Michael Haag

Hunt harder, hunt smarter.

I build cybersecurity tools and automation for defenders. Open source modules for threat hunting, detection engineering, and security operations.

Defense Console
ACTIVE MODULES: 32
LATEST SHIP: 2025-01-15
FOCUS: DEFENSE TOOLING
SIGNAL: STRONG
STATUS: ONLINE

Featured Modules

Production-ready tools for security operations

Active Featured Module

CRXMiner

Chrome Extension Security API - AI-powered threat detection for 10,000+ Chrome extensions. Analyze extensions for security risks, malicious behavior, and privacy concerns.

chrome-extensions security-api ai threat-detection browser-security
Quickstart
curl -H "Authorization: Bearer crx_your_api_key" "https://crx.michaelhaag.org/api/v1/extensions/{extension_id}"

Active Featured Module

MITRE ATT&CK MCP

MCP server providing AI assistants with instant access to the complete MITRE ATT&CK framework - techniques, tactics, groups, software, and mitigations.

mcp mitre-attack threat-intelligence ai detection-engineering
Quickstart
npx -y mitre-attack-mcp

Active Featured Module

Security Detections MCP

MCP server that lets AI assistants query 6,500+ security detection rules from Sigma, Splunk ESCU, and Elastic. Detection engineer harder and smarter with AI.

mcp detection-engineering sigma splunk elastic ai
Quickstart
npx -y security-detections-mcp

Active Featured Module

ClickGrab

Finding ClickFix and FakeCAPTCHA like it's 1999. Detection and hunting tools for clipboard hijacking attacks.

clickfix fakecaptcha detection hunting phishing
Quickstart
Visit https://mhaggis.github.io/ClickGrab/ or git clone https://github.com/MHaggis/ClickGrab.git

Active Featured Module

NEBULA

Interactive PowerShell framework for testing WMI, COM, LOLBAS, and persistence techniques. Built for red team testing and defense validation.

powershell red-team wmi lolbas persistence testing
Quickstart
git clone https://github.com/MHaggis/NEBULA.git && cd NEBULA && Import-Module .\NEBULA.psm1 && Invoke-NEBULA

Active Featured Module

Atomics on a Friday

Weekly YouTube show exploring atomic tests, detection engineering, and security research. Live demonstrations and deep dives into attack techniques.

youtube atomic-red-team detection education community
Quickstart
Subscribe at youtube.com/@atomicsonafriday

Capabilities

What I build and ship

Detection & Triage

Tools for threat hunting, detection engineering, and rapid incident triage.

Automation & Hardening

Scripts and utilities to automate security tasks and harden environments.

Research & Prototypes

Experimental tools and proof-of-concepts for emerging threats.

Latest Field Notes

Insights from the frontlines of defense

The Lost Payload: MSIX Resurrection

How adversaries weaponize MSIX packages for initial access, and how to detect it. Plus introducing MSIXBuilder for safe testing of detection coverage.

msix malware detection