Firewall telemetry collection and SQLite-based analysis workflow for reviewing blocked traffic, persistent inbound activity, rule matches, and defensive monitoring patterns.
Updated
Apr 9, 2026 - Python
This case study examined a forged TCP SYN packet using a spoofed internal IP address as its source. The attacker did not attempt to complete a session or deliver a payload — instead, they employed identity deception at the IP layer, crafting traffic designed to resemble trusted internal communication.