First, thank you for your interest in contributing to Nation-State Lab.
Nation-State Lab is an enterprise-focused adversary emulation, detection engineering, threat hunting, and incident response platform designed for cybersecurity education, research, and purple-team exercises. Contributions from security practitioners, students, researchers, and defenders are welcomed.
This document outlines the standards, workflows, and expectations for contributing to the project.
The primary goals of Nation-State Lab are:
- Reproducibility
- Technical accuracy
- Realistic attack simulation
- Detection-focused learning
- Secure documentation practices
- Community-driven improvement
Every contribution should enhance one or more of these objectives.
Contributions are not limited to source code.
We welcome improvements in the following areas:
- Kibana detection rules
- Sigma rules
- Sysmon configurations
- Elastic dashboards
- Threat detection playbooks
- MITRE ATT&CK mappings
- Velociraptor artifacts
- VQL queries
- Hunt methodologies
- Investigation workflows
- IOC and TTP analysis
- MITRE ATT&CK technique implementations
- Atomic Red Team integrations
- Caldera abilities and adversary profiles
- Attack-chain enhancements
- Purple-team exercises
- Architecture diagrams
- Deployment guides
- Detection engineering documentation
- Threat hunting reports
- Incident response procedures
- Troubleshooting guides
- Deployment scripts
- Infrastructure-as-Code templates
- Log collection automation
- Validation and testing utilities
Before opening an issue or submitting a pull request:
- Review the existing documentation.
- Search open and closed issues.
- Verify the problem has not already been reported.
- Ensure the contribution aligns with the project's scope.
Contributors are encouraged to discuss significant changes through an issue before beginning implementation.
High-quality issue reports help maintain project stability and reproducibility.
When reporting a bug, include:
| Item | Example |
|---|---|
| Host Operating System | Windows 11 Pro |
| Hypervisor | VMware Workstation 17 |
| Lab Version | Current release |
| Elastic Version | 8.14.0 |
| Velociraptor Version | 0.76.5 |
- Description of the issue
- Expected behavior
- Actual behavior
- Steps to reproduce
- Screenshots (if applicable)
- Relevant logs
- Error messages
Docker container logs
Winlogbeat logs
Filebeat logs
Velociraptor logs
Windows Event Logs
Sysmon logs
Issues that cannot be reproduced may be closed pending additional information.
Feature requests should focus on improving:
- Detection coverage
- Adversary realism
- Automation
- Documentation quality
- Operational usability
When proposing a feature, explain:
- The problem being solved.
- Why the feature is valuable.
- Potential implementation approach.
- Expected impact on the lab.
- Fork the repository.
- Create a dedicated feature branch.
- Implement your changes.
- Validate functionality.
- Update documentation.
- Submit a pull request.
feature/add-sigma-rules
feature/velociraptor-hunt-pack
fix/winlogbeat-config
docs/architecture-update
enhancement/elastic-dashboard
Documentation should be:
- Technically accurate
- Easy to reproduce
- Vendor-neutral when possible
- Written in professional English
- Consistent with existing project structure
- Use descriptive headings.
- Include diagrams where beneficial.
- Specify code block language identifiers.
- Use tables for structured information.
- Keep formatting consistent throughout the repository.
All detection content should include:
title:
description:
severity:
mitre_tactic:
mitre_technique:
data_source:
author:- Minimize false positives.
- Include testing procedures.
- Map to MITRE ATT&CK where applicable.
- Provide investigation guidance.
- Include tuning recommendations.
#!/bin/bash
set -euo pipefail#Requires -RunAsAdministrator
Set-StrictMode -Version Latest- Avoid hardcoded values.
- Use variables and configuration files.
- Include comments for complex logic.
- Validate user input.
- Handle errors gracefully.
Security is a core principle of this project.
- Passwords
- API keys
- Private certificates
- Authentication tokens
- Encryption keys
- Real customer data
- Production indicators
The repository may contain:
Password123!
LabAdmin123!
example.local
192.168.1.10
These values exist solely for demonstration and educational purposes.
Contributors should validate changes before submission.
Verify:
- Rules execute successfully
- Alerts trigger correctly
- False positives are documented
- MITRE mappings are accurate
Verify:
- Deployment succeeds
- Existing functionality remains operational
- Documentation reflects configuration updates
Verify:
- Markdown renders correctly
- Links function properly
- Commands are accurate
- Screenshots remain relevant
Major changes must include documentation updates.
Pull requests that modify functionality without updating relevant documentation may be rejected until documentation is provided.
Documentation is considered a deliverable, not an afterthought.
Nation-State Lab is intended exclusively for:
- Cybersecurity education
- Detection engineering
- Threat hunting
- Purple-team exercises
- Security research
Contributors must not use the project to:
- Conduct unauthorized testing
- Attack third-party systems
- Deploy malware outside controlled environments
- Perform illegal activities
All activities should remain within isolated and authorized lab environments.
Pull requests are reviewed for:
| Category | Evaluation Criteria |
|---|---|
| Accuracy | Technical correctness |
| Security | Safe implementation |
| Quality | Readability and maintainability |
| Consistency | Alignment with project standards |
| Documentation | Completeness and clarity |
Maintainers may request revisions before approval.
All accepted contributors will be acknowledged through:
- GitHub contribution history
- Release notes (for significant contributions)
- Project acknowledgements where appropriate
Every contribution, regardless of size, helps improve the learning experience for the cybersecurity community.
By submitting a contribution, you agree that your work will be licensed under the same license governing this repository.
Please review the project's LICENSE file before contributing.
For questions, suggestions, or discussions:
- Open a GitHub Issue
- Start a GitHub Discussion (if enabled)
- Contact the project maintainers
Constructive feedback and collaboration are always encouraged.
Thank you for contributing to Nation-State Lab and helping build a practical platform for cybersecurity learning, detection engineering, threat hunting, and incident response.