Framework-Mapped Capabilities

Skills & Expertise

Cybersecurity and AI security capabilities mapped to MITRE ATT&CK, MITRE ATLAS, and D3FEND frameworks

Core Expertise

Four domains, each mapped to a framework below — click through for the full technique-level breakdown

Offensive Security & Adversary Emulation

Full kill-chain coverage from reconnaissance through impact, mapped to MITRE ATT&CK — attack simulation, threat intelligence, and adversary emulation across 12 tactic categories.

MITRE ATT&CK · BAS · Purple Team

Defensive Engineering

Countermeasures and detection engineering mapped to MITRE D3FEND — hardening, detection, isolation, deception, and eviction across enterprise environments.

D3FEND · Detection Engineering · SIEM

Tooling & Technology Stack

Hands-on depth across DFIR, SIEM/analytics, network analysis, malware analysis, EDR/XDR, offensive tooling, BAS/purple team platforms, threat intel, and cloud security.

DFIR · Splunk/ELK · Cloud Security

AI Security

Extending 17 years of cybersecurity fundamentals into the AI threat landscape — AI red teaming, LLM/prompt injection testing, AI-powered detection, and deepfake defence.

MITRE ATLAS · LLM Security · AI Red Team

My MITRE ATT&CK Profile

How my skills, experience, and personality map to the ATT&CK framework — because defending networks requires both technical chops and human insight

Reconnaissance & Resource Development

  • Threat Intelligence - OSINT, TTPs, IOC hunting (T1592, T1593)
  • Malware Analysis - Reverse engineering & sandbox detonation (T1587)
  • Attack Simulation - BAS scenario design (T1587)
  • Pattern Recognition - Anomaly detection mindset (T1595)

Understanding how attackers gather intel and build their arsenal. This phase combines reconnaissance techniques with resource development — from OSINT to malware analysis.

I'm naturally curious and love digital detective work. Whether it's hunting down obscure IOCs or reverse-engineering malware samples, I approach threats proactively rather than reactively. My background in BAS means I think like both attacker and defender.

Initial Access

  • Phishing Analysis - Email forensics & campaign tracking (T1566)
  • Web App Security - Exploitation detection (T1189, T1190)
  • Social Engineering - User behavior analytics (T1598)
  • Network Traffic Analysis - Protocol-level inspection (T1071)

Detecting and preventing the initial breach. Covers phishing, social engineering, web exploits, and delivery mechanisms attackers use to get their foot in the door.

I have a sharp eye for detail and can spot phishing attempts that others miss. My communication skills help me explain complex social engineering tactics to non-technical teams, building human firewalls alongside technical ones.

Execution & Persistence

  • PowerShell Analysis - Script-based execution detection (T1059.001)
  • Persistence Mechanisms - Registry, scheduled tasks (T1547, T1053)
  • Memory Forensics - Volatility analysis (T1055, T1203)
  • Artifact Timeline Analysis - KAPE workflows (T1136)

Identifying how malware executes and maintains its foothold. From PowerShell obfuscation to registry manipulation, this covers the technical methods attackers use to run code and survive reboots.

I geek out on digital forensics. Tracing execution timelines and finding hidden persistence mechanisms is like solving a puzzle. KAPE and Volatility are my go-to tools for uncovering what attackers thought they deleted.

Defense Evasion

  • Obfuscation Detection - Deobfuscation & unpacking (T1027)
  • Process Injection - Memory manipulation detection (T1055)
  • Log Analysis - Indicator removal detection (T1070)
  • Timestomp Detection - Timeline integrity validation (T1070.006)

Catching attackers trying to hide their tracks. This includes detecting obfuscation, anti-forensics techniques, and methods used to evade EDR and AV solutions.

Attackers think they're sneaky, but I'm sneakier. I've built detections for obfuscation techniques that bypass commercial tools. Finding timestomped files or log deletions gives me the same satisfaction as checkmate in chess.

Credential Access

  • Credential Dumping Detection - LSASS protection (T1003.001)
  • Mimikatz Detection - Memory forensics (T1003)
  • Brute Force Detection - SIEM correlation rules (T1110)
  • Network Sniffing - Encrypted vs cleartext detection (T1040)

Stopping credential theft in its tracks. From Mimikatz to brute force attacks, this covers detection and prevention of techniques used to steal passwords and authentication tokens.

Credentials are the crown jewels. I've hunted Mimikatz in memory dumps and built SIEM rules that catch brute force attempts before the 3rd failed login. Protecting authentication is personal—attackers won't get the keys on my watch.

