Experience

Six roles across MSSP, financial services, industrial, enterprise, and nonprofit environments — building detection programs, maturing SOCs, and engineering coverage against specific threat actors and TTPs.

Senior Manager, Security Operations

National Audubon Society · Remote
2024 — Present
  • Sole security engineer and architect responsible for all aspects of information security.
  • Built the SOC from scratch using AI-native SOC technology.
  • 99.2% detection fidelity, MTTD down 65%, false positives down 95%.
  • Phishing-resistant MFA at 100% across 1,000+ users.
  • MDR migration savings of $32,000 redeployed into net-new vulnerability management program.

When I joined National Audubon Society in 2024, there was no SOC, no formal detection program, and security tooling was spread across disconnected point solutions. The first architectural decision was the SOC model: traditional MDR vs. AI-native. MDR requires analyst headcount to triage — a model that fails on cost before it fails on coverage for a single-person security team. I selected an AI-native platform that could deliver consistent detection fidelity without the analyst-to-alert ratio that makes MDR viable only at scale. The result: 99.2% detection fidelity and a 95% reduction in false positives.

Detection coverage was built MITRE ATT&CK-first — starting with the highest-probability attack paths for a hybrid cloud environment: identity-based attacks, credential stuffing, OAuth abuse, and business email compromise. Okta is the enterprise IdP, and I led the rollout of phishing-resistant MFA across 1,000+ users, removing the credential-theft risk that email compromise campaigns rely on. SAML and OAuth integrations provided detection visibility into identity-based lateral movement that endpoint telemetry alone misses.

The $32,000 MDR contract savings were reinvested into Tenable One, building net-new vulnerability management across endpoint, cloud, web application, and attack surface management domains. A program that can only detect is incomplete; understanding the full attack surface is what lets you prioritize detection coverage correctly.

SOC build-out · MITRE ATT&CK · Okta IAM · Tenable One · AI governance · Multi-cloud

Security Engineer

CrowdStrike · Remote
2022 — 2024
  • Internal enterprise defense on the TIDE team.
  • Insider threat false positives down 50%, MTTR down 70%.
  • Engineered and implemented detections against Scattered Spider.
  • Analyst response time down 80% via automation through Tines.
  • 30% of enterprise alerting personally migrated from Splunk to Falcon LogScale.

CrowdStrike's TIDE (Threat Intelligence and Detection Engineering) team defends the company's own internal infrastructure — a threat model distinct from most enterprise environments, since sophisticated adversaries actively target security vendors for intelligence and access value. The structural change with the most lasting impact was implementing Detection-as-Code via Bitbucket pipelines. Detection logic that previously lived in a UI moved into version-controlled files with peer review, syntax validation, and automated deployment. Deployment cycle time dropped 80%. Peer review consistently caught logic errors and coverage gaps that single authors missed.

Scattered Spider presented a specific detection challenge. The campaign used social engineering via SMS phishing and SIM swapping to compromise Okta and Azure AD environments. I engineered targeted detections against those exact TTPs — not broad behavioral rules, but specific patterns drawn from threat intelligence. Precision matters: broad rules generate noise that burns analyst capacity; precise rules that fire accurately are the ones that get triaged. During the Splunk to Falcon LogScale migration, I covered 30% of the enterprise alerting rules, improving detection latency on high-volume telemetry streams. Tines SOAR automation reduced analyst response time 80% by converting repetitive triage steps into automated playbooks.

Detection-as-Code · SOAR automation · Falcon LogScale · Threat intel

Senior Security Engineer

U.S. Bank · Remote
2022
  • Azure cloud security detection coverage during an on-prem migration.
  • Detection backlog down 39% in three months.
  • Coverage grew 20% and was mapped to MITRE ATT&CK.

Cloud migrations create detection coverage gaps. Legacy SIEM rules written for on-prem telemetry don't translate to cloud-native log sources — Azure Monitor, Defender for Cloud, and Entra ID produce different formats and expose different attack patterns than on-prem Active Directory. Attackers know defenders are distracted during migrations. The work at U.S. Bank was specifically about closing those gaps as the data center moved to Azure: rebuilding detection coverage for Azure-specific attack paths including service principal abuse, conditional access policy bypass, and storage account misconfiguration.

Detection backlog dropped 39% in three months. Coverage grew 20% with every new detection mapped to a MITRE ATT&CK technique — not cosmetically, but as a systematic way to identify remaining gaps and communicate coverage to security leadership in a framework they could act on.

Cloud migration · Detection engineering · Team leadership

Security Engineer

Sunbelt Rentals · Remote
2021 — 2022
  • Deployed Sysmon across 10k+ endpoints.
  • Wrote custom SIEM parsers and PowerShell workflows.
  • Main escalation point for all incidents.

Sunbelt Rentals operates across industrial environments including OT sites — a threat surface most security tooling isn't designed for. The detection challenge was foundational: without reliable endpoint telemetry, you can't write meaningful detection rules. Deploying Sysmon across 10,000+ endpoints standardized collection. Sysmon's process creation, network connection, file creation, and registry modification events provided the raw telemetry data that Windows Event Logs don't capture by default. Custom SIEM parsers normalized log formats across a heterogeneous environment spanning different OS versions, network architectures, and application stacks. PowerShell workflows automated repetitive triage steps.
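As an added example (not code from this page or from Sunbelt Rentals), the kind of parser the paragraph describes: Sysmon events of different types flattened into one stable schema so that a single set of SIEM rules can reference them. The XML samples are constructed to follow Sysmon's System/EventData layout; hostnames, paths and accounts are invented.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sysmon EventID -> (normalized event type, EventData fields lifted into the schema)
SYSMON_EVENTS = {
    1: ("process_create", ["Image", "CommandLine", "ParentImage", "User"]),
    3: ("network_connect", ["Image", "DestinationIp", "DestinationPort", "User"]),
    11: ("file_create", ["Image", "TargetFilename"]),
    13: ("registry_set", ["Image", "TargetObject", "Details"]),
}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into a dict with a stable core key set."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", default="0", namespaces=NS))
    event_type, fields = SYSMON_EVENTS.get(event_id, ("unknown", []))
    event_data = root.find("e:EventData", NS)
    data = {} if event_data is None else {d.get("Name"): (d.text or "") for d in event_data}
    record = {
        "event_id": event_id,
        "event_type": event_type,
        "host": system.findtext("e:Computer", default="", namespaces=NS),
        "utc_time": data.get("UtcTime", ""),
    }
    # Type-specific fields are lowercased so rules use one naming convention
    for field in fields:
        record[field.lower()] = data.get(field, "")
    return record


# Constructed sample events in Sysmon's System/EventData layout (not real telemetry)
SAMPLE_PROCESS = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID><Computer>WS-OT-042.example.local</Computer></System>
<EventData><Data Name="UtcTime">2021-09-14 03:12:45.001</Data>
<Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
<Data Name="CommandLine">powershell.exe -File C:\\Scripts\\inventory.ps1</Data>
<Data Name="ParentImage">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="User">EXAMPLE\\svc-inventory</Data></EventData></Event>"""

SAMPLE_REGISTRY = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>13</EventID><Computer>WS-OT-042.example.local</Computer></System>
<EventData><Data Name="UtcTime">2021-09-14 03:12:46.220</Data>
<Data Name="Image">C:\\Windows\\regedit.exe</Data>
<Data Name="TargetObject">HKLM\\SOFTWARE\\Example\\Agent\\Interval</Data>
<Data Name="Details">DWORD (0x0000003c)</Data></EventData></Event>"""
```

An unknown EventID still yields the core keys (event_id, event_type, host, utc_time), so a rule that only needs host and time works before a parser for that type exists.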

Sysmon telemetry · SIEM engineering · NIST CSF · MSSP

Security Engineer

CyberMaxx · Remote
2020 — 2021
  • Deployed and tuned SIEM detection and MDR platforms across 10–15 healthcare and banking clients.
  • Automated KPI reporting in Bash and Python, replacing manual SOC reporting.

CyberMaxx is a managed detection and response provider. I worked across 10–15 healthcare and banking clients simultaneously, which required understanding the difference between a detection that's technically correct and one that's operationally useful for a specific environment. Vendor-default SIEM rules generate thousands of false positives in any real deployment because they don't account for baseline behavior. Administrative login activity looks different in a hospital than in a financial institution. Detection tuning is the work of encoding each client's actual baseline and actual threat model into detection logic — not the theoretical baseline the vendor assumed when writing the default rule. Automated KPI reporting in Bash and Python replaced a manual process that was consuming several analyst hours per week, improving accuracy and freeing capacity for actual detection work.
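As an added example (not code from this page or from CyberMaxx), the vendor-default admin-login rule beside a version tuned to each client's own baseline: a night-shift hospital admin stops producing alerts, while a bank admin logging in off-hours or from a never-seen host still does. All login history is constructed; client names, accounts and hosts are invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history: (client, account, ISO timestamp, source host)
HISTORY = [
    ("hospital", "adm.jlee", "2021-03-01T02:10:00", "h-nightdesk-01"),
    ("hospital", "adm.jlee", "2021-03-02T02:25:00", "h-nightdesk-01"),
    ("hospital", "adm.jlee", "2021-03-03T03:05:00", "h-nightdesk-01"),
    ("bank", "adm.rsmith", "2021-03-01T09:00:00", "b-itops-07"),
    ("bank", "adm.rsmith", "2021-03-02T10:30:00", "b-itops-07"),
    ("bank", "adm.rsmith", "2021-03-03T16:45:00", "b-itops-07"),
]


def vendor_default_rule(event):
    """Vendor assumption: any admin login outside 08:00-18:00 is suspicious."""
    hour = datetime.fromisoformat(event[2]).hour
    return not 8 <= hour < 18


def build_baseline(history):
    """Per (client, account): the hours and source hosts actually observed."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for client, account, ts, host in history:
        base[(client, account)]["hours"].add(datetime.fromisoformat(ts).hour)
        base[(client, account)]["hosts"].add(host)
    return base


def tuned_rule(event, baseline, hour_slack=1):
    """Alert only when the login leaves that account's own baseline: an hour
    more than hour_slack away from every observed hour, or a never-seen host."""
    client, account, ts, host = event
    profile = baseline.get((client, account))
    if profile is None:
        return True  # admin account with no history at all: surface it
    hour = datetime.fromisoformat(ts).hour
    # Circular distance so 23:00 and 00:00 count as adjacent hours
    near_known = any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack
                     for h in profile["hours"])
    return (not near_known) or host not in profile["hosts"]


def compare(event, baseline):
    """Both verdicts side by side, the view an analyst uses when tuning."""
    return {"vendor": vendor_default_rule(event), "tuned": tuned_rule(event, baseline)}
```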

MDR · SIEM tuning · Incident response

Systems / Network Engineering

Various Companies · On-site
2013 — 2020
  • Systems and network engineering across retail, OT, and finance.
  • The technical base for the security work that followed.

Seven years in systems and network engineering across retail, OT, and finance built the infrastructure knowledge that makes detection engineering possible. Understanding how Active Directory authentication works at a protocol level, how traffic flows across network segments, how Windows services interact with the registry — this is what lets a detection engineer write rules specific enough to catch real threats without generating false positives. Most detection engineers come from one of two directions: security operations (strong threat knowledge, weaker infrastructure) or infrastructure (strong systems, weaker threat modeling). The systems and network background is the differentiator in detection work that requires understanding exactly what normal looks like before defining what anomalous means.

Credentials

Education

M.S. Cybersecurity

Georgia Institute of Technology

Expected 2027

B.S. Cybersecurity & Information Assurance

Western Governors University

2024

Certifications

CISSP

Certified Information Systems Security Professional

(ISC)²

CISM

Certified Information Security Manager

ISACA

GCIH

GIAC Certified Incident Handler

SANS · GIAC

GDAT

GIAC Defending Advanced Threats

SANS · GIAC

CDPSE

Certified Data Privacy Solutions Engineer

ISACA

CompTIA stack

Security+ · CySA+ · PenTest+ · Cloud+ · Network+ · Project+ · A+