From 5da4d1ce41c03907e5634a7ff2814ed3aa0b3d80 Mon Sep 17 00:00:00 2001 From: Joseph Goydish II Date: Wed, 10 Dec 2025 18:12:11 -0500 Subject: [PATCH] Enhance README with purpose and usage instructions Added purpose and intended use sections to README. --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..6dfb028 --- /dev/null +++ b/README.md @@ -0,0 +1,15 @@ +# ShadowShells | Observed Indicators (Confirmed Malicious) + +## Purpose +This package contains **sanitized traces and echoes** of observed entities | domains, UUIDs, processes, and signature strings | directly linked to confirmed command-and-control activity. + +All data here is **metadata only**. No raw logs, PCAPs, or sensitive artifacts are included. ShadowShells acts as a **watchtower**, cataloging and guiding detection of hostile infrastructure. + +## Intended Use +- Ingest `iocs.csv` into monitoring tooling, SIEM rules, DNS tracking, or threat-hunting routines. +- Apply `blocklist.txt` for defensive blocking or sinkholing. +- Consult `key_hits.txt` to track behaviors or patterns: shell anomalies, proxy/tunnel strings, beacon pulses. + + +## License +**Defensive use only. Provided as-is. No warranty.**
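Review bot: The Intended Use bullets name `iocs.csv`, `blocklist.txt` and `key_hits.txt`, but the diffstat lists README.md as the only file in this commit and the README gives no format for any of them. Please say under Intended Use what each file contains: the columns of `iocs.csv`, whether `blocklist.txt` is one entry per line and which indicator types it mixes, and how `key_hits.txt` strings are meant to be matched. Without that, a consumer cannot map the data to SIEM or DNS rules without guessing. Since the heading claims "Confirmed Malicious", it would also help to state how an entry is confirmed and whether entries carry an observation date, so stale indicators can be aged out of blocklists. Two smaller points: the subject says "Enhance README" while the diff is `new file mode 100644`, so "Add README" would describe it more accurately, and the License section's "Defensive use only. Provided as-is. No warranty." is a usage statement rather than license terms; consider adding a LICENSE file and referencing it here.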