Detection Engineering Experience

Seven roles across MSSP, financial services, industrial, enterprise, and nonprofit environments, building detection programs, scaling SOCs, and engineering coverage against specific threat actors and TTPs.

Detection Engineer

FinTech · Remote
2026 — Present (Current)
  • Own the full detection lifecycle: threat intelligence intake and hypothesis formation through rule authoring, testing, deployment, and continuous tuning across SIEM, EDR, NDR, and cloud-native platforms.
  • Apply detection-as-code principles: detection logic version-controlled in Git, tested in CI/CD pipelines, and deployed through automated workflows using Sigma, YARA, and Terraform.
  • Design and build SOAR playbooks and enrichment workflows so high-confidence alert classes are triaged, enriched, and resolved without manual analyst intervention; serve as the human-in-the-loop auditor validating AI-generated investigation narratives.
  • Serve as incident commander on rotation for complex security events, and conduct hypothesis-driven threat hunts across endpoint, network, identity, and cloud telemetry.

The platform is a cloud-native digital banking provider serving roughly eight million consumer accounts across ninety financial institutions. Security here sits where banking compliance, cloud-native infrastructure, and real-time threat detection converge, with detection and response capabilities aligned to the regulatory requirements and control frameworks the industry demands.

This is not a traditional SOC analyst seat. AI-driven triage and SOAR handle the bulk of routine alert processing; the work is building the detections those platforms execute, authoring the automation that keeps the SOC operating at machine speed, and hunting for the threats that evade automated pipelines. Detection coverage is mapped to MITRE ATT&CK and maintained as a living matrix. I surface gaps proactively from threat intelligence, red team findings, and incident post-mortems, and track them through the detection backlog.

Detection-as-Code · Sigma / YARA · MITRE ATT&CK · SOAR · Threat Hunting · AI/ML Triage · Incident Command · Fintech Security

Senior Manager, Security Operations

National Audubon Society · Remote
2024 — 2026
  • Sole security engineer and architect responsible for all aspects of information security.
  • Built the SOC from scratch on AI SOC and AI-native tooling.
  • 99.2% detection fidelity, MTTD down 65%, false positives down 95%.
  • Phishing-resistant MFA at 100% across 1,000+ users.
  • MDR migration savings of $32,000 redeployed into a new vulnerability management program.

When I joined National Audubon Society in 2024, there was no SOC, no formal detection program, and security tooling spread across disconnected point solutions. The first architectural decision was SOC model: traditional MDR vs. AI-native. MDR requires analyst headcount to triage, a model that fails on cost before it fails on coverage for a single-person security team. I selected an AI-native platform that could deliver consistent detection fidelity without the analyst-to-alert ratio that makes MDR viable only at scale. The result: 99.2% detection fidelity and a 95% reduction in false positives.

Detection coverage was built MITRE ATT&CK-first, starting with the highest-probability attack paths for a hybrid cloud environment: identity-based attacks, credential stuffing, OAuth abuse, and business email compromise. Okta is the enterprise IdP and I led the rollout of phishing-resistant MFA across 1,000+ users, removing the credential-theft risk that email compromise campaigns rely on. SAML and OAuth integrations provided detection visibility into identity-based lateral movement that endpoint telemetry alone misses.

The $32,000 MDR contract savings were reinvested into Tenable One, building a vulnerability management program across endpoint, cloud, web application, and attack surface management domains. A program that can only detect is incomplete; understanding the full attack surface is what lets you prioritize detection coverage correctly.

SOC build-out · MITRE ATT&CK · Okta IAM · Tenable One · AI governance · Multi-cloud

Security Engineer

CrowdStrike · Remote
2022 — 2024
  • Internal enterprise defense on the TIDE team.
  • Insider threat false positives down 50%, MTTR down 70%.
  • Engineered and implemented detections against Scattered Spider.
  • Analyst response time down 80% via automation through Tines.
  • 30% of enterprise alerting personally migrated from Splunk to Falcon LogScale.

CrowdStrike's TIDE (Threat Intelligence and Detection Engineering) team defends the company's own internal infrastructure, a threat model distinct from most enterprise environments, since sophisticated adversaries actively go after security vendors for the access and intelligence that come with it. The structural change with the most lasting impact was implementing Detection-as-Code via Bitbucket pipelines. Detection logic that previously lived in a UI moved into version-controlled files with peer review, syntax validation, and automated deployment. Deployment cycle time dropped 80%. Peer review consistently caught logic errors and coverage gaps that single authors missed.

