I maintain or contribute to multiple open source projects, the most significant of which are described below.



Leonidas is a framework for automating execution of attacker actions in the cloud. It was developed as part of my work on attack detection in cloud-native environments at WithSecure (previously F-Secure Consulting). It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into:

  • A web API exposing each test case as an individual endpoint, deployed as a serverless function into the relevant cloud provider. This is built by an automatically created CI/CD pipeline.
  • Sigma rules (https://github.com/Neo23x0/sigma) for detection
  • Documentation - see http://detectioninthe.cloud/ for an example

The architecture for a typical Leonidas deployment can be seen below. This is all deployed using the Terraform included in the repository.

Leonidas Architecture


To simplify management of my testing systems, I developed a set of Packer templates and Vagrant files to automatically build a clean and up-to-date Kali Linux virtual machine. These can be found here: https://github.com/NJonesUK/kali-packer-vagrant

As part of this, I also maintain collections of Ansible roles for installing a wide variety of tools. These can be found at: