json
ics-attack.json
Threat intel
abuse.ch · Spamhaus · Tor
urlhaus / threatfox
feodo C2 list
spamhaus DROP + EDROP
Datasets
CIC-IDS · UNSW · DARPA
CIC-IDS2017
UNSW-NB15
DARPA OpTC · LANL Auth
Rayve Malhotra (currently cooking)
Cybersecurity Researcher · Technology & Security Executive · Inventor · Musician

Open to collaboration, feedback, and research ideas — especially novel work at the intersection of network discovery, generative AI, and public-sector technology.

What I'm thinking about
  • Privacy-preserving fingerprinting for asset inventory
  • Generative AI as a discovery aid, not a black box
  • Practical cryptography for the people who actually deploy it
  • Public-sector technology that respects the public