Adrian Tanase

SOC Analyst
Threat Detection & Response
SIEM & Log Analysis
┌──(adrian㉿kali)-[~]
└─$ sudo python3 incident_response.py
[*] Incident detected: Unauthorized access attempts
[*] Identifying affected host...
[!] Host: ubuntu-server-01
[*] Analyzing attack pattern...
[!] Brute-force attack confirmed
[*] Containment in progress...
[+] Attacker IP blocked
[+] System secured and monitored
┌──(adrian㉿kali)-[~]
└─$

Let Me Introduce Myself

My path into cybersecurity didn’t start in a classroom — it started in real-world pressure. While working with clients’ websites and servers, I was repeatedly exposed to attacks: suspicious traffic, login attempts, performance anomalies, and exploitation attempts. I wasn’t just observing threats — I had to deal with them.

That experience pushed me to go deeper. I became increasingly focused on understanding how attacks work, how they show up in logs, and how to detect them early. What started as a necessity quickly turned into a genuine interest in defensive security and protecting systems.

Today, I focus on building hands-on SOC skills, including log analysis, threat detection, alert triage, incident investigation, network traffic analysis, and basic containment workflows. I enjoy working with SIEM platforms, especially Splunk and Wazuh, where I simulate real attacks, create detection logic, and analyze security events end-to-end.

My core interests are in Security Operations (SOC), detection engineering, SIEM tuning, network visibility, and threat analysis. I’m particularly interested in understanding attacker behavior and improving detection accuracy through correlation and context.

I continue to build practical experience through hands-on labs, real attack simulations, and platforms like TryHackMe and Hack The Box, always focusing on how detection, analysis, and response come together in real-world environments.

SOC Projects

SPLUNK LIVE DETECTION
Windows Security - Splunk - Detection Engineering
Windows AD Attack & Lateral Movement Detection

Built a realistic Windows Active Directory attack simulation lab using Kali Linux, Windows 10, Sysmon, and Splunk Enterprise to investigate SMB authentication attacks, remote execution, and lateral movement activity.

Simulated password spraying, SMB authentication abuse, CrackMapExec remote execution, and encoded PowerShell execution to generate realistic attacker telemetry commonly observed during enterprise intrusions and ransomware operations.

Developed detection logic and threat hunting queries using Splunk SPL and Sysmon telemetry to identify suspicious parent-child process relationships, NTLM authentication activity, PowerShell abuse, and service-based lateral movement associated with tools such as PsExec, Impacket, and CrackMapExec.

Splunk, Sysmon, Windows 10, Kali Linux, Active Directory, CrackMapExec, PowerShell, Threat Hunting, Detection Engineering, MITRE ATT&CK, Lateral Movement, SIEM
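The parent-child and encoded-PowerShell checks described above, expressed as an added Python example (not the lab's own Splunk SPL queries). It assumes Sysmon Event ID 1 records have already been parsed into dicts carrying the standard field names (ParentImage, Image, CommandLine, User, Computer); the sample events and the hypothetical host name WS01 are constructed for illustration.

```python
"""Detection logic over constructed Sysmon-style process-creation events.

Added example, not code from the lab above. Assumes each event is a dict
with the Sysmon Event ID 1 field names. The sample events are constructed.
"""
import base64
import re

# Parent/child pairs typical of service-based remote execution: a command
# shell or PowerShell launched directly by the Service Control Manager or the
# WMI provider host is how PsExec-style and Impacket-style execution shows up
# in Sysmon telemetry. Legitimate software rarely produces these pairs.
SUSPICIOUS_PARENT_CHILD = {
    ("services.exe", "cmd.exe"),
    ("services.exe", "powershell.exe"),
    ("wmiprvse.exe", "cmd.exe"),
    ("wmiprvse.exe", "powershell.exe"),
}

# powershell.exe accepts -EncodedCommand and its common short forms (-e, -ec,
# -enc); the argument is base64 of a UTF-16LE string.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> list:
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if (parent, child) in SUSPICIOUS_PARENT_CHILD:
        findings.append(f"service-spawned shell: {parent} -> {child} ({ev.get('User', '?')})")
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    if decoded is not None:
        findings.append(f"encoded PowerShell: {decoded.strip()}")
    return findings


def hunt(events) -> list:
    """Run analyze_event over all events; return (Computer, finding) pairs."""
    return [(ev["Computer"], f) for ev in events for f in analyze_event(ev)]


# Constructed sample telemetry (hypothetical host WS01). The base64 string is
# the UTF-16LE encoding of the harmless command "whoami".
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\svc-backup",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami"},
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"},
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"[!] {host}: {finding}")
```

Decoding the encoded command rather than only flagging the switch is what turns a noisy alert into a triageable one: the analyst sees the actual script content in the finding.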
SPLUNK DETECTION ENGINEERING
SOC Project - SIEM - Detection Engineering
SSH Brute Force Detection Lab – Splunk SIEM

Built a complete SOC-style detection pipeline to identify and respond to SSH brute-force attacks using Splunk SIEM. Simulated attacks with Hydra from Kali Linux, generating real authentication logs on an Ubuntu system.

Implemented full log ingestion, field extraction, and detection logic using SPL, including threshold-based alerting for repeated failed login attempts. Developed dashboards to visualize attack patterns over time and identify top attacking IPs.

Completed the detection lifecycle with basic incident response by blocking malicious IPs and validating containment effectiveness.

Splunk, Ubuntu, Kali Linux, Hydra, SPL, Log Analysis, Detection Engineering, Brute Force, Incident Response
WAZUH AUTOMATION
SOC Project - SIEM - IDS - Automation
SSH Brute Force Detection & Response - Wazuh SIEM

Designed and deployed a multi-host SOC lab integrating Wazuh SIEM and Suricata IDS for centralized detection and correlation. Configured log collection across Linux and Windows endpoints and integrated IDS alerts into SIEM workflows.

Simulated SSH brute-force attacks using Hydra and developed custom correlation rules based on frequency, timeframe, and source IP behavior. Implemented active response to automatically block attacker IPs using firewall rules.

Troubleshot real-world issues including agent communication failures, rule misconfigurations, and response execution errors—mirroring operational SOC environments.

Wazuh, Suricata, Ubuntu, Windows, Kali Linux, IDS, SIEM, Active Response, iptables, Threat Detection
DDOS DETECTION ENGINEERING
SOC Project - DoS Detection - Correlation
DoS Attack Detection & Response – Suricata + Wazuh

Developed a multi-stage detection model to identify HTTP flood (DoS) attacks using Suricata and Wazuh. Built correlation rules to detect abnormal request rates from a single source, reducing false positives and improving signal accuracy.

Validated attacks across multiple layers: network traffic (Suricata logs), SIEM correlation alerts, and host-level evidence using system tools. Implemented automated response to block attackers via firewall rules and verified containment effectiveness.

Focused on end-to-end SOC workflow including detection tuning, investigation, validation, and response automation.

Suricata, Wazuh, DoS, Detection Engineering, Correlation Rules, MITRE T1498, iptables, Threat Analysis
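The three labs above (SSH brute-force detection in Splunk, SSH brute-force correlation in Wazuh, and HTTP-flood detection with Suricata and Wazuh) all rest on the same rule shape: count events per source IP inside a time window and alert when a threshold is crossed, then feed the source into a firewall block. The added Python example below implements that shape over constructed sshd and web-server log lines; it is not the SPL or Wazuh rule content from the labs, and the threshold values, the assumed log year (2024) and the sample IPs are illustrative assumptions. The active-response step only builds the iptables argument list rather than running it.

```python
"""Threshold-based per-source detection over constructed log lines.

Added example, not the Splunk SPL or Wazuh rules from the labs. Parses two
log formats into (timestamp, source_ip) events and applies one sliding-window
counter to both. All log lines below are constructed samples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd line in syslog format (auth.log); syslog omits the year, so one is assumed.
ASSUMED_YEAR = "2024"
SSHD_FAIL = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+"
)
# Apache/Nginx combined-log style request line.
HTTP_REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_sshd_failure(line: str):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)


def parse_http_request(line: str):
    """Return (timestamp, client_ip) for an access-log line, else None."""
    m = HTTP_REQ.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group(1)


def sliding_window_offenders(events, threshold: int, window_seconds: int) -> dict:
    """Per source, keep timestamps inside the trailing window; record the first
    moment the count reaches the threshold. Returns {source: (burst_start, count)}."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in offenders:
            offenders[src] = (q[0], len(q))
    return offenders


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60) -> dict:
    events = [e for e in map(parse_sshd_failure, lines) if e]
    return sliding_window_offenders(events, threshold, window_seconds)


def detect_http_flood(lines, threshold=10, window_seconds=10) -> dict:
    events = [e for e in map(parse_http_request, lines) if e]
    return sliding_window_offenders(events, threshold, window_seconds)


def block_command(ip: str) -> list:
    """Active-response step as an argv list (dry run; nothing is executed here)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


# Constructed auth.log sample: six failures from one source in nine seconds,
# one failure and one success from another.
SSH_LINES = [
    f"Mar 14 10:02:{s:02d} ubuntu-server-01 sshd[21{s:02d}]: Failed password for "
    f"{user} from 192.0.2.10 port 51{s:03d} ssh2"
    for s, user in [(1, "invalid user admin"), (3, "root"), (4, "root"),
                    (6, "invalid user test"), (7, "root"), (9, "root")]
] + [
    "Mar 14 10:02:15 ubuntu-server-01 sshd[2140]: Failed password for adrian from 198.51.100.7 port 40022 ssh2",
    "Mar 14 10:02:20 ubuntu-server-01 sshd[2140]: Accepted password for adrian from 198.51.100.7 port 40022 ssh2",
]

# Constructed access-log sample: twelve requests in twelve seconds from one
# client, two from another.
HTTP_LINES = [
    f'198.51.100.7 - - [14/Mar/2024:10:05:{i:02d} +0000] "GET / HTTP/1.1" 200 512'
    for i in range(12)
] + [
    '203.0.113.5 - - [14/Mar/2024:10:05:03 +0000] "GET /about HTTP/1.1" 200 2048',
    '203.0.113.5 - - [14/Mar/2024:10:05:09 +0000] "GET /contact HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, (start, n) in detect_ssh_bruteforce(SSH_LINES).items():
        print(f"[!] SSH brute force from {ip}: {n} failures since {start}; {' '.join(block_command(ip))}")
    for ip, (start, n) in detect_http_flood(HTTP_LINES).items():
        print(f"[!] HTTP flood from {ip}: {n} requests since {start}; {' '.join(block_command(ip))}")
```

Recording only the first crossing per source is the same de-duplication a SIEM rule needs so that one burst produces one alert instead of one per subsequent event; a sliding window rather than fixed buckets avoids missing a burst that straddles a bucket boundary.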
PHISHING ANALYSIS
SOC Lab - Phishing - Threat Analysis
Phishing Attack Detection Lab – Behavior-Based Analysis

Simulated a phishing attack using the Social-Engineer Toolkit (SET), including credential harvesting via a spoofed login page. Focused on detecting attacker behavior rather than relying solely on signatures.

Developed custom Wazuh rules to identify suspicious HTTP activity, credential submission patterns, and abnormal server responses. Integrated Suricata for network-level visibility and alert correlation.

Demonstrates practical SOC investigation workflow including detection, analysis of attacker behavior, and improved visibility into phishing-based threats.

Wazuh, Suricata, Phishing, SET Toolkit, Threat Detection, Behavior Analysis, HTTP Monitoring, Incident Response

Traffic Analysis

PCAP ANALYSIS
Malware Analysis - PCAP - Network Forensics
IcedID Malware Infection – PCAP Investigation

Conducted network forensic analysis on a PCAP file identifying a multi-stage malware infection involving IcedID (Bokbot) and Trickbot.

Observed a compromised Windows host downloading malicious payloads disguised as legitimate files over HTTP. Identified suspicious external IP communication and reconstructed infection flow from initial download to command-and-control (C2) activity.

Detected beaconing behavior and analyzed outbound traffic patterns to confirm active malware communication.

Wireshark, PCAP Analysis, IcedID, Trickbot, C2 Detection, Network Forensics, HTTP Analysis
PCAP ANALYSIS
Malware Analysis - RAT - Threat Investigation
NetSupport RAT Infection – PCAP Analysis

Investigated a NetSupport RAT infection through PCAP analysis, identifying the initial infection vector via a malicious website delivering a fake browser update (SmartApeSG campaign).

Traced post-infection activity including repeated outbound HTTP POST requests over TCP 443 to a known malicious C2 server. Correlated traffic patterns with known RAT behavior to confirm compromise.

Documented the full attack chain from initial access to command-and-control communication and produced structured SOC and incident reports.

Wireshark, NetSupport RAT, C2 Analysis, Threat Hunting, HTTP/TLS, Network Traffic Analysis, Incident Reporting
PCAP ANALYSIS
Malware Analysis - Behavioral Detection - PCAP
STRRAT Malware Detection – PCAP Investigation

Performed behavioral analysis of a suspected STRRAT (Java-based RAT) infection using PCAP data. Identified abnormal TLS communication patterns including high-frequency small packet transmissions and abrupt TCP resets.

Detected additional indicators such as unencrypted HTTP requests to geolocation services and lack of normal session termination behavior.

Confirmed active C2 communication through extracted payload data containing identifiable malware signatures, demonstrating advanced traffic inspection and attacker behavior analysis.

Wireshark, STRRAT, TLS Analysis, Behavioral Detection, C2 Traffic, Network Forensics, Threat Analysis
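The three PCAP investigations above each rely on traffic shape rather than content: the IcedID case on beaconing, the NetSupport case on repeated outbound requests to one server, and the STRRAT case on high-frequency small packets and abrupt TCP resets. The added Python example below turns those observations into per-flow metrics (interval regularity, median payload size, RST ratio) and scoring thresholds. It is not the Wireshark workflow from the reports; it assumes packets have already been exported from a capture as (time, src, dst, dst_port, payload_bytes, tcp_flags) tuples, and the packet summaries, IPs and thresholds are constructed assumptions.

```python
"""Beaconing and C2 traffic heuristics over constructed packet summaries.

Added example, not taken from the investigations above. Assumes packets are
tuples (time_seconds, src_ip, dst_ip, dst_port, payload_bytes, tcp_flags),
as one might export from a PCAP. All packets below are constructed.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def flows(packets) -> dict:
    """Group packets by (src, dst, dst_port), each list sorted by time."""
    grouped = defaultdict(list)
    for pkt in packets:
        grouped[(pkt[1], pkt[2], pkt[3])].append(pkt)
    return {k: sorted(v, key=lambda p: p[0]) for k, v in grouped.items()}


def flow_metrics(pkts) -> dict:
    """Timing and size statistics for one flow."""
    times = [p[0] for p in pkts]
    intervals = [b - a for a, b in zip(times, times[1:])]
    sizes = [p[4] for p in pkts]
    resets = sum(1 for p in pkts if "R" in p[5])
    # Coefficient of variation of inter-packet gaps: near 0 means clockwork timing.
    cv = None
    if len(intervals) >= 2 and mean(intervals) > 0:
        cv = pstdev(intervals) / mean(intervals)
    return {
        "count": len(pkts),
        "interval_cv": cv,
        "median_interval": median(intervals) if intervals else None,
        "median_payload": median(sizes),
        "reset_ratio": resets / len(pkts),
    }


def score_flow(m: dict, min_count=8, max_cv=0.2, small_payload=200, reset_ratio=0.3) -> list:
    """Return the reasons a flow looks like C2 traffic (empty list = nothing found)."""
    reasons = []
    if m["count"] >= min_count and m["interval_cv"] is not None and m["interval_cv"] <= max_cv:
        reasons.append(f"regular beacon interval (~{m['median_interval']:.1f}s, CV {m['interval_cv']:.2f})")
    if m["count"] >= min_count and m["median_payload"] <= small_payload:
        reasons.append(f"high-frequency small payloads (median {m['median_payload']:.0f} bytes)")
    if m["reset_ratio"] >= reset_ratio:
        reasons.append(f"abrupt session teardown ({m['reset_ratio']:.0%} of packets carry RST)")
    return reasons


def find_suspicious_flows(packets) -> dict:
    """Map each flagged flow key to its list of reasons."""
    result = {}
    for key, pkts in flows(packets).items():
        reasons = score_flow(flow_metrics(pkts))
        if reasons:
            result[key] = reasons
    return result


def _beacon(src, dst, port, start, gaps, payload, flags="PA"):
    """Build a flow whose packets are separated by the given gaps (sample data)."""
    pkts, t = [(start, src, dst, port, payload, flags)], start
    for gap in gaps:
        t += gap
        pkts.append((t, src, dst, port, payload, flags))
    return pkts


# Constructed sample capture: a ~60 s beacon with small jitter, an ordinary
# browsing session with irregular timing and full-size segments, and a chatty
# low-volume flow where every third packet is a reset.
SAMPLE_PACKETS = (
    _beacon("10.0.0.5", "203.0.113.44", 443, 1000.0,
            [60, 62, 58, 61, 59, 60, 61, 59, 60], payload=120)
    + [(t, "10.0.0.5", "198.51.100.20", 443, size, "PA")
       for t, size in zip([0, 0.2, 0.25, 3.1, 9.7, 9.8, 40.2, 41.0],
                          [517, 1460, 1460, 900, 1460, 300, 1460, 1200])]
    + [(2000 + 0.5 * i, "10.0.0.5", "192.0.2.99", 1780, 40, "R" if i % 3 == 2 else "PA")
       for i in range(12)]
)

if __name__ == "__main__":
    for (src, dst, port), reasons in find_suspicious_flows(SAMPLE_PACKETS).items():
        print(f"[!] {src} -> {dst}:{port}")
        for r in reasons:
            print(f"    - {r}")
```

Scoring on several independent features is what keeps a single regular-looking flow (a software update check, an NTP client) from becoming an alert on its own; in a real triage the flagged flows are then checked against the payloads and destinations the reports above describe.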

Resume

Want to know more about my experience, education, and certifications? Download my full resume - everything is in there.