Discovery & Lateral Movement

  • Network Scanning Detection - Internal recon monitoring (T1046)
  • Lateral Movement Detection - SMB/RDP analysis (T1021)
  • Active Directory Forensics - DC logs & Kerberos (T1078)
  • Account Discovery - Enumeration detection (T1087)

Catching attackers as they explore the network and move between systems. Combines reconnaissance within compromised networks and techniques for pivoting to additional hosts.

I love AD forensics—every logon event tells a story. Spotting lateral movement patterns in DC logs is second nature. When attackers try to blend in with normal network traffic, my correlation rules light them up like a Christmas tree.

Command & Control

  • C2 Traffic Detection - Beacon analysis & anomalies (T1071)
  • SIEM Correlation - Multi-source threat detection (T1071, T1095)
  • DNS Tunneling - Covert channel detection (T1071.004)
  • Encrypted Channels - SSL/TLS inspection (T1573)

Identifying covert communication channels. From HTTP beaconing to DNS tunneling, detecting C2 requires understanding both normal network behavior and creative hiding techniques.

C2 detection is my bread and butter. I've built Splunk dashboards that visualize beacon patterns and detect DNS tunneling with scary accuracy. When I see periodic callbacks at 3-minute intervals, I know it's game on.

Privilege Escalation

  • Process Injection Detection - Memory analysis (T1055)
  • Token Manipulation - Access token abuse detection (T1134)
  • Exploit Detection - Vulnerability-based priv esc (T1068)
  • Scheduled Task Abuse - Persistence + priv esc (T1053.005)

Preventing attackers from gaining higher-level permissions. Covers exploitation of vulnerabilities, token manipulation, and abuse of legitimate system features to elevate privileges.

Privilege escalation attempts trigger my competitive side—it's a direct challenge. I've analyzed everything from kernel exploits to creative scheduled task abuse. Understanding both Windows internals and attacker creativity is key.

Collection & Exfiltration

  • Data Staging Detection - Archive analysis (T1074, T1560)
  • DLP Controls - Data exfiltration prevention (T1041)
  • Traffic Anomaly Detection - Unusual data transfers (T1048)
  • Cloud Exfiltration - SaaS & cloud storage abuse (T1567.002)

Detecting data theft before it leaves the network. Combines identifying how attackers gather and stage data with catching exfiltration attempts across various channels.

Data is what attackers came for—stopping exfiltration is the ultimate win. I monitor for compression, staging, and abnormal outbound transfers. Cloud exfiltration is especially tricky, but behavioral baselines make the impossible possible.

Impact

  • Ransomware Analysis - Detection & behavioral indicators (T1486)
  • Data Destruction - Wiper malware analysis (T1485)
  • Service Disruption - DoS & availability attacks (T1499)
  • Defacement Detection - Integrity monitoring (T1491)

Mitigating destructive attacks. From ransomware to wipers, this category focuses on detecting and responding to techniques designed to cause damage, disruption, or ransom demands.

Ransomware is personal—it's digital terrorism. I've analyzed countless ransomware families and built detections for encryption behavior patterns. Nothing is more satisfying than catching ransomware BEFORE encryption starts.

Detection & Analysis

  • SIEM Mastery - Splunk, ELK Stack correlation
  • EDR/XDR - CrowdStrike, SentinelOne expertise
  • Threat Hunting - Hypothesis-driven investigations
  • UEBA - User & entity behavior analytics

The defensive backbone. This category represents the continuous monitoring, threat detection, and security analytics that enable early identification of malicious activity across all other categories.

This is where I thrive—active defense. I build detection rules that catch threats others miss. My Splunk dashboards are works of art. Threat hunting isn't a job; it's a passion. I wake up excited to hunt bad guys.

Incident Response & Recovery

  • Incident Triage - Rapid assessment & containment
  • Digital Forensics - Evidence collection & analysis
  • Root Cause Analysis - Finding the 'why' behind the 'what'
  • Lessons Learned - Continuous improvement mindset

Managing the full incident lifecycle. From initial detection to recovery and lessons learned, this encompasses the structured approach to handling security incidents and improving defenses.

Under pressure, I excel. Incident response requires calm leadership, technical precision, and clear communication—all my strengths. I don't just clean up incidents; I ensure we learn and improve so they don't happen again. Resilience is my superpower.

D3FEND Framework

Defensive cybersecurity countermeasures and detection techniques

Harden

  • Application Hardening - Secure code practices, ASLR, DEP
  • Credential Hardening - MFA, password policies, PKI
  • Platform Hardening - OS hardening, patch management
  • Network Hardening - Segmentation, micro-segmentation

Building robust defensive foundations. Hardening reduces attack surface by securing applications, credentials, platforms, and networks before threats arrive.

