ls ./lab

Lab.

Work in progress. Open-source contributions, research notes, experiments. Some becomes writing; some stays here.

How it all connects.

A force-directed map of the methods, areas, and concepts on this site and how they relate.

Nodes: Threat Modeling, STRIDE, PASTA, OCTAVE, Trike, Five-Zone Method, MAESTRO, OWASP ASI Top 10, Kill Chain, Attack Trees, AI Security, LLM Security, Agentic AI, ML Security, RAG, Generative AI, Prompt Injection, Jailbreak, EchoLeak, Tool Misuse, Goal Hijack, Data Poisoning, Red Teaming, Adversary Simulation, Penetration Testing, PyRIT, PromptFoo, OWASP Threat Dragon, Microsoft TMT, Application Security, Secure Code Review, Vulnerability Management, DevSecOps, Cloud Security, IoT Security, ISO 27001, Data Science (M.Tech)

Open-source & demos.

The first two are the work I'd point someone at first. The rest are smaller utilities. Useful if you need them, optional reading otherwise. Data pulled from github.com/Antak108 at build time.

Smaller utilities

TopPassList

Python

Narrows common-password corpora by length, character class, and structural criteria. Small utility with an outsized contribution to test efficiency.

Useful for tailoring credential-spray tests during purple-team exercises.

pentesting_scripts

Python

Living scratchpad of Python helpers (reconnaissance, parsing, payload generation) accumulated across engagements.

Useful as reference, not as a library. Ages slowly because the tradecraft does.

Current threads.

What I'm actively thinking about right now. Subject to change.

  1. Five-zone threat modeling for production agentic systems

    Translating the method from the STRIDE-breaks post into a runnable worksheet engineering teams can use without me in the room.

  2. Adversarial test corpora for domain-specific LLMs

    PromptFoo and PyRIT are great generic harnesses. The interesting gap is per-vertical (healthcare, finance) test sets that reflect the actual exploit space of those systems.

  3. What ML-security reviews look like when you actually read the model

    Most ML security work today stops at the model boundary: IAM, inference endpoint, training pipeline. The Data Science background says there's more to find inside the weights and data. Working on what that looks like as a practitioner workflow.
