⟩ Specialized Expertise
6+ YRS · L1/L2/L3
SOC Operations
6+ years managing L1/L2/L3 SOC operations for numerous clients, detecting and responding to advanced threats in real-time.
What I deliver
- 24x7 monitoring, triage & escalation
- Use-case engineering & SIEM tuning
- Threat hunting with MITRE ATT&CK mapping
- Playbook design and SOAR automation
⟩ real-world projects
Selected engagements
Sanitized highlights from real client work — approach, the bug we found, and the fix shipped. Names redacted under NDA.
01
Built greenfield 24x7 SOC for MENA bank — 120+ Sigma detections, MTTD reduced 8h → 11min
02
Splunk-to-Sentinel migration for SaaS enterprise — 2.4 TB/day pipeline, parser rebuild, zero detection regression
03
Threat hunting engagement uncovered dormant Cobalt Strike beacon active 47 days — full IR & eradication
04
SOAR automation for tier-1 retail — 70% of phishing tickets auto-triaged via TheHive + Cortex
⟩ common vulnerabilities & how I find them
Top bugs I hunt — and the steps
The recurring weaknesses I see in this domain, with the repeatable workflow I run from discovery to fix.
01
HighDetection Gap — Living off the Land
- STEP 1Inventory current detections vs MITRE ATT&CK matrix
- STEP 2Hunt powershell.exe, rundll32, mshta, certutil for anomalous parents
- STEP 3Author Sigma rules + validate with Atomic Red Team
- STEP 4Tune false positives and ship to production SIEM
02
HighLog Source Blind Spots
- STEP 1Map crown-jewel assets to required telemetry (EDR, DNS, proxy, auth)
- STEP 2Identify missing or sampled log sources
- STEP 3Onboard via Universal Forwarder / connectors with parser validation
- STEP 4Add daily health alerts for log volume anomalies
03
MediumAlert Fatigue / Noise
- STEP 1Pull 90-day alert metrics — close-rate, TP/FP ratio per rule
- STEP 2Re-baseline high-noise rules with allow-lists + thresholds
- STEP 3Cluster duplicates into single incidents via SOAR
- STEP 4Decommission rules with 0% TP over 60 days
⟩ arsenal
Tools & frameworks
Splunk
SIEM Platform
QRadar
SIEM Platform
Sentinel
Cloud SIEM
Wazuh
Open-Source XDR
ELK
Log Analytics
Graylog
Log Management
TheHive
Case Management
Cortex
Observable Analysis
MISP
Threat Intel Sharing
Sigma
Detection Rules
Suricata
IDS/IPS
Zeek
Network Monitor
Snort
IDS Engine
Osquery
Endpoint Visibility
Velociraptor
DFIR Platform
Chronicle
Cloud SIEM
⟩ engage
Need soc operations expertise?
⟩ related
More in Specialized Expertise
VAPT & WAPT
6+ years leading 100+ real-world projects, identifying critical vulnerabilities in complex enterprise networks and web applications.
AI & GenAI Security
6+ years pioneering AI/GenAI security assessments, uncovering novel vulnerabilities in LLMs and securing AI-driven architectures.
Mobile App Security
6+ years of deep-dive mobile testing for 100+ iOS/Android apps, uncovering critical vulnerabilities.