Retro vault-terminal defensive security triage for local logs.
This is a Fallout/Pip-Boy inspired portfolio project, but it is not a website and not a game. It is a safe blue-team terminal tool that analyzes local telemetry, ranks suspicious behavior, and exports an interview-friendly incident report.
Unofficial fan-inspired work. This project is not affiliated with Bethesda, Fallout, or Pip-Boy.
I like the feeling of old terminals, vault computers, and Pip-Boy style interfaces. VaultWatch turns that aesthetic into something useful for cybersecurity interviews:
- local-only SOC triage
- readable detection logic
- terminal dashboard output
- JSON and Markdown reporting
- tests and GitHub Actions
- no live scanning, exploitation, credential testing, or external network calls
python -m pip install -e .
vaultwatch demo --no-colorExample output:
+----------------------------------------------------------------------------------------------+
| VAULTWATCH TERMINAL :: LOCAL DEFENSIVE TRIAGE |
| EVENTS 014 | FINDINGS 08 | CRIT 1 | HIGH 3 | MED 4 |
+----------------------------------------------------------------------------------------------+
| CRITICAL 092 Successful login after repeated failures |
| overseer succeeded after 4 failed attempts within 20 minutes. |
| HIGH 084 Large outbound transfer |
| vault-101 sent 62,000,000 bytes to 203.0.113.66. |
+----------------------------------------------------------------------------------------------+
Analyze a JSONL, JSON, or CSV file:
vaultwatch scan samples/wasteland_telemetry.jsonlReturn JSON for automation:
vaultwatch scan samples/wasteland_telemetry.jsonl --format jsonWrite a Markdown report:
vaultwatch report samples/wasteland_telemetry.jsonl --output reports/vaultwatch-report.mdVaultWatch currently detects:
- repeated failed authentication attempts
- successful login after repeated failures
- privileged role or admin changes
- large outbound transfers
- suspicious DNS labels and risky-looking domains
- secret-shaped values in telemetry with masking
- beacon-like outbound timing
JSONL example:
{"timestamp":"2026-05-17T08:05:00Z","kind":"auth","actor":"overseer","host":"vault-101","action":"login","outcome":"success","src_ip":"198.51.100.44","message":"interactive session started"}Supported fields include:
timestamp, source, kind, actor, host, target, action, outcome, src_ip, dest_ip, bytes_out, process, message
src/vaultwatch/
analyzer.py orchestrates detection and summary counts
cli.py command-line interface
detectors.py defensive detection rules
io.py JSONL/JSON/CSV loading
models.py Event and Finding dataclasses
renderer.py dashboard, JSON, and Markdown rendering
samples/ demo telemetry
tests/ pytest coverage
python -m pip install -e . pytest
pytest -qThis project is designed to show both personality and engineering:
- theme: retro vault/Pip-Boy terminal energy
- cybersecurity: SOC-style log triage and defensive reporting
- code quality: package structure, typed dataclasses, testable rules
- safety: local files only, no offensive capability