Security Engineer · Detection & Agentic Automation
I build security systems, and the AI agents that run inside them.
Not dashboards and tickets. Pipelines, playbooks, and agents that do the work, documented so you can see how.
01 — Selected Work
Systems I built end to end. Each one is a writeup: the gap, the design, what it actually does.
01 Agentic SOC Alert Enrichment (building)
An agent that gathers an analyst's context from three security tools and attaches it to the alert before a human opens it.
Copilot Studio · MCP · Microsoft Sentinel · Microsoft Defender · CrowdStrike Falcon · Python

02 Sigma to LEQL Detection Pipeline (shipped)
A pipeline that converts community Sigma rules into Rapid7 InsightIDR's LEQL so detections aren't written twice.
Python · Sigma · Rapid7 InsightIDR · LEQL

03 IOC Enrichment CLI (shipped)
A command-line tool that enriches indicators across four threat-intel sources and keeps a local history so you never look the same one up twice.
Python · VirusTotal · Shodan · AbuseIPDB · SQLite

04 SOAR Incident Response Playbook (shipped)
An automated IR playbook that takes a phishing report from alert to triaged in one flow instead of a dozen manual steps.
SOAR · Proofpoint · Microsoft Defender · Automation

02 — Approach
I work the way detection engineering should: start from the adversary behavior, not the alert. I map what I'm defending against to MITRE ATT&CK, write the detection or the automation to close that specific gap, then prove it fires on the thing it was built for and stays quiet otherwise.
Lately that means handing the repetitive parts to agents. An LLM wired into the SOC's real tools, through MCP, can pull the context an analyst would gather by hand and attach it to the alert before a human ever opens it. The interesting engineering is the plumbing and the guardrails, not the model.
Everything here ships with a writeup, because a detection you can't explain is a detection nobody trusts.