Tools, writing, and projects in progress. Everything runs client-side, on devices you control. Built by Rayve Malhotra.
Everything we ship is something a curious person can open and use in their browser, on real data, on their own network. No accounts. No sign-ins. No upload.
Six click-through teaching simulators that walk Dr. Ravi Mallarapu's GWU cyber-analytics pipeline, chapter by chapter — Descriptive → Diagnostic → Detective → Predictive → Prescriptive → Simulation — on a synthetic network with real CVE / ATT&CK data. Demonstration only · course material © Dr. Ravi Mallarapu / The George Washington University.
The descriptive layer — what actually exists on the network? Build an asset inventory from ARP, mDNS, SSDP, SNMP and a TCP pilot, then reason about the three things that make an inventory trustworthy: vantage point, existence vs. identity, and completeness vs. soundness — measured against a known ground-truth network.
Open in RayveNet →same-VLAN vs routed changes what you see
ARP · mDNS · SSDP SNMP · TCP pilot
a host answering ≠ knowing what it is
missed hosts vs false inventory rows
The diagnostic layer — what are these devices? Fingerprint each host through a cascade of independent evidence (OUI → banner → realm → RTSP), build a CPE, and score confidence with an honest ceiling. Four self-service tools and a difficulty-graded detective game with adversarial flips.
Open in RayveNet →OUI → Hikvision .40 realm → Hik .70 RTSP → Webs/8.13 .75
cpe:2.3:o:hikvision firmware 5.5.52
independent signals raise the ceiling
a spoofed banner breaks naive ID
A teaching simulator for Chapter 3 — Vulnerability Assessment, Correlation & Prioritization. Turn a scan into prioritized findings: NVD/CVE association, CVSS decomposition, multi-protocol default-credential probing, KEV + EPSS overlays, and an evidence ledger — all behind an ROE / RBAC safety boundary. Same network and CVEs as the official Lab 3.
Open Lab 3 →DS-2CD2143G2-I firmware 5.5.52 KEV · CVE-2021-36260
direct-auth success strongest evidence class stop on first success
+ EPSS + KEV + evidence + exposure + role + consequence
medical / Alaris pump method.not_run not method.negative
Why the lower-CVSS device is often the bigger risk. Build the attack graph, find the cheapest attacker paths (Yen's k-shortest), and score devices in context with the Breakwater Risk Score and a live SHAP-style attribution — then map findings to MITRE ATT&CK ICS and export a STIX 2.1 bundle.
Demonstration only. Synthetic network, real CVE / ATT&CK data. © Dr. Mallarapu / GWU.
Open Lab 4 →shares_credentials 0.1 exploitable_via 0.3 can_reach 1.0
0.2V + 0.2E + 0.2R + 0.15P + 0.05S − 0.2C
T0812 default creds T0836 modify param T0879 damage
attack-pattern vulnerability observed-data
The prescriptive layer — which offensive tests should we actually run, and are they safe? Turn Lab 4's attack paths into a ranked, ROE-bounded validation plan: what to test, in what order, and where the rules of engagement say stop. Interactive demo in progress.
Demo in progresscheapest paths ranked by BRS
most risk-reduction per test, first
medical / OT → no active test
ordered, bounded approver-gated
Test every fix against a digital twin before production — catch cascading failures, schedule patch waves, and prove zero-disruption against a strengthened definition. Then the real question: is the twin even trustworthy? The showpiece is a live KL / Jensen-Shannon drift lab with a Trust / Resync / Rebuild / Block verdict.
Demonstration only. Synthetic twin, real divergence math. © Dr. Mallarapu / GWU.
Open Lab 6 →Σ(conf) / devices refuse < 0.60
credential cascade .31 .32 .33 .34
flag=true ≠ safe check 8 conditions
firewall rule → JS≈0 verdict: Block
A RayveLabs original that picks up where Chapter 6 stops. Distributional drift (KL/JS) is blind to the targeted changes that actually invalidate a remediation — so this adds a structural drift detector (typed graph-edit distance + a path predicate) that catches 8/8 where KL/JS catch 2/8, plus a value-of-information rule that turns the authority checklist into a real Act / Resync / Block decision.
Open the extension →2 / 8 material changes detected
8 / 8 detected + path predicate
Act / Resync / Block min expected cost
authority = f(cost, measured error)
No setup, no keys, no install. Open data and real feeds, entirely in your browser.
An interactive network-security walkthrough. Three labs and a self-service toolkit in one place. Scan your network lab teaches discovery — vantage point, existence vs. identity, completeness vs. soundness — with a simulation against a known ground-truth network. Cascade Lab teaches device fingerprinting through four self-service tools and a difficulty-graded detective game. Web Log Lab teaches privacy-preserving request fingerprinting from raw Apache, Nginx, or Bro/Zeek access logs. Everything runs client-side.
Open RayveNet →nmap -sn 10.0.0.0/24 discovered: 14 hosts identity: ? unknown
OUI → Hikvision (0.40) realm → Hik (0.70) RTSP → Webs/8.13 (0.75)
parse → normalize SHA-256 → compare jaccard = 0.87
OUI lookup realm decoder banner analyzer category-error spotter
A public portal where anyone can actually use the open cybersecurity data — no sign-up, no API keys, no install. Paste an IP, domain, URL, hash, or CVE and the atlas checks 11 free feeds at once (URLhaus, ThreatFox, Feodo, SSLBL, Spamhaus, Tor, DShield, DataPlane, KEV, EPSS, HIBP) and stitches the answer together. Plus a CVE explorer that joins KEV + EPSS + ATT&CK in one view, and an interactive map of how the open security databases connect to each other. Daily-refreshed via GitHub Actions cron.
Companion open-data registry with 41 catalogued datasets, citations, and one-click curl commands.
Open the Atlas →known_exploited_…json
nvdcve-2.0-{year}.gz
epss_scores-current.gz enterprise-attack.json mobile-attack.json ics-attack.json
urlhaus / threatfox feodo C2 list spamhaus DROP + EDROP
CIC-IDS2017 UNSW-NB15 DARPA OpTC · LANL Auth
Open to collaboration, feedback, and research ideas — especially novel work at the intersection of network discovery, generative AI, and public-sector technology.