United States
I am a blue-team-focused security engineer who likes the hard problems: noisy telemetry, unclear signals, and figuring out how to turn all of that into high-value detections and faster response. Day to day, my work revolves around detection engineering, threat hunting, and security platform administration. I build and tune detections in tools like Azure Sentinel and Elastic, act as a CrowdStrike and endpoint platform SME, and partner closely with SOC, CTI, and engineering teams to improve signal quality, reduce false positives, and close real coverage gaps mapped to MITRE ATT&CK.

My path into cybersecurity has not been linear. I started in retail and hands-on repair work, moved through wind and nuclear energy and entry-level IT, and grew into security roles without relying on a traditional degree. That experience taught me how to learn quickly, adapt to new environments, and stay grounded in how technology and security decisions actually affect people. I am now completing a BS in Cybersecurity and Information Assurance to formalize what I have learned on the job.

I enjoy owning problems end to end. That means taking a threat scenario or noisy alert queue, designing or improving detections, documenting the logic and playbooks so others can use them, and mentoring analysts so the whole team levels up. When I find myself doing the same task multiple times, I look for a way to script it, automate it, or at least document it clearly so it becomes a repeatable process.

Technically, I am strongest in cloud and endpoint detection and response, SIEM and EDR tuning, KQL and log analysis, and platform work around Azure, Elastic, CrowdStrike, and Microsoft Defender. I am comfortable working across teams, translating between engineers, analysts, and leadership, and backing decisions with data rather than just intuition.
Looking ahead, I am interested in senior and lead roles in detection and response, cyber defense engineering, and security platform ownership where I can keep my hands on the keyboard while also helping to shape strategy, mentor others, and build programs that make security teams more effective over time. If that sounds like the kind of person you are looking for, I am always open to a conversation.
• Designed and maintained Azure-focused detections for identity and device abuse (e.g., anomalous sign-ins, token/PRT misuse patterns, risky device behavior) using KQL across Entra ID/Azure AD, Defender, and Log Analytics telemetry.
• Rebuilt identity detections into layered correlation logic across cloud identity, device, and endpoint signals to improve coverage, reduce noise, and better align with SOC triage workflows.
• Partnered with Threat Intelligence, SOC, and IR to translate active campaigns into detection use cases; mapped behaviors to MITRE ATT&CK and documented assumptions, data sources, and tuning decisions.
• Validated detection performance through deep-dive analysis across Azure and Elastic datasets; tuned thresholds, exclusions, and correlation windows prior to production promotion.
• Authored operational “wiki-style” detection documentation (threat behavior, query logic, false-positive drivers, triage steps, response guidance) to standardize investigations and accelerate analyst onboarding.
• Contributed to improving the Amex MITRE ATT&CK coverage repository by filling in missing techniques, clarifying cloud-specific behaviors for Azure and GCP, and adding links to training, research, and sandbox resources for analysts.
• Built reusable investigation assets (KQL/CQL queries, dashboards, and runbooks) to convert one-off investigations into repeatable workflows and reduce time-to-root-cause.
• Developed hardening guidance and best-practice standards for identity and endpoint telemetry readiness (logging baselines, alerting prerequisites, and security control configuration recommendations).
• Evaluated and piloted security use cases for AI-assisted triage and detection tuning, focusing on repeatable enrichment, summarization, and analyst workflow acceleration while accounting for privacy and risk constraints.
• Owned the CrowdStrike Falcon platform for a global environment, driving policy design, module configuration, integrations, and continuous tuning to balance fidelity, performance, and coverage.
• Led Falcon Complete onboarding and operationalization, coordinating cross-functional stakeholders on scope, escalation paths, testing, and handoff to ensure reliable incident response readiness.
• Executed multi-module tuning initiatives using alert analytics, SOC feedback, and threat intelligence to reduce noise while maintaining detection value and response speed.
• Produced enablement content (runbooks, FAQs, training guides) to ensure analysts and IT partners could interpret telemetry accurately and respond consistently.
• Integrated threat intelligence and IOC workflows to support targeted hunting and faster response to emerging campaigns through collaboration with Anomali and internal CTI.
• Supported major incident response by coordinating evidence collection, assisting scoping and containment, and translating lessons learned into improved detections, policies, and playbooks.
• Authored security hardening guidelines and implementation best practices for endpoint controls and security tooling configuration to improve prevention and reduce operational risk.
• Performed endpoint and log investigations during and after incidents to reconstruct attack paths, validate containment, and feed lessons learned into tuning, policies, and new detections.
• Evaluated and tested AI-assisted approaches for triage, enrichment, and workflow automation to improve analyst efficiency and consistency, while maintaining appropriate controls and governance.
• Led and coached a small team of repair technicians on troubleshooting standards and customer service communication, improving repair quality and service scores.
• Handled complex technical and escalated customer cases with minimal guidance, protecting store reputation and resolving issues efficiently.
• Trained new hires on tools, processes, privacy, and data handling best practices, reinforcing secure handling of customer devices.
• Conducted proactive threat hunts across client endpoints, network data, and server logs, identifying stealthy or emerging threats that bypassed existing alert rules.
• Developed and refined hunting hypotheses using CTI, IOC feeds, and client risk profiles, focusing efforts on the most relevant attacker behaviors.
• Performed IOC and behavioral analysis using SIEM, EDR, WHOIS, VirusTotal, and other OSINT tools, enriching client detections and blocklists with newly identified indicators.
• Investigated security incidents from initial alert through root cause, delivering detailed reports with remediation recommendations tailored to each client environment.
• Collaborated with vulnerability management and incident response stakeholders, sharing findings that informed patching priorities, logging improvements, and new monitoring use cases.
• Supported a CrowdStrike Falcon proof of concept and deployment, helping prepare endpoints, refine policies, and align global stakeholders on rollout strategy and security objectives.
• Worked with security architects to assess application and infrastructure risk, recommending hardened configurations and secure profiles using tools such as Microsoft Threat Modeler.
• Led secure profile development as a project, coordinating requirements, approvals, and timelines across local and global teams to enforce consistent security baselines.
• Created Power BI dashboards and security reporting for leadership, increasing transparency into control coverage, vulnerabilities, and project progress.
• Contributed to internal phishing campaigns and security awareness content, helping improve user behavior and reduce susceptibility to email-borne threats.