Who I am

I'm Nicholai, a researcher and builder focused on the intersection of artificial intelligence and cybersecurity. I operate through AuvaLabs, where I build open-source and private tools for threat intelligence, red team automation, AI compliance, and ML infrastructure.

I started in network security and drifted into AI as the two fields started colliding in ways that actually matter: LLMs lowering the cost of phishing, generative models creating content provenance problems, GPU clusters becoming security-relevant infrastructure. Those overlaps are where I spend most of my time.

My work spans both offensive and defensive security, from building phishing simulation platforms to monitoring threat actor activity at scale. On the AI side, I'm interested in how large models change the threat landscape, and how we build compliance infrastructure for an AI-first world.

I publish weekly research notes documenting what I'm reading, building, and thinking about. No polish, just signal.

What I work on

Threat Intelligence

Aggregating and analysing feeds from dark web sources, CVE databases, and threat actor infrastructure. Building ThreatWatch to make CTI accessible.

AI Security & Compliance

LLM attack surfaces, prompt injection, model abuse. EU AI Act compliance tooling via ProvStamp (C2PA content credentials for AI-generated media).

Red Teaming

Phishing simulation, credential harvesting research, and adversarial tooling. PhishRig orchestrates Evilginx3, Gophish, and Mailhog for authorised engagements.

ML Infrastructure

GPU VRAM pooling with Moxel, music generation with HeartMuLa, and running large models on constrained hardware.

Defence Intelligence

Translating offensive research into defensive posture. Analysing attacker TTPs, campaign patterns, and tooling to inform detection engineering, incident response, and security architecture decisions.

Malware Analysis

Examining malicious samples to understand behaviour, persistence mechanisms, and C2 communication patterns. Feeds directly into ThreatWatch detection rules and PhishRig simulation fidelity.

OSINT

Infrastructure recon, threat actor attribution, and dark web monitoring. Finding signal in open sources before it becomes a feed entry, from domain registration patterns to paste sites to actor forum activity.