I'm a believer in "shift left" security. Why wait for attacks when you can prevent them? I've hardened everything from cloud configs to AD environments. Defense in depth starts with making every layer tough to crack.

Detect

  • File Analysis - Static/dynamic malware analysis
  • Network Traffic Analysis - IDS/IPS, DPI, protocol analysis
  • Process Analysis - EDR, behavior monitoring
  • User Behavior Analysis - UEBA, anomaly detection

The eyes and ears of security operations. Detection capabilities span file, network, process, and user analysis to identify threats as they emerge.

Detection is my sweet spot—it's where technical expertise meets pattern recognition. My SIEM correlation rules and EDR detections have caught threats that bypassed traditional defenses. I see what others miss.

Isolate

  • Network Isolation - VLAN, firewall rules, ACLs
  • Execution Isolation - Sandboxing, containers, VMs
  • Broadcast Domain Isolation - Network segmentation
  • Logical Link Isolation - Port security, 802.1X

Containing threats before they spread. Isolation techniques limit attacker movement through network segmentation, sandboxing, and access controls.

Isolation is the defensive containment game. I design network segmentation that limits blast radius and deploy sandboxes for malware detonation. When threats are cornered, they can't cause widespread damage.

Deceive

  • Decoy Environment - Honeypots, honeynets
  • Decoy Object - Honeyfiles, honeytokens
  • Network Decoy - Fake services, breadcrumbs
  • Credential Decoy - Canary credentials

Turning the tables on attackers with deception technology. Honeypots and decoys provide early warning while wasting attacker time and revealing TTPs.

Deception is my favorite defensive wildcard. I love deploying honeytokens and watching attackers trigger alerts. It's like setting traps in a digital maze—attackers think they're winning until they realize they've been caught.

Evict

  • Process Termination - Kill malicious processes
  • Connection Termination - Block C2 communications
  • Credential Revocation - Disable compromised accounts
  • File Deletion - Remove malware artifacts

Active removal of threats from the environment. Eviction techniques forcibly terminate malicious processes, connections, and access to restore security.

Eviction is the moment of truth—kicking attackers out requires precision and confidence. I've terminated C2 connections mid-exfiltration and revoked credentials seconds before escalation. It's surgical and satisfying.

Restore

  • System Restore - Backup recovery, snapshots
  • File Restoration - Data recovery, version control
  • Configuration Restoration - Known-good states
  • Credential Restoration - Reset compromised accounts

Recovery and resilience operations. Restore capabilities ensure business continuity through backups, snapshots, and returning systems to known-good states.

Restoration is where resilience shines. I've orchestrated recoveries from ransomware and data destruction. Good backups and tested recovery procedures are the difference between business disruption and business continuity.

Tools & Technologies

The arsenal—tools I've mastered across defensive and offensive security operations

DFIR & Forensics

  • Volatility - Proficient
  • KAPE - Proficient
  • EnCase / FTK - Proficient
  • X-Ways Forensics - Familiar

Digital forensics and incident response tools for memory analysis, artifact collection, and evidence preservation.

DFIR is where I live. Volatility profiles are my crossword puzzles, and KAPE workflows are muscle memory. There's nothing like finding the smoking gun in a memory dump—it's digital archaeology with stakes.

SIEM & Analytics

  • Splunk - Expert
  • ELK Stack - Proficient
  • QRadar - Familiar
  • Chronicle - Familiar

Security information and event management platforms for correlation, detection, and threat hunting at scale.

Splunk is my second language—SPL queries flow faster than English sometimes. My dashboards have caught threats that traditional tools missed. When I see correlated events light up across data sources, that's when the hunt gets real.

Network Analysis

  • Wireshark - Expert
  • Zeek (Bro) - Proficient
  • tcpdump - Proficient
  • NetworkMiner - Familiar

Packet capture and protocol analysis tools for deep network traffic inspection and C2 detection.

Wireshark is where I learned to speak network fluently. Reading PCAPs is meditation—every packet tells a story. Zeek logs have saved me countless hours, and tcpdump is my trusty command-line companion for quick captures.

Malware Analysis

  • IDA Pro - Familiar
  • Ghidra - Familiar
  • Cuckoo Sandbox - Proficient
  • REMnux - Proficient

Reverse engineering and dynamic analysis platforms for dissecting malicious code and understanding attacker capabilities.

Malware RE is my chess game—anticipating the adversary's next move. Ghidra's decompiler is a gift to humanity, and watching malware detonate safely in Cuckoo never gets old. Every sample teaches something new.

