blue team

A custom Wazuh rule pack and reproducible Docker lab that catches rogue MCP servers, shadow AI agent activity, and indirect prompt-injection chains on engineering endpoints. 5 decoders, 13 rules, MITRE ATT&CK mapped.

How I built an open-source Helm chart that deploys Wazuh agents with CIS, NIST 800-53, PCI-DSS, HIPAA, SOC2 compliance, MITRE ATT&CK runtime detection, admission webhook enforcement, and auto-remediation — replacing 5 tools with one deploy.

What caused historical alerts to disappear from Wazuh dashboards after migration, and the safer reindex workflow that fixed it.