Philip Zangara

SOC Analyst | Blue Team · Detection Engineering | Splunk · Suricata · MITRE ATT&CK

The Simple Series: Python Tools for Blue Team Triage

Building detection tools before landing a security job is one way to close the experience gap. The Simple series came out of that approach. Three Python CLI tools, each solving a specific triage problem, each designed to be small enough to understand completely and useful enough to run against real data.


Simple Phishing Analyzer

Phishing is still one of the most common initial access vectors, and the .eml file is the evidence. Simple Phishing Analyzer automates the first pass. It parses headers, checks SPF, DKIM, and DMARC results and their alignment with the From domain, extracts URLs for VirusTotal enrichment, hashes attachments and looks the hashes up on MalwareBazaar, and produces a weighted risk score.

The goal wasn’t to replace a full email security platform. It was to answer the question an analyst asks in the first thirty seconds: is this worth escalating? Detections are mapped to MITRE ATT&CK T1566 (Phishing), T1566.001 (Spearphishing Attachment), and T1566.002 (Spearphishing Link).
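The first pass described above, written out as an added example (this is not the project's code). The .eml is constructed for the example; the enrichment calls are left out, so the URLs and SHA-256 hashes it returns are what would be submitted to VirusTotal and MalwareBazaar; the weights, the thresholds, and the subdomain-style alignment check are this example's assumptions.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample (not real mail): SPF passes for the bounce domain, nothing
# aligns with the visible From domain, the link points elsewhere, and a tiny
# PE header stub rides along as "invoice.pdf.exe".
SAMPLE_EML = b"""Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=mailer-example.test; dkim=fail header.d=mailer-example.test; dmarc=fail header.from=bank-example.test
From: "Security Team" <alerts@bank-example.test>
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://bank-example-login.test/verify">here</a> to verify.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([\w.@-]+)", re.I)
DKIM_D_RE = re.compile(r"(?:header\.d|\bd)=([\w.-]+)", re.I)  # Authentication-Results or DKIM-Signature
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".bat", ".ps1"}
# Weights and verdict thresholds are this example's assumptions, not the project's.
WEIGHTS = {"spf_not_pass": 15, "dkim_not_pass": 15, "dmarc_not_pass": 25,
           "spf_misaligned": 10, "dkim_misaligned": 10, "external_url": 10,
           "risky_attachment": 25}

def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def is_aligned(domain: str, from_domain: str) -> bool:
    # Relaxed-style: same domain or a subdomain of the From domain (real DMARC
    # relaxed mode compares organizational domains via the public suffix list).
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain))

def auth_results(header: str) -> dict:
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for mech, result in AUTH_RE.findall(header):
        results[mech.lower()] = result.lower()
    return results

def extract_urls(msg: EmailMessage) -> list:
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls)

def hash_attachments(msg: EmailMessage) -> list:
    # SHA-256 is what MalwareBazaar or VirusTotal would then be queried with.
    return [{"name": p.get_filename() or "", "sha256": hashlib.sha256(p.get_payload(decode=True) or b"").hexdigest()}
            for p in msg.iter_attachments()]

def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    ar = str(msg.get("Authentication-Results", ""))
    from_domain = domain_of(str(msg.get("From", "")))
    auth = auth_results(ar)
    m = MAILFROM_RE.search(ar)
    spf_domain = m.group(1).rpartition("@")[2].lower() if m else domain_of(str(msg.get("Return-Path", "")))
    d = DKIM_D_RE.search(ar) or DKIM_D_RE.search(str(msg.get("DKIM-Signature", "")))
    dkim_domain = d.group(1).lower() if d else ""
    hits = []  # (weight key, evidence)
    for mech in ("spf", "dkim", "dmarc"):
        if auth[mech] != "pass":
            hits.append((f"{mech}_not_pass", f"{mech}={auth[mech]}"))
    if spf_domain and not is_aligned(spf_domain, from_domain):
        hits.append(("spf_misaligned", f"envelope {spf_domain} vs From {from_domain}"))
    if dkim_domain and not is_aligned(dkim_domain, from_domain):
        hits.append(("dkim_misaligned", f"d={dkim_domain} vs From {from_domain}"))
    urls = extract_urls(msg)
    for u in urls:
        if not is_aligned((urlparse(u).hostname or "").lower(), from_domain):
            hits.append(("external_url", u))
    attachments = hash_attachments(msg)
    for a in attachments:
        if PurePosixPath(a["name"]).suffix.lower() in RISKY_EXT:
            hits.append(("risky_attachment", a["name"]))
    score = min(100, sum(WEIGHTS[k] for k, _ in hits))
    attack = ["T1566"] + (["T1566.001"] if any(k == "risky_attachment" for k, _ in hits) else []) \
             + (["T1566.002"] if any(k == "external_url" for k, _ in hits) else [])
    verdict = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "LOW"
    return {"from_domain": from_domain, "auth": auth, "urls": urls, "attachments": attachments,
            "findings": hits, "score": score, "verdict": verdict, "attack": attack}
```

Running `analyze(SAMPLE_EML)` scores the sample 95 (HIGH): SPF passes but for a domain that does not align with the From domain, DKIM and DMARC fail, the link host is foreign, and the attachment carries an executable extension. Note that the Authentication-Results header is only trustworthy when your own MX wrote it; an attacker can prepend one, so a real tool should check the authserv-id against the receiving host.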


Simple IOC Lookup

Once you have an IOC, whether an IP, a domain, a URL, or a hash, you need context fast. Simple IOC Lookup detects the IOC type automatically and routes it to the right source. VirusTotal handles URLs, hashes, and domains. AbuseIPDB covers IPs. WHOIS pulls registration data for domains and for the host part of a URL.

Every result comes back with a MALICIOUS, SUSPICIOUS, or CLEAN verdict and the supporting context behind it. JSON output mode makes the results pipeable, so the tool can sit downstream of the log parser in a single command line.
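Type detection, routing, and verdict merging as described above, as an added example rather than the project's own code. The responses are passed in already fetched (the real tool would make the HTTP calls at that point); their shape follows the VirusTotal v3 `last_analysis_stats` object and the AbuseIPDB v2 `abuseConfidenceScore` field, but the payloads here are constructed and the verdict thresholds are assumptions. Refanging of `hxxp://` and `[.]` is added because IOCs usually arrive pasted from a report.

```python
import ipaddress
import re
from urllib.parse import urlparse

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Routing as the page describes it: VirusTotal for URLs, hashes and domains,
# AbuseIPDB for IPs, WHOIS for registration data on domains (and a URL's host).
ROUTES = {"url": ["VirusTotal", "WHOIS"], "hash": ["VirusTotal"],
          "domain": ["VirusTotal", "WHOIS"], "ip": ["AbuseIPDB"]}
RANK = {"CLEAN": 0, "SUSPICIOUS": 1, "MALICIOUS": 2}

def refang(value: str) -> str:
    """Undo the usual defanging so IOCs pasted from reports route correctly."""
    v = value.strip()
    v = re.sub(r"^hxxp(?=s?://)", "http", v, flags=re.I)
    for fanged, plain in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        v = v.replace(fanged, plain)
    return v

def classify(value: str) -> tuple:
    """Return (ioc_type, normalised_value); ioc_type is ip, hash, url, domain or unknown."""
    v = refang(value)
    try:
        return "ip", str(ipaddress.ip_address(v))  # v4 or v6
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_ALGOS:
        return "hash", v.lower()
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
        return "url", v
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return "unknown", v

def verdict_from_vt(stats: dict) -> tuple:
    # Shape of VirusTotal v3 `last_analysis_stats`; the thresholds are assumptions.
    mal, sus = stats.get("malicious", 0), stats.get("suspicious", 0)
    total = sum(stats.values())
    if mal >= 3:
        return "MALICIOUS", f"{mal}/{total} engines flag malicious"
    if mal or sus:
        return "SUSPICIOUS", f"{mal} malicious, {sus} suspicious of {total} engines"
    return "CLEAN", f"0/{total} engines flag it"

def verdict_from_abuseipdb(data: dict) -> tuple:
    # Shape of the AbuseIPDB v2 check response `data`; the thresholds are assumptions.
    score, reports = data.get("abuseConfidenceScore", 0), data.get("totalReports", 0)
    level = "MALICIOUS" if score >= 75 else "SUSPICIOUS" if score >= 25 else "CLEAN"
    return level, f"abuse confidence {score}%, {reports} reports"

def lookup(value: str, responses: dict) -> dict:
    """Classify, route, and merge verdicts; `responses` maps source -> fetched JSON.
    The worst verdict from any source wins; no data from any source is UNKNOWN."""
    ioc_type, ioc = classify(value)
    sources = ROUTES.get(ioc_type, [])
    verdict, context, answered = "CLEAN", [], 0
    for source in sources:
        data = responses.get(source)
        if data is None:
            context.append(f"{source}: no data")
            continue
        answered += 1
        if source == "VirusTotal":
            v, why = verdict_from_vt(data.get("last_analysis_stats", {}))
        elif source == "AbuseIPDB":
            v, why = verdict_from_abuseipdb(data)
        else:  # WHOIS adds context (registrar, creation date) but carries no verdict
            v, why = "CLEAN", f"registrar {data.get('registrar', '?')}, created {data.get('creation_date', '?')}"
        context.append(f"{source}: {why}")
        if RANK[v] > RANK[verdict]:
            verdict = v
    if not answered:
        verdict = "UNKNOWN"
    return {"ioc": ioc, "type": ioc_type, "sources": sources, "verdict": verdict, "context": context}
```

The UNKNOWN case matters in practice: a lookup that gets no data back should not be reported as CLEAN, or the absence of a VirusTotal record for a freshly registered domain reads as reassurance.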


Simple Log Parser

Logs are where the story lives. Simple Log Parser automatically detects and parses Windows Event XML, Linux auth.log, and Apache access logs, then extracts IOCs from each one using pandas for efficient processing.

The JSON output mode is where it gets really useful. Pipe the extracted IPs directly into Simple IOC Lookup for enrichment in a single command. Parse the log, extract the IOCs, enrich them. That’s the triage pipeline these tools were built to support.
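The parse, extract, enrich pipeline above, as an added example that is not the project's code. It uses only the standard library where the project uses pandas, the three log samples are constructed, and the JSON it emits is the document a downstream lookup would read from stdin. One caveat a practitioner hits immediately: `ipaddress.is_global` is the obvious filter for "worth enriching", but it also rejects the RFC 5737 documentation ranges used in samples like these, so the example filters an explicit list of internal networks instead.

```python
import ipaddress
import json
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed samples (not real logs), one per format the parser recognises.
WIN_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>DC01.lab.test</Computer></System>
  <EventData><Data Name="TargetUserName">administrator</Data><Data Name="IpAddress">203.0.113.9</Data><Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>DC01.lab.test</Computer></System>
  <EventData><Data Name="TargetUserName">backup</Data><Data Name="IpAddress">203.0.113.9</Data><Data Name="LogonType">3</Data></EventData>
</Event>
</Events>"""
AUTH_LOG = """Jan 10 12:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 10 12:00:03 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jan 10 12:01:10 web01 sshd[1210]: Accepted publickey for deploy from 10.0.0.4 port 40000 ssh2
"""
APACHE_LOG = """203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 208 "-" "python-requests/2.31"
"""

WIN_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
AUTH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Ranges not worth enriching. ipaddress.is_global is deliberately not used: it also
# rejects the RFC 5737 documentation ranges (203.0.113.0/24 ...) these samples use.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
             "::1/128", "fc00::/7", "fe80::/10")]

def detect_format(text: str) -> str:
    head = text.lstrip()
    if head.startswith("<") and "<Event" in head:
        return "windows_xml"
    first = next((ln for ln in text.splitlines() if ln.strip()), "")
    if APACHE_RE.match(first):
        return "apache_access"
    if AUTH_RE.match(first):
        return "auth_log"
    return "unknown"

def parse_windows_xml(text: str) -> list:
    records = []
    for ev in ET.fromstring(text).iter(f"{WIN_NS}Event"):
        data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{WIN_NS}Data")}
        records.append({"event_id": ev.findtext(f"{WIN_NS}System/{WIN_NS}EventID"),
                        "computer": ev.findtext(f"{WIN_NS}System/{WIN_NS}Computer"),
                        "user": data.get("TargetUserName"), "ip": data.get("IpAddress")})
    return records

def parse_auth_log(text: str) -> list:
    records = []
    for ln in text.splitlines():
        m = AUTH_RE.match(ln)
        if not m:
            continue
        rec = m.groupdict()
        ssh, ip = SSH_RE.search(rec["msg"]), IPV4_RE.search(rec["msg"])
        rec.update({"outcome": ssh.group("outcome") if ssh else None,
                    "user": ssh.group("user") if ssh else None,
                    "ip": ip.group(0) if ip else None})
        records.append(rec)
    return records

def parse_apache(text: str) -> list:
    return [m.groupdict() for m in map(APACHE_RE.match, text.splitlines()) if m]

PARSERS = {"windows_xml": parse_windows_xml, "auth_log": parse_auth_log, "apache_access": parse_apache}

def extract_iocs(records: list) -> list:
    counts = Counter()
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec.get("ip") or "")
        except ValueError:  # "-", None, or anything that is not an address
            continue
        counts[str(addr)] += 1
    return [{"type": "ip", "value": ip, "count": n,
             "internal": any(ipaddress.ip_address(ip) in net for net in INTERNAL)}
            for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]

def triage(text: str) -> str:
    """Parse -> extract -> JSON: the document that gets piped to the lookup tool."""
    fmt = detect_format(text)
    records = PARSERS[fmt](text) if fmt in PARSERS else []
    return json.dumps({"format": fmt, "record_count": len(records), "iocs": extract_iocs(records)})

def lookup_targets(json_text: str) -> list:
    """What the downstream lookup reads from stdin: external IPs only, already deduplicated."""
    doc = json.loads(json_text)
    return [i["value"] for i in doc["iocs"] if i["type"] == "ip" and not i["internal"]]
```

Deduplicating and counting before the hand-off is not cosmetic: a brute-force run produces thousands of lines from one address, and every duplicate sent downstream is a wasted API query against a rate-limited key.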


All three tools are published on GitHub, type-checked with mypy, unit tested, and documented with sample logs. They run against real data from my home lab, the same infrastructure I use to validate detections and tune rules.

https://github.com/philipzangara/simple-phishing-analyzer

https://github.com/philipzangara/simple-ioc-lookup

https://github.com/philipzangara/simple-log-parser