Case 03 2019 — 2021 Engineering & Tool Building

Agentic Email Systems & Security Tooling

Before AI pipelines had a name, a fully automated agentic email processing suite was built from scratch in Bash and Python — reading emails, routing them through AI disambiguation engines, and replying with structured results. Alongside it, a set of original security tools built for real operational needs.

Bash · Python · Rust · AI Integration · Email Automation · Security Tooling · All original work

5 pipeline scripts · 4 security tools built · 3 languages used · 72h pipeline delivery time

Building what didn't exist yet

In 2019 and 2020, the concept of an agentic AI pipeline — an automated system that receives input, routes it to an intelligent processing engine, and returns structured output — existed only in research labs. Large language models were not yet publicly available. The tools that developers use today to build these systems in an afternoon simply did not exist.

The challenge was to build exactly this kind of system using the tools that were available: Bash scripting, Python, raw API calls, email infrastructure, and a proprietary AI disambiguation engine. The result was a working suite of agentic email applications — each one listening for incoming email, processing it intelligently, and replying automatically with useful output.

What the team said

"That's how a hacker works. We knew this wouldn't be an easy task when we asked you to do it, but you kept at it until you figured it out and made it work."

The system was built under pressure, across sleepless nights, and delivered in under 72 hours. It was not a prototype in the academic sense. It worked. It ran in production. Emails went in. Intelligent responses came out.

How the pipeline worked

The core system was built as a chain of small, focused scripts — each responsible for one step in the pipeline. This modular design meant each component could be tested independently and reused across different applications.

01 Email detection (mailmon.sh)

A continuous daemon monitors the mail directory by comparing successive directory listings with comm. Every 5 seconds it detects newly arrived emails and logs the file path — triggering the rest of the pipeline. No external dependencies. Pure Bash.
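
The comm-based detection loop, as an added example and not the original mailmon.sh: it snapshots the directory listing, diffs it against the previous snapshot with comm -13, logs the full path of each new file and rotates the snapshot. The directory, state-file and log paths are placeholders, and the Maildir-style layout (one file per message) is an assumption.

```shell
#!/usr/bin/env bash
# Added example modelled on the mailmon.sh description; not the original
# script. Assumes messages arrive as individual files in one directory
# (Maildir-style <maildir>/new); all paths below are placeholders.

# Sorted listing of the watched directory (comm needs sorted input, and
# LC_ALL=C keeps the sort order identical across runs).
snapshot() {
  ( cd "$1" && ls -1 ) 2>/dev/null | LC_ALL=C sort -u
}

# Lines present in the current listing ($2) but not the previous one ($1):
# comm -13 suppresses column 1 (only in prev) and column 3 (in both).
new_messages() {
  LC_ALL=C comm -13 "$1" "$2"
}

# One polling iteration over directory $1 with state file $2 and log $3.
# Logs the full path of every newly arrived message, rotates the state
# file and prints the number of new messages.
poll_once() {
  local dir="$1" state="$2" log="$3" curr count=0 f
  curr=$(mktemp)
  snapshot "$dir" > "$curr"
  [ -f "$state" ] || : > "$state"      # first run: everything counts as new
  new_messages "$state" "$curr" > "$curr.new"
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    printf '%s %s/%s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$dir" "$f" >> "$log"
    count=$((count + 1))
  done < "$curr.new"
  rm -f "$curr.new"
  mv "$curr" "$state"
  printf '%s\n' "$count"
}

# Daemon loop, as in the original design: one poll every 5 seconds.
# Usage: mailmon_loop /var/mail/msgmate/new /var/run/mailmon.state /var/log/mailmon.log
mailmon_loop() {
  while :; do
    poll_once "$1" "$2" "$3" > /dev/null
    sleep 5
  done
}
```

To avoid reporting every message already on disk as new at startup, prime the state file with one snapshot before starting the loop; the log line format (timestamp and path) is what a downstream reader script would consume.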

02 Email parsing (reader.sh)

Raw email files are parsed using formail and sed. The script detects whether the email is a forwarded message or a direct message, strips headers, MIME boundaries, and HTML tags, and extracts clean plain-text body content for processing.

03 AI disambiguation (reader.sh)

The cleaned email body is sent via HTTP POST to the Urvin AI eigen-disambiguation API. The API returns a weighted concept list — what the email is about, ranked by relevance. The response is parsed, sorted, and formatted into a human-readable summary.

04 Sender investigation (lookup.sh)

For the Lookup prototype, the original sender's email address is extracted from a forwarded email header using regex and cut. That address is sent to a domain scraping API which returns intelligence about the sender's organization. The result is formatted and sent back to the user.
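
The parsing step (02) and the sender extraction step (04) together, as an added example that is not the original reader.sh or lookup.sh: it splits headers from body, detects a forward, strips boundary lines, part headers and HTML tags, and pulls the original sender's address out of the forwarded block. Plain awk, sed and grep stand in for formail, and the address is checked against a conservative pattern before it is printed, so that arbitrary header text never reaches the downstream scraping API. The message is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example covering the reader.sh parsing step and the lookup.sh sender
# extraction; not the original scripts. Plain awk/sed/grep replace formail.
# The message below is constructed for the demo.

SAMPLE_MAIL='From: Bob User <bob@example.org>
To: lookup@example.com
Subject: Fwd: Invoice overdue
Content-Type: multipart/alternative; boundary="XYZ123"

--XYZ123
Content-Type: text/plain; charset=utf-8

---------- Forwarded message ---------
From: Accounts Dept <billing@example-vendor.test>
Date: Mon, 1 Jan 2024 10:00:00 +0000
Subject: Invoice overdue

Please pay the attached invoice today.
--XYZ123
Content-Type: text/html; charset=utf-8

<html><body><p>Please pay the <b>attached invoice</b> today.</p></body></html>
--XYZ123--'

# Header block: everything up to the first blank line (stdin = raw mail).
email_headers() { awk '/^$/ { exit } { print }'; }

# Body: everything after the first blank line.
email_body() { awk 'f; /^$/ && !f { f = 1 }'; }

# MIME boundary token from the Content-Type header, empty if not multipart.
mime_boundary() {
  grep -i -o 'boundary="[^"]*"' | head -n 1 | sed 's/^[^"]*"//; s/"$//'
}

# Exit 0 if the mail is a forward: a Fwd:/FW: subject or a forwarded-message
# marker in the body.
is_forwarded() {
  local mail
  mail=$(cat)
  printf '%s\n' "$mail" | email_headers | grep -Eqi '^Subject: *(fwd?|fw):' && return 0
  printf '%s\n' "$mail" | email_body | grep -qi 'forwarded message'
}

# Strip boundary lines, part headers and HTML tags from a body (stdin),
# collapsing runs of blank lines. $1 is the boundary token.
clean_body() {
  awk -v b="$1" '
    b != "" && index($0, "--" b) == 1 { next }
    tolower($0) ~ /^content-(type|transfer-encoding|disposition):/ { next }
    { gsub(/<[^>]*>/, ""); print }' \
  | awk 'NF || prev { print } { prev = NF }'
}

# Address of the original sender of a forwarded mail (stdin = raw mail).
# Only a syntactically valid address is printed, so arbitrary header text
# never reaches the downstream lookup API; exit 1 otherwise.
original_sender() {
  local addr
  addr=$(email_body \
    | awk 'tolower($0) ~ /forwarded message/ { seen = 1; next }
           seen && tolower($0) ~ /^from:/ { print; exit }' \
    | sed -e 's/.*<\([^>]*\)>.*/\1/' -e 's/^[Ff][Rr][Oo][Mm]: *//')
  printf '%s\n' "$addr" | grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' || return 1
  printf '%s\n' "$addr"
}
```

Typical use is `original_sender < message.eml` before calling any lookup service, and `email_body < message.eml | clean_body "$(mime_boundary < message.eml)"` to produce the text that goes to the disambiguation step. Different mail clients use different forward markers ("Begin forwarded message:" on Apple Mail, for instance), so the marker match is the part to extend for a real deployment.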

05 Attachment analysis (neo.sh)

For the NEO prototype, attachments are extracted from incoming emails using ripmime, fed to a Python AI analysis script, and the JSON output is converted to formatted HTML via a Java renderer. The complete risk analysis is returned to the sender by email.
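
The attachment step as an added example, not the original neo.sh and not ripmime: it locates attachment parts by their Content-Disposition header, decodes the base64 body, and reduces the declared filename to a safe basename before writing, because a sender-controlled name such as ../../evil.txt would otherwise be written outside the extraction directory. The message, including its hostile filename, is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example of the neo.sh attachment step without ripmime: pulls base64
# attachments out of a multipart message and writes them under names that
# cannot escape the output directory. Not the original script; the message
# below (with a deliberately hostile filename) is constructed.

SAMPLE_WITH_ATTACHMENT='From: sender@example.org
To: neo@example.com
Subject: Risk Disclosure
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Attached.
--B1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="../../evil.txt"
Content-Transfer-Encoding: base64

UmlzayBEaXNjbG9zdXJlOiBzYW1wbGUK
--B1--'

# Boundary token from the top-level Content-Type header (stdin = raw mail).
mime_boundary() {
  grep -i -o 'boundary="[^"]*"' | head -n 1 | sed 's/^[^"]*"//; s/"$//'
}

# Declared filename of every attachment part, one per line.
attachment_filenames() {
  grep -i -o 'filename="[^"]*"' | sed 's/^[^"]*"//; s/"$//'
}

# Encoded body of the part whose Content-Disposition names $1 (boundary $2).
attachment_payload() {
  awk -v want="$1" -v b="$2" '
    index($0, "--" b) == 1 { inpart = 1; hit = 0; body = 0; next }
    inpart && !body && tolower($0) ~ /^content-disposition:/ &&
      index($0, "filename=\"" want "\"") { hit = 1 }
    inpart && !body && /^$/ { body = 1; next }
    body && hit { print }'
}

# Reduce an attacker-controlled filename to a safe basename: drop any
# directory part (/ or \), allow only [A-Za-z0-9._-], no leading dots.
safe_name() {
  local n
  n=$(printf '%s' "$1" | sed -e 's#.*[/\\]##' -e 's/[^A-Za-z0-9._-]/_/g' -e 's/^\.*//')
  [ -n "$n" ] || n="attachment"
  printf '%s\n' "$n"
}

# Decode every attachment of mail file $1 into directory $2; prints the count.
extract_attachments() {
  local mail="$1" out="$2" b names name n=0
  b=$(mime_boundary < "$mail")
  [ -n "$b" ] || { printf '0\n'; return 0; }
  names=$(mktemp)
  attachment_filenames < "$mail" > "$names"
  while IFS= read -r name; do
    attachment_payload "$name" "$b" < "$mail" | base64 -d > "$out/$(safe_name "$name")"
    n=$((n + 1))
  done < "$names"
  rm -f "$names"
  printf '%s\n' "$n"
}
```

Run it as `extract_attachments message.eml /var/tmp/neo-quarantine` (placeholder path) and hand the written files to the analysis script. Two attachments declaring the same sanitized name would overwrite each other here; a per-message subdirectory or a numeric suffix is the usual fix, and nested multipart parts are not descended into.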

06 Response delivery (resendit.sh)

Processed results are delivered back to the original sender automatically. The system handles both plain-text responses and attachment forwarding — completing the full agentic loop from incoming email to intelligent reply.

Three working applications built on the pipeline

Message Mate

Forward any email to Message Mate and receive an AI-generated summary of what the email is about — its concepts, intent, and key topics — returned automatically to your inbox.

reader.sh + Urvin AI API

Lookup

Forward a suspicious email to Lookup and receive intelligence about the original sender — who they are, what their domain represents, and what their organization does.

lookup.sh + domain scraping API

NEO

Email NEO with an attached document marked "Risk Disclosure" and receive a structured HTML risk factor analysis generated by AI — automatically extracted, analyzed, and returned.

neo.sh + Python + Java renderer

reader.sh — AI disambiguation call (excerpt, bash)
# Extract clean email body and send to Urvin AI for disambiguation,
# then parse the weighted concept list out of the JSON response
ebd=$(cat /home/msgmate/emailbody.txt)

curl -X POST \
  -H "Content-type: text/plain" \
  -H "Authorization: Basic $(echo -n prototype:*** | base64)" \
  "https://marvin.urvin.ai:53117/matching/eigen_disambiguate\
?nca_scaling=2&nca_impact=1&pa_scaling=2&pa_impact=1\
&total_accepted_variance=0.5&minimum_concept_weight=0.0" \
  -d "{\"${ebd}\"}" \
  | sed $'s/},{/},\\\n{/g' \
  | sed $'s/^.*concepts/concepts/' \
  | cut -d "," -f 2,3 \
  | sort -nr \
  | sed '/^.*count/d' \
  >> /home/msgmate/response.txt
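
The excerpt above interpolates the raw email body straight into the request data, which breaks as soon as a message contains a double quote, a backslash or a newline, and it passes the credential on the command line where `ps` can read it. The following is an added example, not the original reader.sh and not Urvin's client: it escapes the body into a valid JSON string, reads the credential from a curl netrc file, and ranks a weighted concept list. The request key `text`, the response shape (`concepts` objects with `concept` and `weight` fields), the DISAMBIGUATE_URL and NETRC_FILE variables are assumptions, and the sample response is constructed.

```shell
#!/usr/bin/env bash
# Added example (not the original reader.sh). Assumed API shape:
#   request : {"text": "<email body>"}
#   response: {"concepts":[{"concept":"...","weight":0.xx},...],"count":N}

# Escape stdin into the contents of a JSON string: backslash, double quote,
# tab and CR are escaped, lines are joined with a literal \n.
json_escape_text() {
  awk 'BEGIN { ORS = "" }
  {
    if (NR > 1) printf "\\n"
    n = length($0)
    for (i = 1; i <= n; i++) {
      c = substr($0, i, 1)
      if (c == "\\")      printf "\\\\"
      else if (c == "\"") printf "\\\""
      else if (c == "\t") printf "\\t"
      else if (c == "\r") printf "\\r"
      else                printf "%s", c
    }
  }'
}

# Wrap the escaped body in the (assumed) request object.
build_payload() {
  printf '{"text":"%s"}' "$(json_escape_text)"
}

# Send the payload. Credentials come from a netrc file (mode 0600) so they
# never appear in `ps` output, unlike an inline Authorization header.
# DISAMBIGUATE_URL and NETRC_FILE are placeholders for this example.
send_for_disambiguation() {
  curl -sS --fail --netrc-file "${NETRC_FILE:-$HOME/.urvin-netrc}" \
    -H 'Content-Type: application/json' \
    --data-binary @- \
    "${DISAMBIGUATE_URL:?set DISAMBIGUATE_URL}"
}

# Turn the response into "weight concept" lines, highest weight first.
rank_concepts() {
  grep -o '"concept":"[^"]*","weight":[0-9.]*' \
    | sed 's/"concept":"\([^"]*\)","weight":\([0-9.]*\)/\2 \1/' \
    | sort -rn
}

# Name of the top-ranked concept, or "none" for an empty list.
top_concept() {
  local top
  top=$(rank_concepts | head -n 1 | cut -d ' ' -f 2)
  printf '%s\n' "${top:-none}"
}

# Constructed sample response in the assumed shape.
SAMPLE_RESPONSE='{"concepts":[{"concept":"invoice","weight":0.82},{"concept":"payment","weight":0.61},{"concept":"urgent","weight":0.90}],"count":3}'

# Full pipeline shape:
#   cat emailbody.txt | build_payload | send_for_disambiguation | rank_concepts
```

The netrc file holds one line, `machine <api host> login <user> password <secret>`, which is curl's standard format. If the real response orders the fields differently from the assumption, the grep pattern in rank_concepts is the one place to adjust; the escaping function is independent of the API.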

Built because the need existed

The projects on this page were not created as part of a single initiative or at the same point in my career. They were built over many years, in different contexts, to solve different problems.

Some originated from security assessments where existing tools did not provide the functionality or visibility I needed. Others were created to automate operational workflows, explore new technologies, or better understand the systems involved. The phishing simulator, for example, was developed while I was learning Rust; other utilities were written years earlier in Bash or Python for entirely different engagements.

What connects them is not the technology or the timeline, but the approach. When an existing solution was insufficient or when building one offered a deeper understanding, I designed and implemented my own.

This reflects a mindset often associated with the original meaning of "hacker": understanding systems well enough to create new solutions instead of relying solely on existing ones.

Overwatch (Bash)

overwatch.sh — Personal IDS / connection monitor

A lightweight intrusion detection system built entirely in Bash. Monitors active network connections and listening ports in real time, performs WHOIS lookups on all connected IPs, and sends immediate email alerts when new ports start listening or new connections are established.

Real-time port and connection monitoring via ss
Automatic WHOIS geolocation on connected IPs
Differential comparison to detect state changes
Immediate email alert on new listening port or established connection
Designed to detect reverse shells on compromised servers
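
A reverse-shell heuristic over `ss` output, added here as an example in the spirit of the Overwatch design and not taken from overwatch.sh: a connection is flagged when a shell or interpreter process owns an established socket to a peer outside loopback and private ranges, which is the typical shape of an interactive reverse shell. The sample output is constructed in the `ss -tunp` column layout, and the list of suspect process names is a tunable assumption.

```shell
#!/usr/bin/env bash
# Added example of a reverse-shell heuristic in the spirit of overwatch.sh;
# not the original script. Input is `ss -tunp` style output (the sample
# below is constructed in that layout).

SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   ESTAB 0      0      10.0.0.5:22       10.0.0.9:53122    users:(("sshd",pid=812,fd=4))
tcp   ESTAB 0      0      10.0.0.5:45210    192.0.2.10:443    users:(("curl",pid=2210,fd=5))
tcp   ESTAB 0      0      10.0.0.5:51234    198.51.100.7:4444 users:(("bash",pid=31337,fd=3))
tcp   ESTAB 0      0      127.0.0.1:33000   127.0.0.1:6379    users:(("redis-cli",pid=900,fd=3))'

# Process names that should not normally own outbound sockets (heuristic,
# an assumption of this example; tune it for the host).
SHELL_LIKE="sh bash dash zsh ksh nc ncat socat python python3 perl"

# Exit 0 for loopback, RFC 1918, link-local and IPv6 ULA/link-local peers.
is_internal_ip() {
  case "$1" in
    10.*|127.*|192.168.*|169.254.*|::1|fe80:*|fc*|fd*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Host part of an ss "addr:port" field, handling bracketed IPv6.
peer_host() {
  local h
  case "$1" in
    \[*\]:*) h=${1#\[}; printf '%s\n' "${h%%\]*}" ;;
    *)       printf '%s\n' "${1%:*}" ;;
  esac
}

# "pid name peer" for every established connection matching the heuristic.
suspicious_connections() {
  awk 'NR > 1 && $2 == "ESTAB" { print $6, $7 }' \
  | while read -r peer proc; do
      ip=$(peer_host "$peer")
      name=$(printf '%s' "$proc" | sed 's/^users:(("\([^"]*\)".*/\1/')
      pid=$(printf '%s' "$proc" | sed 's/.*pid=\([0-9]*\).*/\1/')
      is_internal_ip "$ip" && continue
      case " $SHELL_LIKE " in
        *" $name "*) printf '%s %s %s\n' "$pid" "$name" "$ip" ;;
      esac
    done
}

# Alert text for the mail step (pipe into: mail -s "New connection" "$email").
alert_message() {
  awk '{ printf "pid %s (%s) has an established connection to %s\n", $1, $2, $3 }'
}
```

In a loop this runs as `ss -tunp | suspicious_connections | alert_message`, with the result mailed only when non-empty; because `ss -p` needs root to see other users' processes, the monitor has to run privileged for the process column to be complete. Port 4444 in the sample is a common default for reverse-shell tooling, but the heuristic deliberately keys on the owning process rather than the port, since the port is trivially changed.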

Eve (Bash)

eve.sh — SMTP email existence verifier

An email account existence verifier that works without sending any email. Eve performs an MX record lookup on the target domain, connects directly to the SMTP server, and uses the EHLO/RCPT TO handshake to determine whether an email account exists — supporting both netcat and telnet as transport utilities.

MX record resolution via host lookup
Direct SMTP handshake without sending mail
Supports nc and telnet transport
Handles multiple response states: accepted, rejected, unavailable
Useful for OSINT and pre-engagement reconnaissance
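
The same EHLO/RCPT TO probe seen from the mail server's side, as an added example that is not part of Eve: a verifier like this leaves a recognisable trace, a burst of RCPT TO commands from one client that are all refused with no DATA, and that is what this detection keys on. The log lines are constructed, modelled on Postfix smtpd reject and disconnect messages, and the thresholds are assumptions.

```shell
#!/usr/bin/env bash
# Added example from the defender's side of the EHLO/RCPT TO probe that eve.sh
# performs: spot recipient-enumeration attempts in mail server logs. Not part
# of the original tool. The lines below are constructed, modelled on Postfix's
# smtpd reject/disconnect messages.

SAMPLE_LOG='Jan 10 09:00:01 mx postfix/smtpd[2101]: connect from unknown[203.0.113.5]
Jan 10 09:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<alice@example.com> proto=ESMTP helo=<scanner>
Jan 10 09:00:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bob@example.com> proto=ESMTP helo=<scanner>
Jan 10 09:00:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<carol@example.com> proto=ESMTP helo=<scanner>
Jan 10 09:00:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dave@example.com> proto=ESMTP helo=<scanner>
Jan 10 09:00:06 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <erin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<erin@example.com> proto=ESMTP helo=<scanner>
Jan 10 09:00:08 mx postfix/smtpd[2101]: disconnect from unknown[203.0.113.5] ehlo=1 mail=1 rcpt=0/5 quit=1 commands=3/8
Jan 10 09:05:00 mx postfix/smtpd[2150]: connect from mail.example.org[198.51.100.20]
Jan 10 09:05:01 mx postfix/smtpd[2150]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.20]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table; from=<friend@example.org> to=<typo@example.com> proto=ESMTP helo=<mail.example.org>
Jan 10 09:05:02 mx postfix/smtpd[2150]: disconnect from mail.example.org[198.51.100.20] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4'

# "count ip" for every client that had RCPT TO commands rejected, most first.
rcpt_reject_counts() {
  sed -n 's/.*reject: RCPT from [^[]*\[\([^]]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Clients with at least $1 rejected recipients.
flag_enumeration() {
  rcpt_reject_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Sessions that tried several recipients and had every one refused
# (rcpt=0/N with N >= $1, default 3): prints "ip tried".
probe_sessions() {
  sed -n 's/.*disconnect from [^[]*\[\([^]]*\)\].* rcpt=0\/\([0-9]*\).*/\1 \2/p' \
    | awk -v t="${1:-3}" '$2 >= t'
}
```

The second client in the sample is a legitimate server that mistyped one address, which is why a single 550 is not worth an alert; the per-client count and the all-refused session summary together separate a probe from ordinary bounces. On the mitigation side, Postfix's smtpd_hard_error_limit and per-client rate limits cap how many addresses one session can test, and a catch-all or uniform acceptance policy removes the signal a verifier relies on, at the cost of accepting mail for unknown users.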

Centbruteon (Python)

centbruteon.py — Centreon API brute-forcer

A credential brute-forcing tool targeting the Centreon network monitoring platform API (tested on v19.04). Written in Python 3 with a clean CLI interface, supporting single-user and multi-user wordlist modes, HTTPS with custom CA bundle support, and color-coded terminal output.

Targets Centreon REST API authentication endpoint
Single-user and multi-user wordlist modes
HTTPS support with optional SSL verification bypass
Custom CA bundle support for internal PKI environments
Colored output with token display on success
Clean argparse CLI — production-ready interface

Phishing Simulator (Rust)

Custom build — Social engineering training tool

A phishing simulation tool written in Rust — a compiled, memory-safe systems language chosen deliberately for performance and reliability. Built for controlled security awareness training engagements, allowing teams to test and measure their organization's susceptibility to phishing attacks in a safe environment.

Written in Rust for performance and memory safety
Designed for authorized security awareness campaigns
Simulates realistic phishing scenarios for training
Demonstrates depth across compiled and scripted languages
overwatch.sh — Connection monitoring and alert logic (excerpt, bash)
# Capture all established external connections
watchE=$(ss -tuepn | cut -d ":" -f 2,4 \
  | sed -e 's/://g' -e 's/*//g' \
  | cut -d " " -f 1 | sort -nr)

# WHOIS lookup on every connected IP
for ip in $(cat .who.txt); do
  whois $ip | grep "address\|country" \
    | sort -u >> .whois.txt
done

# Alert on new established connections (size increase = new connection).
# In the full script this is an elif branch after the listening-port check;
# shown as a standalone if so the excerpt is self-contained.
if [[ ! -z $(diff <(echo $watchE) <(cat .EstaP.log)) \
  && $(echo $LEV) -gt $(echo $LEF) ]]
then
  echo -n $bodyE "________" $wth \
    | mail -s "Starry, New Connection is just Established!" "$email"
fi

What this demonstrates

These projects were built from first principles rather than by assembling existing tools. They include a Bash-based intrusion detection system, an SMTP email verifier that works directly from the protocol, a brute-force testing utility built from API documentation, and a phishing simulation platform written in a compiled systems language.

Together, they demonstrate an approach centered on understanding how systems work internally and building the right solution for the problem at hand.

What this work represents

Every project on this page exists because of a real operational need. When an existing solution was unavailable, unsuitable, or too limited, I built one instead. The agentic email system, for example, was developed before today's frameworks made similar workflows commonplace. The security tools were created to solve practical problems encountered during research and live engagements.

For me, engineering begins with understanding the system itself. Technologies and programming languages change over time, but the process remains consistent: identify the problem, study it thoroughly, and design a solution that addresses it with precision.

All of this work was completed independently, remotely, and delivered in production environments. That has been the common thread throughout more than two decades of hands-on technical work.
