Python catches an attacker in under 10 seconds. No human in the loop. No enterprise budget required.
A live cybersecurity pipeline that:
- Monitors an authentication log in real time
- Detects failed SSH login attempts (brute-force pattern)
- Queries AbuseIPDB to identify known malicious IPs
- Fires a formatted Slack alert with full threat details — automatically
This is the same principle behind Splunk SOAR, Microsoft Sentinel Playbooks, and Palo Alto XSOAR — built in Python for free.
| Component | Details |
|---|---|
| Host | Windows or Mac laptop |
| Hypervisor | VMware Workstation / VMware Fusion |
| Guest OS | Ubuntu 22.04 LTS |
| VM Network | NAT — shares laptop internet |
| Runtime | Python 3 virtual environment |
| APIs | AbuseIPDB (free) + Slack (free) |
```
threat-detection-demo/
│
├── README.md            # This file
├── requirements.txt     # Python dependencies (requests)
├── config.example.py    # Safe config template — copy to config.py
│
├── threat_detector.py   # Main pipeline — Terminal 1
├── simulate_attack.py   # Attack simulator — Terminal 2
├── test_slack.py        # Pre-demo Slack test
│
└── docs/
    └── architecture.md  # Component diagram and data flow
```
> **Note:** `config.py` is in `.gitignore` — your API keys are never committed to this repository.
- VMware Workstation (Windows) or VMware Fusion (Mac) installed
- Ubuntu 22.04 LTS ISO downloaded from ubuntu.com/download/server
- AbuseIPDB free account — abuseipdb.com/register
- Slack free workspace with #threat-alerts channel
- Slack Incoming Webhook URL — api.slack.com/apps
- Python 3.8+
- pip and venv
- git
- curl
- Internet access via NAT
```
VMware → New Virtual Machine
Name:    threat-demo-vm
OS:      Ubuntu 64-bit
RAM:     2048 MB minimum (4096 MB recommended)
CPU:     2 cores
Disk:    20 GB
Network: NAT
```
```
Profile:  name=Stephen | hostname=threat-demo-vm | user=ubuntu
Password: your choice
SSH:      Install OpenSSH Server = YES
```
- VMware Workstation: VM → Settings → Options → Guest Isolation → tick both clipboard options
- VMware Fusion: Virtual Machine → Settings → Isolation → Allow copy and paste
```
# After clean install:   Snapshot → clean-install
# After apt upgrade:     Snapshot → updated-clean
# After full demo setup: Snapshot → demo-ready
```
```bash
# Inside the VM terminal
git clone https://github.com/Herculis411/threat-detection-demo.git
cd threat-detection-demo
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
cp config.example.py config.py
nano config.py
```
Replace the placeholder values:
```python
ABUSEIPDB_API_KEY = 'your-real-abuseipdb-key'
SLACK_WEBHOOK_URL = 'https://hooks.slack.com/services/your/real/webhook'
LOG_FILE = '/tmp/demo_auth.log'
```
```bash
touch /tmp/demo_auth.log
python3 test_slack.py
# Expected: SUCCESS: Test alert sent — check #threat-alerts
python3 -c "
from config import ABUSEIPDB_API_KEY
import requests
r = requests.get(
    'https://api.abuseipdb.com/api/v2/check',
    headers={'Accept': 'application/json', 'Key': ABUSEIPDB_API_KEY},
    params={'ipAddress': '8.8.8.8', 'maxAgeInDays': 90}
)
print('Status:', r.status_code)
print('Score:', r.json()['data']['abuseConfidenceScore'])
"
# Expected: Status: 200 | Score: 0
```
- Open Slack #threat-alerts on your phone AND in a browser tab
- Open two terminal windows inside the VM — both in the project folder
- Increase terminal font size to 16pt — audience must read the output
```bash
cd ~/threat-demo
source venv/bin/activate
python3 threat_detector.py
```
Expected output:
```
2026-05-22 10:00:00 [INFO] Threat detector started — watching: /tmp/demo_auth.log
2026-05-22 10:00:00 [INFO] Alert threshold: 3 failed attempts
2026-05-22 10:00:00 [INFO] Waiting for suspicious activity...
```
```bash
cd ~/threat-demo
source venv/bin/activate
python3 simulate_attack.py
```
Expected output (one line per 0.8 seconds):
```
Simulating attack from: 185.220.101.42
(This IP scores 100% on AbuseIPDB)
[SIMULATOR] Attempt 1/8: Failed password for root from 185.220.101.42 port 22
[SIMULATOR] Attempt 2/8: Failed password for admin from 185.220.101.42 port 2222
[SIMULATOR] Attempt 3/8: Failed password for ubuntu from 185.220.101.42 port 22
```
Meanwhile, Terminal 1 (the detector) shows:
```
2026-05-22 10:01:05 [INFO] Failed login from 185.220.101.42 — attempt #1
2026-05-22 10:01:06 [INFO] Failed login from 185.220.101.42 — attempt #2
2026-05-22 10:01:07 [WARNING] THRESHOLD REACHED for 185.220.101.42
2026-05-22 10:01:07 [INFO] AbuseIPDB score: 100%
2026-05-22 10:01:08 [INFO] Slack alert sent — Level: CRITICAL
```
The #threat-alerts channel receives a CRITICAL alert containing:
- Attacker IP
- Threat level
- Abuse confidence score
- Country and ISP
- Total reports from AbuseIPDB
- Recommended action
```bash
# Stop detector: Ctrl+C in Terminal 1
> /tmp/demo_auth.log          # clear log
> threat_detector.log         # clear detector log
python3 threat_detector.py    # restart
python3 simulate_attack.py    # re-run attack in Terminal 2
```
If anything breaks mid-demo:
- VMware Workstation: VM → Snapshot → Snapshot Manager → demo-ready → Restore
- VMware Fusion: Virtual Machine → Snapshots → demo-ready → Restore

Full restore in under 30 seconds.
Switch from simulated to real SSH monitoring:
```python
# Edit config.py
LOG_FILE = '/var/log/auth.log'
```
```bash
# Run with elevated permissions — /var/log/auth.log is readable only by root and the adm group
sudo ~/threat-demo/venv/bin/python3 threat_detector.py
```
Any real failed SSH login on the VM will trigger the pipeline.
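The detection logic behind both the simulated run above and real `/var/log/auth.log` monitoring, as an added example that is not the project's own `threat_detector.py`: one regex parses the simulator's "Failed password for ... from ... port ..." lines and sshd's real format (which may add "invalid user"), a per-IP counter raises one alert when the threshold is reached, enrichment is a pluggable function so the block runs offline against a constructed AbuseIPDB-style response, and the result is formatted as the Slack incoming-webhook body. The score-to-level mapping (`threat_level`), the recommended-action text, the sample log lines and the `FAKE_INTEL` data are all assumptions constructed for this example; `abuseipdb_lookup` calls the same endpoint the README tests with `requests`, using only the standard library.

```python
"""Added example: demo pipeline logic (parse -> threshold -> enrich -> alert)."""
import json
import re
import urllib.request
from collections import defaultdict

ALERT_THRESHOLD = 3        # README default
ABUSEIPDB_MIN_SCORE = 25   # README default

# Matches both the simulator's lines ("Failed password for root from <ip> port 22")
# and real sshd lines in /var/log/auth.log, which may include "invalid user".
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_login(line):
    """Return {'user', 'ip', 'port'} for a failed SSH login line, else None."""
    m = FAILED_LOGIN_RE.search(line)
    if not m:
        return None
    return {"user": m["user"], "ip": m["ip"], "port": int(m["port"])}


def abuseipdb_lookup(ip, api_key, max_age_days=90):
    """Live enrichment against the endpoint the README tests (stdlib urllib)."""
    url = f"https://api.abuseipdb.com/api/v2/check?ipAddress={ip}&maxAgeInDays={max_age_days}"
    req = urllib.request.Request(url, headers={"Accept": "application/json", "Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


def threat_level(score):
    """Assumed mapping from abuse confidence score to alert level."""
    if score >= 75:
        return "CRITICAL"
    if score >= ABUSEIPDB_MIN_SCORE:
        return "HIGH"
    return "LOW"


class BruteForceDetector:
    """Counts failed logins per source IP; alerts once per IP at the threshold."""

    def __init__(self, enrich, threshold=ALERT_THRESHOLD):
        self.enrich = enrich          # callable(ip) -> AbuseIPDB-style dict
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.alerted = set()          # suppress repeat alerts for the same IP

    def feed(self, line):
        event = parse_failed_login(line)
        if event is None:
            return None
        ip = event["ip"]
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold or ip in self.alerted:
            return None
        self.alerted.add(ip)
        intel = self.enrich(ip)
        score = intel.get("abuseConfidenceScore", 0)
        return {"ip": ip, "attempts": self.failures[ip], "score": score,
                "level": threat_level(score),
                "country": intel.get("countryCode", "unknown"),
                "isp": intel.get("isp", "unknown"),
                "reports": intel.get("totalReports", 0)}


def build_slack_payload(alert):
    """Incoming-webhook body; `text` is the only field the webhook requires."""
    action = ("Block at firewall and review auth.log" if alert["level"] == "CRITICAL"
              else "Monitor source")
    text = (f":rotating_light: *{alert['level']}* brute-force from `{alert['ip']}`\n"
            f"Attempts: {alert['attempts']} | Abuse score: {alert['score']}% | "
            f"Country: {alert['country']} | ISP: {alert['isp']} | Reports: {alert['reports']}\n"
            f"Recommended action: {action}")
    return {"text": text}


# Constructed sample lines in sshd's auth.log format (not captured from a real host).
SAMPLE_LOG = [
    "May 22 10:01:05 threat-demo-vm sshd[1201]: Failed password for root from 185.220.101.42 port 22 ssh2",
    "May 22 10:01:06 threat-demo-vm sshd[1201]: Failed password for invalid user admin from 185.220.101.42 port 2222 ssh2",
    "May 22 10:01:06 threat-demo-vm sshd[1202]: Accepted publickey for ubuntu from 192.168.1.10 port 50022 ssh2",
    "May 22 10:01:07 threat-demo-vm sshd[1203]: Failed password for ubuntu from 185.220.101.42 port 22 ssh2",
    "May 22 10:01:08 threat-demo-vm sshd[1204]: Failed password for root from 185.220.101.42 port 22 ssh2",
]

# Constructed stand-in for an AbuseIPDB response so the example runs offline.
FAKE_INTEL = {"185.220.101.42": {"abuseConfidenceScore": 100, "countryCode": "DE",
                                 "isp": "Example Hosting GmbH", "totalReports": 4200}}


def fake_enrich(ip):
    return FAKE_INTEL.get(ip, {"abuseConfidenceScore": 0})


def run(lines, enrich=fake_enrich, threshold=ALERT_THRESHOLD):
    """Feed lines through the detector and return the alerts it raised."""
    det = BruteForceDetector(enrich, threshold)
    return [a for a in (det.feed(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(json.dumps(build_slack_payload(alert), indent=2))
```

Swap `fake_enrich` for `lambda ip: abuseipdb_lookup(ip, ABUSEIPDB_API_KEY)` and POST the returned payload to `SLACK_WEBHOOK_URL` to wire it to the live services; the `alerted` set is what keeps an 8-attempt burst from sending eight Slack messages.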
| Variable | Description | Source |
|---|---|---|
| ABUSEIPDB_API_KEY | Threat intel API key | abuseipdb.com/account/api |
| SLACK_WEBHOOK_URL | Slack incoming webhook | api.slack.com/apps |
| LOG_FILE | Log file to monitor | Default: /tmp/demo_auth.log |
| ALERT_THRESHOLD | Attempts before alert fires | Default: 3 (in threat_detector.py) |
| ABUSEIPDB_MIN_SCORE | Score to confirm threat | Default: 25 (in threat_detector.py) |
| Issue | Fix |
|---|---|
| Slack alert not arriving | Check SLACK_WEBHOOK_URL starts with https://hooks.slack.com/services/ |
| AbuseIPDB returns 401 | API key wrong — verify at abuseipdb.com/account/api |
| AbuseIPDB returns 429 | Rate limit — free tier 1000/day — wait or use different IP |
| ModuleNotFoundError: requests | Run: source venv/bin/activate |
| No detector output | Confirm /tmp/demo_auth.log exists: touch /tmp/demo_auth.log |
| VM has no internet | VMware network adapter must be set to NAT — not Host-only |
| Clipboard paste not working | VM Settings → Guest Isolation → enable clipboard sharing |
This demo illustrates three foundational SOAR principles:
1. Automated detection — the pipeline checks every log line, every time, without fatigue or delay. A human analyst triaging 10,000 alerts per day cannot match this consistency.
2. Threat intelligence enrichment — a raw IP address becomes rich context: geographic origin, ISP, abuse history, confidence score. Context is what turns an alert into actionable intelligence.
3. Automated response — the alert fires in under 10 seconds. An enterprise SOC team averages 28 minutes for initial detection. Automation eliminates that gap.
Mentor: Pravin Mishra (Lead) — CloudAdvisory
Programme: DevNet Automation in Cybersecurity
Join the community: https://lnkd.in/euNeyWnr
MIT — free to use, adapt, and share.