Hi, I'm
SOC Analyst | Detection Engineering | Threat Hunting
I specialize in Security Operations, with a focus on Detection Engineering and Threat Hunting. Backed by a strong analytical foundation in mathematics, I don't just respond to alerts; I deconstruct them. My approach centers on understanding system behavior at a granular level, allowing me to identify the subtle patterns that differentiate a false positive from a critical breach.
Using SIEM and EDR platforms, I translate complex environment activity into actionable intelligence for rapid incident response. For me, effective SOC work isn’t just about clearing a queue; it’s about precision, context, and the continuous improvement of detection quality to eliminate noise and surface real-world attack scenarios. I am driven by a curiosity for attacker tradecraft and a commitment to maintaining resilient, well-monitored environments.
The Mission: To master the "Detection Lifecycle" by simulating real-world attacker workflows and building high-fidelity detection logic.
The Technicals: Instrumented a Windows 10 Pro environment with Sysmon to capture granular telemetry. Emulated LSASS credential dumping and PowerShell download cradles using Atomic Red Team.
The Analytical Edge: Reconstructed "Living off the Land" (LotL) execution chains (cmd.exe → powershell.exe → rundll32.exe). Authored custom Sigma rules to detect these patterns, moving beyond static IoCs to behavioral-based alerting verified via Hayabusa.
The Mission: Standardized security logic across diverse operating systems to solve the challenge of fragmented telemetry in a modern SIEM.
The Technicals: Developed a centralized repository of platform-agnostic Sigma rules and automated their transpilation into production-ready Wazuh (XML) detections.
The Analytical Edge: Focused on reducing alert fatigue by refining rule logic for SSH brute-force, Sudo abuse, and scheduled task creation. Validated the pipeline using wazuh-logtest to ensure 100% trigger accuracy before deployment.
The Mission: Conducted a multi-stage attack simulation; from initial access to privilege escalation; to practice full-spectrum incident triage.
The Technicals: Correlated auth.log and Linux Auditd telemetry within Wazuh to detect SSH brute-forcing (T1110) and sensitive file access (T1005).
The Analytical Edge: Solved a critical visibility gap by engineering a custom
The Mission: Architected a lightweight, high-performance monitoring stack (Promtail, Loki, Grafana) to centralize Linux authentication telemetry.
The Technicals: Configured Promtail for log scraping and Loki for metadata-indexed storage, creating a scalable alternative to traditional heavyweight SIEMs.
The Analytical Edge: Developed advanced LogQL queries to visualize brute-force patterns and anomalous sudo spikes in real-time. This project demonstrated the "Collect → Aggregate → Analyze" lifecycle, transforming raw /var/log/auth.log data into actionable SOC dashboards.