Scattered Spider presented a specific detection challenge. The campaign used social engineering via SMS phishing and SIM swapping to compromise Okta and Azure AD environments. I engineered targeted detections against those exact TTPs: not broad behavioral rules, but specific patterns drawn from threat intelligence. Precision matters: broad rules generate noise that burns analyst capacity; precise rules that fire accurately are the ones analysts actually act on. During the Splunk to Falcon LogScale migration, I covered 30% of the enterprise alerting rules, improving detection latency on high-volume telemetry streams. Tines SOAR automation reduced analyst response time 80% by converting repetitive triage steps into automated playbooks.

Detection-as-Code · SOAR automation · Falcon LogScale · Splunk migration · Threat intel

Senior Security Engineer

U.S. Bank · Remote
2022 — 2022
  • Azure cloud security detection coverage during an on-prem migration.
  • Detection backlog down 39% in three months.
  • Coverage grew 20% and was mapped to MITRE ATT&CK.

Cloud migrations create detection coverage gaps. Legacy SIEM rules written for on-prem telemetry don't translate to cloud-native log sources. Azure Monitor, Defender for Cloud, and Entra ID produce different formats and expose different attack patterns than on-prem Active Directory. Attackers know defenders are distracted during migrations. The work at U.S. Bank was specifically about closing those gaps as the data center moved to Azure: rebuilding detection coverage for Azure-specific attack paths including service principal abuse, conditional access policy bypass, and storage account misconfiguration.

Detection backlog dropped 39% in three months. Coverage grew 20% with every new detection mapped to a MITRE ATT&CK technique, not just for optics, but to systematically surface remaining gaps and communicate coverage to security leadership in a framework they could act on.

Cloud migration · Detection engineering · Team leadership

Security Engineer

Sunbelt Rentals · Remote
2021 — 2022
  • Deployed Sysmon across 10k+ endpoints.
  • Wrote custom SIEM parsers and PowerShell workflows.
  • Main escalation point for all incidents.

Sunbelt Rentals operates across industrial environments including OT sites, a threat surface most security tooling isn't designed for. The detection challenge was foundational: without reliable endpoint telemetry, you can't write meaningful detection rules. Deploying Sysmon across 10,000+ endpoints standardized collection. Sysmon's process creation, network connection, file creation, and registry modification events provided the raw telemetry data that Windows Event Logs don't capture by default. Custom SIEM parsers normalized log formats across an environment with mixed OS versions, network architectures, and application stacks. PowerShell workflows automated repetitive triage steps.

Sysmon telemetry · SIEM engineering · NIST CSF · MSSP

Security Engineer

CyberMaxx · Remote
2020 — 2021
  • Deployed and tuned SIEM detection and MDR platforms across 10–15 healthcare and banking clients.
  • Automated KPI reporting in Bash and Python, replacing manual SOC reporting.

CyberMaxx is a managed detection and response provider. I worked across 10–15 healthcare and banking clients simultaneously, which meant understanding the difference between a detection that's technically correct and one that's operationally useful for a specific environment. Vendor-default SIEM rules generate thousands of false positives in any real deployment because they don't account for baseline behavior. Administrative login activity looks different in a hospital than in a financial institution. Detection tuning is the work of encoding each client's real baseline and threat model into detection logic, not the theoretical baseline the vendor assumed when writing the default rule. Automated KPI reporting in Bash and Python replaced a manual process that was consuming several analyst hours per week, improving accuracy and freeing capacity for actual detection work.

MDR · SIEM tuning · Incident response

Systems / Network Engineering

Various Companies · On-site
2013 — 2020
  • Systems and network engineering across retail, OT, and finance.
  • The technical base for the security work that followed.

Seven years in systems and network engineering across retail, OT, and finance built the infrastructure knowledge that makes detection engineering possible. Understanding how Active Directory authentication works at a protocol level, how traffic flows across network segments, how Windows services interact with the registry: that foundation is what lets a detection engineer write rules specific enough to catch real threats without generating false positives. Most detection engineers come from one of two directions: security operations (strong threat knowledge, weaker infrastructure) or infrastructure (strong systems, weaker threat modeling). That background is what made the security work possible. You can't define anomalous until you know exactly what normal looks like.

Credentials

Education

M.S. Cybersecurity

Georgia Institute of Technology

Expected 2027

B.S. Cybersecurity & Information Assurance

Western Governors University

2024

Certifications

CISSP

Certified Information Systems Security Professional

(ISC)²

CISM

Certified Information Security Manager

ISACA

GCIH

GIAC Certified Incident Handler

SANS · GIAC

GDAT

GIAC Defending Advanced Threats

SANS · GIAC

CDPSE

Certified Data Privacy Solutions Engineer

ISACA

CompTIA stack

Security+ · CySA+ · PenTest+ · Cloud+ · Network+ · Project+ · A+