Building NERF: A Security Engineering Assistant That Actually Knows Things
The Problem
Security work is context switching. You're writing a Sigma rule, someone pulls you into a threat model review, then a Slack message about GDPR Article 33 timelines. Every task reaches into a different part of your brain and a different set of bookmarks.
I had the same cheat sheets and reference docs scattered across Notion, Firefox tabs, and random markdown files. MITRE ATT&CK mappings here, hardening baselines there, IR playbooks somewhere else. What I wanted was one tool with all of it loaded — something that could think at a senior practitioner level across the full security domain without me having to find the right bookmark first.
So I built one.
What It Is
NERF is a security engineering assistant that runs on Claude. 1,500+ techniques across 64 domains — red team, blue team, incident response, forensics, privacy, architecture, the whole stack. Each technique follows the AgentSkills spec so Claude discovers and loads them automatically.
The knowledge base is 96 deep-dive docs. Not tutorials. Dense reference material — the kind of thing you'd want a senior security engineer to have internalized. When you ask a question, the relevant passages are pulled from the memory engine (a local full-text index over those docs) and injected into the context before the LLM responds, so it answers from documented, verified material instead of improvising attack techniques. Retrieval grounds the answer in the docs; anything the model adds beyond the retrieved text is still worth checking against them.
Seven Modes
There are 7 operating modes: RED, BLUE, PURPLE, PRIVACY, RECON, INCIDENT, ARCHITECT. Mode detection is automatic, driven by keywords in your query. Mention Kerberoasting and you're in RED. Mention Sigma rules and you're in BLUE. Mention GDPR and you're in PRIVACY. If the query is ambiguous, it asks rather than guessing.
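As an added illustration of the two mechanisms above (keyword mode detection, and retrieval of reference material into the prompt), here is a small end-to-end version. It is my own example, not NERF's code: the per-mode keyword lists, the three sample KB entries, the stop-word list and the term-overlap ranking are all constructed for it, and the ranking stands in for NERF's actual SQLite FTS5 query. A query is scored against each mode's keywords; a tie or no match becomes a clarifying question, otherwise the top-scoring docs are placed in the prompt with their ids so the answer can cite them.

```javascript
// Added example, not NERF's own code. The mode keyword lists, the sample KB
// entries, the stop-word list and the term-overlap ranking are constructed
// for illustration; the real tool queries an FTS5 index over 96 docs.
const MODES = {
  RED:       ["kerberoasting", "exploit", "payload", "privilege escalation", "bypass"],
  BLUE:      ["sigma", "detect", "siem", "alert", "hunt", "logging"],
  PURPLE:    ["purple", "adversary emulation", "atomic red team", "validate detection"],
  PRIVACY:   ["gdpr", "ccpa", "dpia", "personal data", "article 33"],
  RECON:     ["recon", "subdomain", "osint", "enumerate", "nuclei", "katana"],
  INCIDENT:  ["incident", "ransomware", "containment", "breach", "triage"],
  ARCHITECT: ["threat model", "zero trust", "architecture", "design review"],
};

// Constructed sample entries standing in for the real deep-dive docs.
const KB = [
  { id: "ad-attack-paths", title: "Active Directory attack paths",
    text: "Kerberoasting requests service tickets for SPNs and cracks the TGS hash offline. Detect it in event 4769 when the ticket encryption type is 0x17 (RC4)." },
  { id: "sigma-authoring", title: "Writing Sigma rules",
    text: "A Sigma rule declares logsource, detection, condition and level; link it to ATT&CK through the tags field." },
  { id: "gdpr-breach-notification", title: "GDPR breach notification",
    text: "Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach." },
];

const STOP = new Set(["a", "an", "the", "of", "for", "with", "to", "in", "on", "and", "how", "do", "i", "is", "it", "my", "via"]);

function tokenize(s) {
  return (s.toLowerCase().match(/[a-z0-9]+/g) ?? []).filter((t) => !STOP.has(t));
}

// Score each mode by how many of its keywords occur in the query. No match,
// or a tie between the top two modes, is the ambiguous case: ask instead of guessing.
function detectMode(query) {
  const q = query.toLowerCase();
  const scores = {};
  for (const [mode, words] of Object.entries(MODES)) {
    scores[mode] = words.filter((w) => q.includes(w)).length;
  }
  const [top, second] = Object.entries(scores).sort((a, b) => b[1] - a[1]);
  if (top[1] === 0 || top[1] === second[1]) return { mode: null, ask: true, scores };
  return { mode: top[0], ask: false, scores };
}

// Term-overlap ranking over title + body; a stand-in for the FTS5 MATCH query.
function retrieve(query, k = 2) {
  const terms = new Set(tokenize(query));
  return KB.map((doc) => ({
      doc,
      hits: tokenize(doc.title + " " + doc.text).filter((t) => terms.has(t)).length,
    }))
    .filter((r) => r.hits > 0)
    .sort((a, b) => b.hits - a.hits)
    .slice(0, k)
    .map((r) => r.doc);
}

// Assemble the prompt: mode instruction first, then retrieved docs as cited
// context, then the question. The ask branch returns a clarifying question instead.
function buildPrompt(query) {
  const { mode, ask } = detectMode(query);
  if (ask) {
    return { mode: null, sources: [], prompt: `Which mode applies to "${query}"? (${Object.keys(MODES).join(", ")})` };
  }
  const docs = retrieve(query);
  const context = docs.map((d) => `[${d.id}] ${d.title}\n${d.text}`).join("\n\n");
  const prompt = [
    `Mode: ${mode}. Answer as a senior security engineer.`,
    "Use only the reference material below and cite it by [id]; say so if it does not cover the question.",
    context,
    `Question: ${query}`,
  ].join("\n\n");
  return { mode, sources: docs.map((d) => d.id), prompt };
}
```

The ask branch is the part worth keeping: a query like "write a sigma rule for kerberoasting" scores RED and BLUE equally, and silently picking one would change which half of the cross-pollination (detection opportunities versus evasion considerations) leads the answer.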
Every RED output includes detection opportunities — how a blue team would catch what you just described. Every BLUE output includes evasion considerations — how an attacker bypasses the detection. Privacy implications get flagged everywhere. That cross-pollination is the point.
The CLI
# Bare query
nerf "how do I detect lateral movement via PsExec"
# Compliance report
nerf compliance SOC2 --format markdown
# Health check
nerf doctor
29 commands. All native Node.js — no Python, no subprocess bridge. 25ms cold start. Installs with npm install -g @defconxt/nerf.
For Claude Code users, it ships as 34 slash commands. /nerf:hunt kerberoasting, /nerf:sigma T1059.001, /nerf:ir ransomware on file server. You stay in your terminal. No context switch.
The Knowledge Base on blacktemple.net
The 96 knowledge docs live on blacktemple.net/nerf as a browsable KB. Three-column layout with a collapsible sidebar, scroll-spy TOC, and prev/next between articles.
Building it was an interesting problem. The docs are plain markdown, not MDX, so they couldn't go through Contentlayer. I built a separate remark/rehype pipeline that processes them at build time. The KB cross-links with the blog — posts about SQL injection link to the web security doc, forensics docs link to breach coverage. 214 blog posts mapped to KB articles.
Under the Hood
The whole thing is Node.js. better-sqlite3 with FTS5 for the memory engine, Nuclei and Katana (Go binaries) for scanning, vitest for testing. 1,097 tests across 47 files. REST API with 14 endpoints, MCP server with 14 tools, Docker image on node:22-slim.
39 compliance frameworks with 1,151 control IDs. Give it scan findings and it maps them to SOC2, NIST 800-53 or the EU AI Act, then tells you which controls are passing, which are failing, and what to fix first.
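The mapping step described above, as an added example that is not NERF's code: each finding type carries the control IDs it violates in each framework; a control hit by a finding fails, a control that some known finding type could have hit but none did passes, and a control the scanner has no check for is reported as not assessed rather than passed. Remediation order is by worst severity, then by how many findings land on the control. The NIST 800-53 and SOC 2 control IDs are real, but which finding types I attach to them, the framework subsets, and the findings are all constructed for this example.

```javascript
// Added example, not NERF's own code. The finding-to-control rows are my
// assumption (the NIST 800-53 and SOC 2 control IDs are real, the choice of
// which finding types hit them is illustrative) and the findings are constructed.
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };

// Controls each framework defines in this toy; the real catalog is 1,151 IDs.
const FRAMEWORK_CONTROLS = {
  "NIST-800-53": ["AC-2", "CM-7", "IA-5", "SC-7", "SC-8", "SC-13", "SI-2"],
  "SOC2": ["CC6.1", "CC6.6", "CC6.7", "CC7.1", "CC8.1"],
};

// Illustrative mapping: scanner finding type -> control IDs per framework.
const CONTROL_MAP = {
  "tls-weak-cipher":          { "NIST-800-53": ["SC-8", "SC-13"], "SOC2": ["CC6.7"] },
  "default-credentials":      { "NIST-800-53": ["IA-5"],          "SOC2": ["CC6.1"] },
  "outdated-component":       { "NIST-800-53": ["SI-2"],          "SOC2": ["CC7.1"] },
  "open-admin-port":          { "NIST-800-53": ["CM-7", "SC-7"],  "SOC2": ["CC6.6"] },
  "missing-security-headers": { "NIST-800-53": ["SC-8"],          "SOC2": ["CC6.7"] },
};

// Constructed scan findings in the shape a template scanner might hand over.
const SAMPLE_FINDINGS = [
  { id: "F-1", type: "tls-weak-cipher",          severity: "medium",   host: "web-01" },
  { id: "F-2", type: "default-credentials",      severity: "critical", host: "cam-07" },
  { id: "F-3", type: "open-admin-port",          severity: "high",     host: "db-02" },
  { id: "F-4", type: "missing-security-headers", severity: "low",      host: "web-01" },
  { id: "F-5", type: "exposed-debug-endpoint",   severity: "high",     host: "api-03" }, // no mapping row
];

// Controls that at least one known finding type can exercise. Anything outside
// this set cannot be called "pass" on scan evidence alone.
function assessableControls(framework) {
  const ids = new Set();
  for (const row of Object.values(CONTROL_MAP)) {
    for (const id of row[framework] ?? []) ids.add(id);
  }
  return ids;
}

function assessCompliance(findings, framework) {
  const controls = FRAMEWORK_CONTROLS[framework];
  if (!controls) throw new Error(`unknown framework: ${framework}`);
  const assessable = assessableControls(framework);
  const hitsByControl = new Map();
  const unmapped = [];
  for (const f of findings) {
    const ids = CONTROL_MAP[f.type]?.[framework];
    if (!ids) { unmapped.push(f.id); continue; } // surface the gap instead of dropping the finding
    for (const id of ids) {
      if (!hitsByControl.has(id)) hitsByControl.set(id, []);
      hitsByControl.get(id).push(f);
    }
  }
  const results = controls.map((id) => {
    const hits = hitsByControl.get(id) ?? [];
    let status = "pass";
    if (hits.length) status = "fail";
    else if (!assessable.has(id)) status = "not-assessed";
    const worst = hits.reduce((m, f) => Math.max(m, SEVERITY_RANK[f.severity] ?? 0), -1);
    return { control: id, status, findings: hits.map((f) => f.id), worst };
  });
  // Fix order: worst severity first, then number of findings, then control ID.
  const fixFirst = results
    .filter((r) => r.status === "fail")
    .sort((a, b) => b.worst - a.worst || b.findings.length - a.findings.length || a.control.localeCompare(b.control))
    .map((r) => r.control);
  const byStatus = (s) => results.filter((r) => r.status === s).map((r) => r.control);
  return {
    framework,
    passing: byStatus("pass"),
    failing: byStatus("fail"),
    notAssessed: byStatus("not-assessed"),
    fixFirst,
    unmapped,
  };
}
```

The not-assessed bucket is the check worth keeping: a scanner only produces negative evidence, so controls that no finding type can reach should not show up as passing, and findings with no mapping row should be reported rather than quietly dropped.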
The Goal
Be the last security tool a professional needs. Every interaction should leave the operator more capable, better informed, and faster to action. That hasn't changed since the first skill file.