EDR / XDR

  • CrowdStrike - Proficient
  • SentinelOne - Familiar
  • Microsoft Defender - Proficient
  • Carbon Black - Familiar

Endpoint detection and response solutions providing behavioral monitoring, threat prevention, and automated remediation.

EDR is the front line of modern defense. CrowdStrike's Falcon OverWatch is phenomenal—I've watched it catch in-memory attacks in real time. These tools make endpoint visibility a reality, not a dream.

Offensive Security

  • Metasploit - Proficient
  • Burp Suite - Proficient
  • Cobalt Strike - Familiar
  • BloodHound - Proficient

Penetration testing and red team tools for vulnerability exploitation, web app testing, and attack path discovery.

Knowing the attacker's toolset makes me a better defender. Metasploit modules teach exploitation realities, Burp Suite reveals web app weaknesses, and BloodHound's AD path visualization is pure genius. Think like the enemy, defend like a champion.

BAS & Purple Team

  • Security Validation - Expert
  • Attack Simulation - Expert
  • MITRE Caldera - Proficient
  • Atomic Red Team - Proficient

Breach and attack simulation platforms for continuous security validation and detection engineering feedback loops.

BAS is my professional passion—it bridges offense and defense perfectly. I've built detection pipelines that validate in real time using these platforms. Purple team exercises are where theory meets reality and gaps get closed.

Threat Intelligence

  • MISP - Proficient
  • OpenCTI - Familiar
  • VirusTotal - Expert
  • ThreatConnect - Familiar

Threat intelligence platforms for IOC sharing, campaign tracking, and contextual threat analysis.

TI isn't just collecting IOCs—it's understanding the 'why' behind attacks. MISP feeds have enriched my investigations countless times. VirusTotal is my first stop for hash checks, and community intelligence makes us all stronger.

Cloud Security

  • AWS Security Tools - Proficient
  • Azure Security Center - Familiar
  • CloudTrail / GuardDuty - Proficient
  • Prowler - Proficient

Cloud-native security tools for configuration auditing, threat detection, and compliance monitoring in cloud environments.

Cloud security is the new frontier. GuardDuty alerts have caught crypto miners and data exfiltration attempts. Prowler audits keep cloud configs tight. The cloud moves fast—security has to move faster.

AI Security Skills

Extending 17 years of cybersecurity fundamentals into the AI threat landscape — mapped loosely to MITRE ATLAS alongside ATT&CK

AI Red Team Operations

  • Model Evasion - Adversarial examples & input manipulation
  • Data Poisoning - Training data integrity attacks
  • Model Extraction - IP theft via query abuse
  • MITRE ATLAS - AI-specific TTP mapping

Adversarial testing of AI and ML systems, mapping AI-specific attack techniques to MITRE ATLAS alongside traditional ATT&CK.

Red teaming an LLM feels like red teaming an application and a person at the same time — it has both an attack surface and something resembling judgement you can manipulate. That combination is what makes this field genuinely new.

LLM & Prompt Injection Testing

  • Prompt Injection - Direct & indirect injection testing
  • Jailbreaking - Guardrail and policy bypass
  • RAG Attacks - Retrieval pipeline poisoning
  • OWASP LLM Top 10 - Risk-based assessment

Testing LLM-integrated applications against prompt injection, jailbreaking, and data exfiltration via model outputs.

The same instinct that made me good at hunting injection flaws in web apps applies here — except the "input validation" layer is a probabilistic model, which makes the problem genuinely harder to bound.

AI-Powered Threat Detection

  • Anomaly Detection - ML-driven behavioural baselines
  • AI-SIEM - LLM-assisted alert triage
  • Automated Hunting - AI-augmented threat hunting workflows
  • Model Monitoring - Drift & abuse detection

Operationalising AI defensively — using ML for anomaly detection, triage, and threat hunting without adding new attack surface.

Blue team work taught me to be skeptical of any tool that promises to replace analyst judgement. AI is excellent at surfacing signal faster; it's still the analyst who decides what the signal means.

Deepfake & Synthetic Media Defence

  • Voice Cloning Detection - CEO fraud & vishing defence
  • Synthetic Identity - KYC/verification bypass research
  • Video Deepfakes - Detection methods & limitations
  • Verification Protocols - Out-of-band confirmation design

Researching AI-generated voice cloning, video deepfakes, and synthetic identity fraud used in CEO fraud and MFA bypass.

Social engineering was always about exploiting trust. Generative AI just collapsed the cost of producing a convincing fake to near zero — the defence has to be procedural (verification protocols), not just technical.

Let's Collaborate

Looking for security validation expertise, threat hunting capabilities, or architecture consulting?