Anomalies in the clouds...

Cybersecurity research, threat intelligence, and detection engineering.

SOC Advisory

Cogswell Award-winning SOC leadership. Build, mature, or transform your security operations.

Detection & Threat Intel

Build and mature detection engineering and threat intelligence programs. Detection as Code from its original authors.

Products

Custom tooling for MSSPs and XDR providers.

Cogswell Award-Winning SOC Manager

SOC manager for the security team at Corvid Technologies when the team was recognized with the 2021 James S. Cogswell Outstanding Industrial Security Achievement Award — the highest honor the Defense Counterintelligence and Security Agency (DCSA) bestows upon cleared industry, awarded to just 40 of approximately 13,000 cleared contractor facilities nationwide.

Previously built and managed SOC operations for a managed detection and response (MDR) provider across classified and unclassified programs, and established a security operations center for a regional internet service provider.

Detection as Code

Authored the first publicly available white paper on the Detection as Code methodology (2019), defining a framework for applying CI/CD pipeline practices to security detection development. The paper introduced a full lifecycle approach — from detection engineering and automated testing to version-controlled deployment — enabling security teams to build, test, and continuously deploy high-fidelity detectors at scale with comprehensive audit trails and change control.

Read the white paper

SigmaHQ Contributions

Active contributor to the SigmaHQ open-source detection rule project — the industry standard for platform-agnostic detection signatures.

CelesTLSH Hash Database

Maintainer of CelesTLSH, an open-source TLSH fuzzy-hash datafeed tracking red teaming and penetration testing tools. Unlike traditional cryptographic hashes, TLSH (Trend Micro Locality Sensitive Hash) measures file similarity — enabling detection of modified, repackaged, or derivative tool variants that evade exact-match signatures.

Continuously updated from official GitHub repositories, supporting threat hunting, detection engineering, and incident response workflows.

View on GitHub

Detection

EDR Telemetry Project: From Misleading to Actively Deceptive?

The EDR Telemetry Project's website tells visitors to "validate detection logic" and endorses its use for guiding procurement decisions. The disclaimers saying it shouldn't be used for that exist only on GitHub. Public feedback suggesting it be clarified that the project can't be used for detection validation was ignored.

5 min read signalblur
Detection

A.I. Cybersecurity Tool Marketing: Insanity vs Reality

A.I. insanity has reached new heights, as vendors scream about AI super threats while the reality is boring.

10 min read signalblur
Detection

"That Can be Evaded" and the Imperfect Detector

Every detection can be evaded. So what's worse: missing an attack or drowning in noise? The Base-Rate Fallacy shows that false positives are the true limiting factor. The goal isn't to be perfect; it's to be a difficult target. Each layer that forces an adversary to adapt is a win.

5 min read signalblur
Detection

Fuzzy Hashing Research: A Paper Highlight with Practitioner's Notes

A new paper questions fuzzy hashing, but real-world data tells a different story. I share practical lessons for reducing false positives and argue that the future of TLSH isn't in alerting; it's in enriching events to create high-fidelity detections.

10 min read signalblur
View all research