Back to portfolio
Specialized Expertise
6+ YRS · L1/L2/L3

SOC Operations

6+ years managing L1/L2/L3 SOC operations for numerous clients, detecting and responding to advanced threats in real-time.

What I deliver

  • 24x7 monitoring, triage & escalation
  • Use-case engineering & SIEM tuning
  • Threat hunting with MITRE ATT&CK mapping
  • Playbook design and SOAR automation
⟩ real-world projects

Selected engagements

Sanitized highlights from real client work — approach, the bug we found, and the fix shipped. Names redacted under NDA.

01

Built greenfield 24x7 SOC for MENA bank — 120+ Sigma detections, MTTD reduced 8h → 11min

02

Splunk-to-Sentinel migration for SaaS enterprise — 2.4 TB/day pipeline, parser rebuild, zero detection regression

03

Threat hunting engagement uncovered dormant Cobalt Strike beacon active 47 days — full IR & eradication

04

SOAR automation for tier-1 retail — 70% of phishing tickets auto-triaged via TheHive + Cortex

⟩ common vulnerabilities & how I find them

Top bugs I hunt — and the steps

The recurring weaknesses I see in this domain, with the repeatable workflow I run from discovery to fix.

01

Detection Gap — Living off the Land

High
  1. STEP 1Inventory current detections vs MITRE ATT&CK matrix
  2. STEP 2Hunt powershell.exe, rundll32, mshta, certutil for anomalous parents
  3. STEP 3Author Sigma rules + validate with Atomic Red Team
  4. STEP 4Tune false positives and ship to production SIEM
02

Log Source Blind Spots

High
  1. STEP 1Map crown-jewel assets to required telemetry (EDR, DNS, proxy, auth)
  2. STEP 2Identify missing or sampled log sources
  3. STEP 3Onboard via Universal Forwarder / connectors with parser validation
  4. STEP 4Add daily health alerts for log volume anomalies
03

Alert Fatigue / Noise

Medium
  1. STEP 1Pull 90-day alert metrics — close-rate, TP/FP ratio per rule
  2. STEP 2Re-baseline high-noise rules with allow-lists + thresholds
  3. STEP 3Cluster duplicates into single incidents via SOAR
  4. STEP 4Decommission rules with 0% TP over 60 days
⟩ arsenal

Tools & frameworks

Splunk
SIEM Platform
QRadar
SIEM Platform
Sentinel
Cloud SIEM
Wazuh
Open-Source XDR
ELK
Log Analytics
Graylog
Log Management
TheHive
Case Management
Cortex
Observable Analysis
MISP
Threat Intel Sharing
Sigma
Detection Rules
Suricata
IDS/IPS
Zeek
Network Monitor
Snort
IDS Engine
Osquery
Endpoint Visibility
Velociraptor
DFIR Platform
Chronicle
Cloud SIEM
⟩ engage

Need soc operations expertise?

Get in touch
⟩ related

More in Specialized Expertise