Threat hunting and incident handling. I dig through raw telemetry to find what automated tools miss, handle incidents from triage to resolution, and build the platforms that make security operations actually work. Currently at Secnap Network Security.
Hypothesis-driven hunts across endpoint, cloud, and identity environments. Digging through raw EDR telemetry to surface threats that automated tools don't catch.
Triage, investigation, containment, and escalation. Working incidents from first alert to resolution, including direct customer communication during declared incidents.
Built the SOC dashboard, workflow system, and response processes from the ground up. Keeping the operation running and making it better every day.
Caught a ClickFix attack through callstack analysis. Explorer.exe with shell32.dll was spawning untrusted processes. Stopped it before NetSupport RAT could deploy.
Found a threat actor sitting in a customer's VPN for two months, undetected, running AD brute force. Built a recurring hunt to cover the gap.