Python Automation · 6 min read · January 2026 · Nathaniel T.O, AMICDFA

Using Python for Cybersecurity: Automating Threat Detection

Python is the most practical tool in a working SOC analyst's automation arsenal — not for building malware or exploitation frameworks, but for the unglamorous and genuinely valuable work of log parsing, IOC extraction, API integration, and repetitive threat detection tasks. These are the four Python workflows I use or have directly built in active SOC environments.

Key Findings
  • Log parsing with Python's re module reduces manual analysis time from hours to seconds on large log files
  • A basic port scanner in under 30 lines teaches networking fundamentals while producing a genuinely useful security tool
  • VirusTotal API automation enables bulk IOC lookups that would be manually infeasible during active incident response
  • All four workflows here are real SOC use cases — not academic exercises

1. Log Analysis and Parsing

Security logs are noisy. A busy web server generates tens of thousands of events per hour. Python's re module lets you extract specific patterns from raw log files in seconds — work that would take hours manually.

Log IP Extractor — Python
import re

def extract_ips(log_file):
    """Return the unique IPv4 addresses that appear anywhere in a log file."""
    with open(log_file) as f:
        content = f.read()
    # Four dotted groups of 1-3 digits. The non-capturing group (?:...) keeps
    # findall() returning the whole address rather than only the last octet.
    ip_pattern = r'(?:\d{1,3}\.){3}\d{1,3}'
    return list(set(re.findall(ip_pattern, content)))

# Usage: extract_ips('apache_access.log')
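Extracting addresses is the first step; the detection value comes from parsing the whole line and counting per client. The following is an added example (not code from the post): one regex for an Apache combined-log line, a per-IP counter of 401 responses to the login path, and a threshold that flags repeated failures. The log lines, the `/login` path and the threshold of 3 are constructed for illustration; malformed lines are skipped rather than crashing the parser.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2026:10:00:02 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2026:10:00:03 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2026:10:00:04 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.23 - - [12/Jan/2026:10:00:06 +0000] "GET /wp-admin HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.9 - - [12/Jan/2026:10:00:07 +0000] "POST /login HTTP/1.1" 401 231 "-" "python-requests/2.31"
this line is malformed and should be skipped
"""

# One regex for the whole line: client IP, timestamp, request line and status code.
LINE_RE = re.compile(
    r'^(?P<ip>(?:\d{1,3}\.){3}\d{1,3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_lines(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def failed_logins_by_ip(text, path="/login"):
    """Count 401 responses to the login path per client IP."""
    counts = Counter()
    for rec in parse_lines(text):
        if rec["path"] == path and rec["status"] == "401":
            counts[rec["ip"]] += 1
    return counts

def flag_bruteforce(text, threshold=3):
    """Return the IPs whose failed-login count reaches the threshold, sorted."""
    return sorted(ip for ip, n in failed_logins_by_ip(text).items() if n >= threshold)

if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE_LOG)
    for ip in flag_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {ip} has {counts[ip]} failed logins on /login")
```

On a real file, replace `SAMPLE_LOG` with the file's contents (or feed `parse_lines` line by line to keep memory flat on multi-gigabyte logs); the named groups make it straightforward to add a second rule, for example counting 404s per IP to spot path scanning.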

2. Password Policy Enforcer

One of my published GitHub projects is a Python password policy enforcer that evaluates passwords against complexity rules using regex. This is an excellent beginner project that demonstrates regex, conditional logic, and security thinking simultaneously. Available open source on my GitHub.
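To show what "complexity rules using regex" looks like in practice, here is an added example of a policy checker; it is not the author's GitHub project, and the rule set, the minimum length of 12 and the small denylist are constructed for illustration. Each rule is a regex that a compliant password must match, and the checker returns every failed rule rather than stopping at the first, which is what a user-facing enforcer needs.

```python
import re

# Constructed denylist; a real enforcer would load a breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Each rule: (description, regex that a compliant password must match)
RULES = [
    ("at least 12 characters", re.compile(r"^.{12,}$")),
    ("an uppercase letter",    re.compile(r"[A-Z]")),
    ("a lowercase letter",     re.compile(r"[a-z]")),
    ("a digit",                re.compile(r"\d")),
    ("a symbol",               re.compile(r"[^A-Za-z0-9]")),
]

def check_password(pw):
    """Return the list of rules the password fails; an empty list means compliant."""
    failures = [desc for desc, rx in RULES if not rx.search(pw)]
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("not a common password")
    # Runs like 'aaaa' or '1111' satisfy the class rules but add no real strength.
    if re.search(r"(.)\1{3,}", pw):
        failures.append("no character repeated 4+ times in a row")
    return failures

def is_compliant(pw):
    """True when no rule fails."""
    return not check_password(pw)

if __name__ == "__main__":
    for candidate in ["password", "Correct-Horse-9!", "Aaaa1111!!!!bbbb"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```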

3. Basic Port Scanner

Using Python's socket module, you can write a functional port scanner in under 30 lines. It teaches networking fundamentals — TCP handshakes, connection states, timeout handling — while producing a tool with genuine reconnaissance utility.

Port Scanner — Python (28 lines)
import socket
from datetime import datetime

def scan(target, ports):
    """Return the ports on target that complete a TCP connect within 0.5 s."""
    results = []
    started = datetime.now()
    for port in ports:
        # Full TCP connect: connect_ex() returns 0 on success, otherwise an errno.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(0.5)   # do not hang on ports that never answer
            if s.connect_ex((target, port)) == 0:
                results.append(port)
    print(f"Scanned {len(ports)} ports in {datetime.now() - started}")
    return results

# scan('192.168.1.1', range(1, 1025))
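The scanner above only records "open". The three connection states the section mentions (handshake completed, refused with a RST, no answer before the timeout) are what an analyst verifying their own host's exposed services actually wants to see. The following added example (not the post's code) classifies each port by how the connect attempt ends, probes ports concurrently, and starts a throwaway listener on localhost so it can be run offline against a known-open port; the `start_listener` and `free_port` helpers exist only for that self-test.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

def probe(target, port, timeout=0.5):
    """Classify one TCP port by how the connect attempt ends."""
    try:
        with socket.create_connection((target, port), timeout=timeout):
            return "open"           # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"             # host answered with RST
    except (socket.timeout, TimeoutError):
        return "filtered"           # no answer at all, typically dropped by a firewall
    except OSError as exc:
        return f"error:{exc.errno}"

def scan(target, ports, timeout=0.5, workers=32):
    """Probe the ports concurrently and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(target, p, timeout), ports))
    return dict(zip(ports, states))

def start_listener(host="127.0.0.1"):
    """Open a throwaway listener on an OS-assigned port so the scan has an 'open' target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen()

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return              # listener was closed
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def free_port(host="127.0.0.1"):
    """Return a port that is currently closed (bind, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        for port, state in sorted(scan("127.0.0.1", [open_port, free_port()]).items()):
            print(f"{port}/tcp {state}")
    finally:
        srv.close()
```

Because `create_connection` raises distinct exceptions, the states come for free without decoding `connect_ex` errnos; the timeout is what separates "filtered" from "closed", so a host behind a firewall that drops SYNs will show nothing but "filtered" until the timeout expires for every port, which is why the pool of workers matters for larger ranges.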

4. Automating VirusTotal IOC Lookups

During active incident response, you may have 40 suspicious IP addresses and 15 file hashes to check. Doing this manually on VirusTotal is not feasible. With a free API key and 20 lines of Python, you can automate bulk IOC lookups and receive reputation scores for all of them in under a minute.

VirusTotal IP Lookup — Python
import os
import requests

# Read the key from the environment instead of hard-coding it in the script.
API_KEY = os.environ.get("VT_API_KEY", "your_vt_api_key")

def check_ip(ip):
    """Return (malicious, suspicious) engine counts for an IP from VirusTotal v3."""
    url = f"https://www.virustotal.com/api/v3/ip_addresses/{ip}"
    headers = {"x-apikey": API_KEY}
    r = requests.get(url, headers=headers, timeout=10)
    r.raise_for_status()          # surfaces 401 (bad key) and 429 (quota exceeded) clearly
    data = r.json()
    stats = data['data']['attributes']['last_analysis_stats']
    return stats['malicious'], stats['suspicious']
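Going from one lookup to the "40 IPs and 15 hashes" case needs three things the single function above does not show: picking the right v3 collection for each indicator type, pacing requests so a free key is not throttled, and turning the raw counts into a triage label. The following added example (not the post's code) does that with an injectable `fetch` function, so the same pipeline runs offline against constructed responses shaped like VirusTotal v3 bodies; the `verdict` thresholds, the 15-second spacing (four requests per minute) and the `FAKE_RESPONSES` data are assumptions made for illustration.

```python
import os
import re
import time
import requests

VT_BASE = "https://www.virustotal.com/api/v3"
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # md5 / sha1 / sha256

def endpoint_for(ioc):
    """Map an indicator to the VirusTotal v3 collection it belongs to."""
    if IPV4_RE.match(ioc):
        return f"{VT_BASE}/ip_addresses/{ioc}"
    if HASH_RE.match(ioc):
        return f"{VT_BASE}/files/{ioc}"
    raise ValueError(f"unsupported indicator: {ioc!r}")

def verdict(stats, malicious_min=5):
    """Turn last_analysis_stats into a coarse triage label (thresholds are illustrative)."""
    if stats.get("malicious", 0) >= malicious_min:
        return "malicious"
    if stats.get("malicious", 0) or stats.get("suspicious", 0):
        return "suspicious"
    return "clean"

def vt_fetch(url, api_key):
    """Real fetcher: GET the endpoint and return the parsed JSON body (None on 404)."""
    r = requests.get(url, headers={"x-apikey": api_key}, timeout=10)
    if r.status_code == 404:
        return None                 # VT has never seen this indicator
    r.raise_for_status()
    return r.json()

def bulk_lookup(iocs, fetch, api_key="", min_interval=15.0):
    """Look up each IOC once, spacing requests to stay inside a per-minute quota."""
    results = {}
    last = 0.0
    for ioc in dict.fromkeys(iocs):          # de-duplicate while keeping order
        wait = min_interval - (time.monotonic() - last)
        if wait > 0:
            time.sleep(wait)
        last = time.monotonic()
        body = fetch(endpoint_for(ioc), api_key)
        if body is None:
            results[ioc] = "unknown"
            continue
        stats = body["data"]["attributes"]["last_analysis_stats"]
        results[ioc] = verdict(stats)
    return results

# Constructed responses shaped like VT v3 bodies, so the pipeline can be exercised offline.
FAKE_RESPONSES = {
    f"{VT_BASE}/ip_addresses/203.0.113.7":
        {"data": {"attributes": {"last_analysis_stats": {"malicious": 9, "suspicious": 1, "harmless": 60}}}},
    f"{VT_BASE}/ip_addresses/198.51.100.23":
        {"data": {"attributes": {"last_analysis_stats": {"malicious": 0, "suspicious": 0, "harmless": 70}}}},
    f"{VT_BASE}/files/{'a' * 64}":
        {"data": {"attributes": {"last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 50}}}},
}

def fake_fetch(url, api_key):
    """Offline stand-in for vt_fetch; unknown URLs behave like a 404."""
    return FAKE_RESPONSES.get(url)

if __name__ == "__main__":
    iocs = ["203.0.113.7", "198.51.100.23", "a" * 64, "b" * 64, "203.0.113.7"]
    key = os.environ.get("VT_API_KEY")
    # With a key set, run live with the real fetcher and quota pacing; otherwise stay offline.
    report = bulk_lookup(iocs, vt_fetch, key) if key else bulk_lookup(iocs, fake_fetch, min_interval=0)
    for ioc, label in report.items():
        print(f"{ioc:>64}  {label}")
```

Keeping the HTTP call behind `fetch` is what makes the triage logic testable without a key and without spending quota; swapping in `vt_fetch` with `VT_API_KEY` set is the only change for a live run.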

Learning Path

SoloLearn Python (free, mobile-friendly) → TryHackMe Python basics room → build the password checker → build the port scanner → build the VirusTotal automation. That path takes 4–6 weeks and produces three portfolio-ready GitHub projects at the end.