From SQL Recon to ATT&CK: Building Database-Aware Deception Telemetry for MySQL and PostgreSQL: Demo

Database-Aware Deception & MITRE ATT&CK Mapping | Project Demo This video demonstrates a database-aware deception pipeline that monitors SQL activity in MySQL and PostgreSQL using protocol-aware proxies. Instead of treating SQL queries as ordinary database logs, the system analyzes them as attacker behavior, maps suspicious activity to the MITRE ATT&CK framework, and generates risk-based security telemetry. The demo showcases how SQL queries are captured before reaching the backend database, processed through a Kafka-compatible event pipeline, evaluated using rule-based detections, and summarized into both event-level and session-level evidence. What you'll see in this demo MySQL and PostgreSQL proxy-based monitoring SQL query interception and normalization Kafka (Redpanda) telemetry pipeline MITRE ATT&CK event generation Session-based risk scoring Table enumeration detection Account and permission discovery detection Multi-statement SQL analysis SQL parser safety validation Honeytoken (trap-table) detection Critical risk classification and session summaries One of the highlights of the project is the detection of access attempts to a honeytoken table (`api_keys_backup`). Even though the table does not exist in the backend database, the proxy captures the request, identifies it as suspicious, and generates a MITRE ATT&CK-aligned critical security event, demonstrating how attacker intent can be detected independently of backend execution. Technologies Used MySQL PostgreSQL Docker Compose Redpanda (Kafka) Redis Python MITRE ATT&CK Framework Prometheus Grafana Loki This project was developed as part of research into database-aware deception, protocol-level telemetry, and attacker behavior analysis. If you found this project interesting, consider liking the video, sharing it, and subscribing for more content on cybersecurity, database security, system design, and backend engineering. #CyberSecurity #DatabaseSecurity #MITREATTACK #MySQL #PostgreSQL #Kafka #Redpanda #Docker #ThreatDetection #DeceptionTechnology #BlueTeam #SOC #Python #InformationSecurity