diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
new file mode 100644
index 0000000..c56d296
Binary files /dev/null and b/DeepBlue.ps1 differ
diff --git a/regexes.txt b/regexes.txt
new file mode 100644
index 0000000..c06c663
--- /dev/null
+++ b/regexes.txt
@@ -0,0 +1,27 @@
+# DeepBlueCLI command regex CSV file
+# Include only regex CSV entries or comments beginning with "#"
+#
+# Format: Match type, regex, output string
+# Match types:
+# 0: Image Path - regex
+# 1: Service Name - regex
+#
+Type,regex,string
+0,^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$,Metasploit-style cmd with pipe (possible use of Meterpreter 'getsystem')
+0,^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$,Metasploit-style %SYSTEMROOT% image path (possible use of Metasploit 'Native upload' exploit payload)
+0,powershell.*FromBase64String.*IO.Compression.GzipStream,Metasploit-style base64 encoded/compressed PowerShell function (possible use of Metasploit PowerShell exploit payload)
+0,DownloadString\(.http,Download via Net.WebClient DownloadString
+0,mimikatz,Command referencing Mimikatz
+0,Invoke-Mimikatz.ps,PowerSploit Invoke-Mimikatz.ps1
+0,PowerSploit.*ps1,Use of PowerSploit
+0,User-Agent,User-Agent set via command line
+0,[a-zA-Z0-9/+=]{500},500+ consecutive Base64 characters
+0,powershell.exe.*Hidden.*Enc,Base64 encoded and hidden PowerShell command
+# Generic csc.exe alert, comment out if experiencing false positives
+0,\\csc\.exe,Use of C Sharp compiler csc.exe
+0,\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline,PSAttack-style command via csc.exe
+# Generic cvtres.exe alert, comment out if experiencing false positives
+0,\\cvtres\.exe.*,Resource File To COFF Object Conversion Utility cvtres.exe
+0,\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp,PSAttack-style command via cvtres.exe
+1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z]
+1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z]
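Review bot: The two service-name entries at the end of the hunk carry an unquoted comma in their third field (`... 22 characters, [A-Za-z]`), which splits the row into four columns under the three-column `Type,regex,string` format declared in the file header, so the output string is likely truncated or the row mis-parsed depending on how the loader reads it; quote the field, e.g. `1,^[a-zA-Z]{22}$,"Metasploit-style service name: 22 characters, [A-Za-z]"`, and likewise for the 16-character entry. The csc.exe and cvtres.exe PSAttack entries spell the same directory as `\\Appdata\\Local\\Temp` and `\\AppData\\Local\\Temp`; this only matters if the consumer matches case-sensitively, which cannot be confirmed here because DeepBlue.ps1 is added as a binary blob, but making the two consistent removes the doubt. The `mimikatz`, `User-Agent` and `PowerSploit.*ps1` entries are unanchored substring matches and will fire on any command line containing the token, so a `# Generic ... alert, comment out if experiencing false positives` comment like the ones already on the csc.exe and cvtres.exe entries would set expectations for operators tuning the list.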
diff --git a/whitelist.txt b/whitelist.txt
new file mode 100644
index 0000000..1707c21
--- /dev/null
+++ b/whitelist.txt
@@ -0,0 +1,9 @@
+# DeepBlueCLI command whitelist
+# Currently: one entry (regex) per line
+# Read as a CSV file for future growth (may want to add options to each entry)
+#
+# Include only regex CSV entries, or comments beginning with "#"
+#
+regex
+^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
+^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
\ No newline at end of file
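Review bot: Both whitelist entries begin with a literal `"` immediately after the `^` anchor while the header says the file is "Read as a CSV file"; a CSV reader may treat that quote as the opening of a quoted field rather than as regex text, so either the whole value should be quoted as a CSV field or the loader should read it line by line as the `# Currently: one entry (regex) per line` comment suggests — which one applies cannot be confirmed from this hunk because DeepBlue.ps1 is committed as a binary blob. The anchored, dot-escaped full paths are the right shape for a whitelist, since a prefix match on a complete quoted path is much harder to satisfy by accident than a bare executable name; a comment such as `# Entries are regexes matched against the start of the command line; the surrounding quotes are part of the match` would make that explicit for anyone adding entries. A whitelist hit presumably suppresses every regex alert for that command line, including the argument-based ones in regexes.txt, so new entries should stay as specific as these two.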