Building a Home SOC from Scratch — Project AEGIS

Tags: homelab · soc · security · infosec · ai · tooling

What started as "let me see what's actually on my network" turned into a proper security engineering exercise.

Post-AtlSecCon, a conversation with a friend pointed me toward AI tooling. Claude was the recommendation. What followed was a full audit, hardening, and monitoring initiative on my home network.

The speed of implementation genuinely surprised me.

The environment: segmented multi-VLAN network behind a FortiGate, with a dedicated DMZ, media segment, and management LAN.

What I built with Claude Code:

► SIEM — Grafana + Loki + Promtail in Docker, ingesting Suricata IDS, fail2ban, FortiGate UTM, auth logs, and Windows Sysmon telemetry. Five dashboards: SSH threat activity, IDS alerts, network traffic by segment, app visibility, and Windows endpoint behaviour.

► Endpoint detection — Sysmon with the olafhartong modular config on Windows hosts, forwarded via NXLog with MITRE ATT&CK technique tagging.

► Active threat response — Documented an ongoing distributed SSH brute force campaign across multiple ASNs. Deployed fail2ban with a recidive jail (3 bans in 24h = week-long all-ports block). Hardened SSH to key-only auth globally.
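The recidive rule above (three bans of the same source inside 24 hours earn a week-long all-ports block) is simple enough to model as detection logic that a SIEM job can run over fail2ban's own log. The following is an added example, not code from the original post or from fail2ban: the sliding-window parameters mirror the jail described, the "Ban" line layout follows fail2ban's default log format, and the log lines and addresses are constructed for the example.

```python
"""Recidive-style ban escalation modelled over fail2ban log lines.

Added example, not code from the original post: it models the escalation rule
described above (three bans of the same source in 24 hours -> week-long block)
as a sliding-window detector a SIEM job could run over fail2ban's own log.
The log lines below are constructed; the "Ban" line layout follows fail2ban's
default logging format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parameters mirroring the recidive jail described in the post.
FINDTIME = timedelta(hours=24)   # window in which bans are counted
MAXRETRY = 3                     # bans within FINDTIME that trigger escalation
BANTIME = timedelta(days=7)      # length of the escalated all-ports block

# Matches fail2ban's "Ban" notices; "Unban" lines do not match because the
# pattern requires "] Ban ".
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[\w.-]+)\] Ban (?P<ip>\S+)$"
)

# Constructed sample log (documentation IP ranges, not real sources).
SAMPLE_LOG = """\
2024-01-15 09:00:00,101 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.4
2024-01-15 10:00:00,102 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-01-15 10:10:00,103 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.7
2024-01-15 11:30:00,104 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-01-15 12:00:00,105 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 192.0.2.55
2024-01-15 12:45:00,106 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
2024-01-16 10:00:00,107 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.4
2024-01-17 11:00:00,108 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.4
"""


def parse_bans(log_text):
    """Return (timestamp, jail, ip) tuples for every Ban notice, in log order."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            bans.append((ts, m.group("jail"), m.group("ip")))
    return bans


def escalate(bans, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Sliding-window escalation: ip -> (escalated_at, block_expires).

    Bans from every jail count, as fail2ban's recidive jail does, because it
    reads fail2ban.log itself rather than one service's log.
    """
    recent = defaultdict(deque)   # ip -> timestamps of bans inside the window
    escalated = {}
    for ts, _jail, ip in sorted(bans):
        window = recent[ip]
        window.append(ts)
        # Drop bans that have fallen out of the findtime window.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in escalated:
            escalated[ip] = (ts, ts + bantime)
    return escalated


if __name__ == "__main__":
    for ip, (at, until) in escalate(parse_bans(SAMPLE_LOG)).items():
        print(f"{ip}: escalated at {at}, all-ports block until {until}")
```

In the sample, 203.0.113.7 collects three bans within a few hours and is escalated at the third; 198.51.100.4 is banned three times but never three times inside one 24-hour window, which is exactly the slow, spread-out pattern a single-jail threshold misses and a longer findtime or a cross-source campaign view would catch.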

► Vulnerability management — Greenbone/OpenVAS credentialed scans across all four /24 subnets weekly. 95,000+ NVT signatures feeding a live remediation backlog.

► Firewall review — Full FortiOS policy and VIP audit. Found over-permissive NAT, stale VIP objects, and segmentation gaps. Remediated and documented the complete policy matrix.
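The three finding classes named above (over-permissive NAT, stale VIP objects, segmentation gaps) can each be expressed as a mechanical check over the policy matrix, which is what makes the review repeatable after every change. The block below is an added example, not code from the original post and not a FortiOS config parser: the VIP and policy objects are a constructed, simplified representation of what a policy export contains, and the interface names, trust ordering and "all" object semantics are assumptions for the example.

```python
"""Audit a firewall policy set for stale VIPs, over-permissive NAT and
segmentation gaps.

Added example, not code from the original post. The VIP and policy objects
below are a constructed, simplified representation of a FortiOS policy/VIP
export (policy id, interfaces, address objects, service, action). Interface
names and the trust ordering are assumptions for the example; this is not a
parser for FortiOS configuration syntax.
"""

# Constructed VIP objects: name -> (external IP, mapped internal IP).
VIPS = {
    "vip-web-443": ("203.0.113.10", "10.30.0.10"),
    "vip-media": ("203.0.113.10", "10.20.0.40"),
    "vip-old-plex": ("203.0.113.11", "10.20.0.41"),   # nothing references this
}

# Assumed trust ordering of segments, lowest to highest.
TRUST = {"wan1": 0, "vlan30-dmz": 1, "vlan20-media": 2, "vlan10-mgmt": 3}
EXTERNAL = {"wan1"}

# Constructed policies. "all"/"ALL" stand for the any-address / any-service objects.
POLICIES = [
    {"id": 1, "srcintf": "wan1", "dstintf": "vlan30-dmz", "srcaddr": "all",
     "dstaddr": "vip-web-443", "service": "HTTPS", "action": "accept"},
    {"id": 2, "srcintf": "wan1", "dstintf": "vlan20-media", "srcaddr": "all",
     "dstaddr": "vip-media", "service": "ALL", "action": "accept"},
    {"id": 3, "srcintf": "vlan30-dmz", "dstintf": "vlan10-mgmt", "srcaddr": "all",
     "dstaddr": "all", "service": "ALL", "action": "accept"},
    {"id": 4, "srcintf": "vlan30-dmz", "dstintf": "vlan10-mgmt", "srcaddr": "all",
     "dstaddr": "all", "service": "ALL", "action": "deny"},
    {"id": 5, "srcintf": "vlan20-media", "dstintf": "wan1", "srcaddr": "all",
     "dstaddr": "all", "service": "ALL", "action": "accept"},
]


def stale_vips(vips, policies):
    """VIP objects no policy references: dead NAT mappings to clean up."""
    referenced = {p["dstaddr"] for p in policies}
    return sorted(name for name in vips if name not in referenced)


def over_permissive_nat(vips, policies, external=EXTERNAL):
    """Inbound policies that expose a VIP with the any-service object."""
    return [p["id"] for p in policies
            if p["action"] == "accept" and p["srcintf"] in external
            and p["dstaddr"] in vips and p["service"] == "ALL"]


def segmentation_gaps(policies, trust=TRUST):
    """Accept policies that let a lower-trust segment reach a higher-trust
    one with any address and any service."""
    return [p["id"] for p in policies
            if p["action"] == "accept"
            and trust.get(p["srcintf"], 0) < trust.get(p["dstintf"], 0)
            and p["dstaddr"] == "all" and p["service"] == "ALL"]


def audit(vips=VIPS, policies=POLICIES):
    """Run every check and return the findings keyed by class."""
    return {
        "stale_vips": stale_vips(vips, policies),
        "over_permissive_nat": over_permissive_nat(vips, policies),
        "segmentation_gaps": segmentation_gaps(policies),
    }


if __name__ == "__main__":
    for kind, items in audit().items():
        print(f"{kind}: {items}")
```

Policy 1 is the acceptable shape (a VIP restricted to one service), policy 2 is the same exposure widened to every port, policy 3 is the DMZ-to-management hole, and policy 4 shows that a deny rule with the same match is not a finding. The trust ordering is the one assumption worth revisiting for a different network; everything else is the policy's own fields.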

► DNS visibility — Pi-hole as the network-wide resolver with full query logging into the SIEM. Identified and closed segments bypassing DNS filtering.
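Finding segments that bypass the resolver is a question the firewall traffic log can answer: any accepted flow to a DNS port whose destination is not Pi-hole is a host that is not being filtered. The block below is an added example, not code from the original post: it parses FortiGate-style key=value traffic records (real field names, constructed values), and the resolver address 10.10.0.53 standing in for Pi-hole, the interface names and the sample records are all constructed for the example.

```python
"""Find hosts that bypass the network resolver, from FortiGate traffic logs.

Added example, not code from the original post. It parses FortiGate-style
key=value traffic log records and reports accepted DNS-port flows whose
destination is not the sanctioned resolver. The records, interface names and
the resolver address (10.10.0.53, standing in for Pi-hole) are constructed.
"""
import re
from collections import Counter

# Assumed resolver address for the example; substitute the real Pi-hole IP.
RESOLVERS = {"10.10.0.53"}

# Destination ports that carry DNS: plain DNS and DNS-over-TLS.
DNS_PORTS = {53, 853}

# key=value pairs, with quoted or bare values.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records; field names follow FortiGate traffic log syntax.
SAMPLE_LOG = """\
date=2024-01-15 time=10:00:01 type="traffic" subtype="forward" srcip=10.20.0.15 srcport=51234 srcintf="vlan20-media" dstip=10.10.0.53 dstport=53 proto=17 action="accept" service="DNS"
date=2024-01-15 time=10:00:02 type="traffic" subtype="forward" srcip=10.20.0.15 srcport=51235 srcintf="vlan20-media" dstip=8.8.8.8 dstport=53 proto=17 action="accept" service="DNS"
date=2024-01-15 time=10:00:03 type="traffic" subtype="forward" srcip=10.30.0.7 srcport=44102 srcintf="vlan30-dmz" dstip=1.1.1.1 dstport=853 proto=6 action="accept" service="tcp/853"
date=2024-01-15 time=10:00:04 type="traffic" subtype="forward" srcip=10.10.0.53 srcport=39001 srcintf="vlan10-mgmt" dstip=9.9.9.9 dstport=53 proto=17 action="accept" service="DNS"
date=2024-01-15 time=10:00:05 type="traffic" subtype="forward" srcip=10.20.0.22 srcport=51300 srcintf="vlan20-media" dstip=8.8.8.8 dstport=53 proto=17 action="deny" service="DNS"
date=2024-01-15 time=10:00:06 type="traffic" subtype="forward" srcip=10.20.0.15 srcport=51301 srcintf="vlan20-media" dstip=203.0.113.80 dstport=443 proto=6 action="accept" service="HTTPS"
"""


def parse_record(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_dns_bypass(log_text, resolvers=RESOLVERS):
    """Return sorted (srcintf, srcip, dstip, dstport) tuples for accepted
    DNS-port flows that go anywhere other than the sanctioned resolver.

    Flows sourced from the resolver itself are its legitimate upstream
    queries and are skipped; denied flows are already enforced and skipped.
    """
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") != "traffic" or rec.get("action") != "accept":
            continue
        port = int(rec.get("dstport", 0))
        if port not in DNS_PORTS:
            continue
        if rec["srcip"] in resolvers or rec["dstip"] in resolvers:
            continue
        hits.add((rec["srcintf"], rec["srcip"], rec["dstip"], port))
    return sorted(hits)


def hosts_per_segment(bypasses):
    """Count distinct bypassing hosts per source interface (VLAN)."""
    seen = {(intf, ip) for intf, ip, _dst, _port in bypasses}
    return Counter(intf for intf, _ip in seen)


if __name__ == "__main__":
    hits = find_dns_bypass(SAMPLE_LOG)
    for intf, src, dst, port in hits:
        print(f"{intf}: {src} -> {dst}:{port}")
    print(dict(hosts_per_segment(hits)))
```

Port 853 is included on purpose: a host that has moved to DNS-over-TLS bypasses Pi-hole just as completely as one pointed at 8.8.8.8 on port 53, and it only shows up if the check looks at the port rather than the service label. The denied record shows the shape of the fix: once a segment's DNS is forced to the resolver at the firewall, the same log lets you confirm the bypass attempts are now being blocked.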

What turned up: active botnet brute force campaigns, stale firewall objects, EOL software on internal hosts, cleartext management interfaces on trusted segments, unknown hosts on the management LAN.

None of this is exotic. It's the same discipline as a production environment: asset inventory, segmentation enforcement, log pipeline architecture, detection tuning, continuous remediation. The tooling is all human-doable. The AI just collapsed the implementation timeline dramatically.

The network is never done.

Tools: FortiOS · Suricata · Grafana · Loki · Promtail · Greenbone/OpenVAS · fail2ban · Sysmon · NXLog · Pi-hole · Kali · Docker

Image is the prompt I use for the PERSONALITY 😉

WINTERMUTE Prompt
