Tools, scripts, and research PoCs for Purple Team, Red Team, AI Security, Forensic, and Cloud security. Authorized use only.
Security Research Labs is the official Guardz repo for open-source security tooling: config analyzers, Microsoft 365 / Entra recon scripts, purple-team detection emulations, and AI skill security. MIT-licensed; each tool lives in a dedicated folder with its own README.
- EntraReaper. Autonomous red-team platform for Microsoft Entra ID. MCP server that wraps 238 AADInternals cmdlets into 65 purpose-built tools across 12 MITRE ATT&CK phases, with 13 kill chains, OPSEC governance, evasion engine, and auto-reporting.
- SkillScan. Scan AI skill files for malicious patterns. Detects prompt injection, malware delivery, code execution, suspicious URLs, and obfuscated content in AI skill definitions — local files or URLs. Ships with CLI, local server, and browser UI.
- OpenClaw Analyzer. Security configuration analyzer for OpenClaw deployments. Single-file web app with a 68-point checklist, risk detection, and attack-path visualization. No server required — open the HTML in a browser.
- GraphRunner QuickStart. Cookbook for dafthack/GraphRunner. One-file quick reference and runnable command set: auth, tenant recon, Conditional Access enumeration, mailbox / SharePoint / Teams search, and token utilities.
See repository layout for the full catalog.
Clone and pick a tool — every folder ships with its own README.
```bash
git clone https://github.com/guardzcom/security-research-labs.git
cd security-research-labs
```
Try SkillScan in 30 seconds — no tenant, no auth, no cloud required:
```bash
cd AI-Cloud-Tools/AI/skillscan
python3 skillscan.py scan file path/to/skill.md
# or scan a whole folder
python3 skillscan.py scan dir ./skills/ --pattern "*.md"
# or a URL
python3 skillscan.py scan url https://example.com/skill
```
Try OpenClaw Analyzer in 10 seconds — zero install:
```bash
open AI-Cloud-Tools/AI/OpenClaw-Analyzer/openclaw-security-analyzer/openclaw-analyzer.html
```
Run EntraReaper against a tenant you own / are authorized to test:
```bash
cd AI-Cloud-Tools/M365-Tools/EntraReaper
bash install.sh          # installs PowerShell 7, AADInternals, uv
uv run python server.py  # standalone
# or wire it into Claude Code as an MCP server:
claude mcp add entrareaper -- uv run --directory "$PWD" python server.py
```
Authorized use only. Run these tools only against systems and tenants you own or have explicit permission to test. See Security model.
| Folder | Contents |
|---|---|
| AI-Cloud-Tools/ | AI: OpenClaw Analyzer, SkillScan. M365-Tools: OAuth IOCs checker, EntraReaper (MCP + AADInternals for authorized Entra ID red team). |
| Purple-Team-Emulation/ | Endpoint: certutil, EDR telemetry simulator, Office macro tampering, BloodHound emulation, Nmap scanning emulation. |
| CloudAdversary/M365/ | DeviceStrike, Entra ID Smart Lockout (Entra-ID-DOS), SPO Ext Recon, GraphRunner QuickStart. |
| Purple-Team-Emulation/GWS/ | Google Workspace security tools (placeholder). |
| Threat-Intel/ | IOCs, detection artifacts, threat intelligence. |
| Research/ | Research outputs, landscape studies, and reference materials (e.g. M365 AiTM, hybrid AD MFA gap). |
Authorized use only. Use only on systems and tenants you own or have explicit permission to test.
Compliance & authorized use
- Authorized use only. These tools are for security research, authorized testing, and defensive operations. Use them only on systems and tenants you own or have explicit permission to test.
- No misuse. Do not use this repo to gain unauthorized access, exfiltrate data, or violate laws or organizational policies. Misuse is your responsibility.
- Operational risk. Recon and auth scripts can trigger alerts or rate limits. Coordinate with stakeholders and follow change management where required.
- Data handling. Output may contain sensitive information. Handle and retain it according to your classification and retention policies.
By using this repository you agree to use it in a lawful and authorized manner. See SECURITY.md for how to report vulnerabilities in the repo itself.
- Bugs and features: Open an issue. Use the issue templates when possible.
- Security vulnerabilities: Do not report in public issues. See SECURITY.md for private reporting.
- Discussions: Use GitHub Discussions for questions and ideas if enabled; otherwise open an issue.
- Contributions: Pull requests welcome. Read CONTRIBUTING.md and CODE_OF_CONDUCT.md first.
We do not provide formal SLAs or commercial support; we respond when we can.
MIT License. Subdirectories may contain their own license files; where present, they apply to that project.