SOC leadership built from the data center up.
Eight years across IT operations and security. Now leading shift coverage in a multi-tenant MSSP — mentoring analysts and building the runbooks, training environments, and tools that turn shift knowledge into team capability.
/ dashboard · live
The full picture.
Credentials, projects, activity, capabilities, and writing — the things that hold up under scrutiny.
// credentials · 04 active
- CompTIA Security+
- CompTIA CySA+
- EC-Council CEH
- Microsoft Azure Fundamentals
// throughline
Making tribal SOC knowledge teachable.
My background runs from county government IT and vocational instruction through data center administration at Aptum. I eventually moved into an InfoSec analyst role there before joining CyberSheath in 2022.
// project
BASTION · active
KQL investigation toolkit that ends the rebuild-from-scratch loop
- 20+ KQL hunt templates
- 7 detection categories
- Single-file HTML deploy
// project
CARL · active
Offline SOC knowledge base that captures what lives in analysts' heads
- 500+ knowledge entries
- 8 dispatch engines
- 11 alert playbooks
// project · featured
KQL Sentinel Lab · active
Synthetic Sentinel environment for analysts to practice on real attack data
- 55 attack scenarios
- 14 MITRE techniques
- 6 tactic groups
// capabilities
What I work on.
Leadership & Mentorship
- Shift leadership
- Junior analyst mentoring
- Incident command
- Stakeholder communication
Enablement & Training
- Onboarding curriculum
- Runbook authorship
- Lab and training environment design
- Knowledge base curation
Detection & Response
- KQL
- Microsoft Sentinel
- Google SecOps
- Alert triage
SOC Operations
- Coverage planning
- Analyst coaching
- Alert volume tuning
- Metrics reporting
// writing · 03 recent
Notes from the shift.
- How I built a CMMC-compliant SOC analyst assistant without sending data to an LLM
  Most AI-in-the-SOC pitches start with an LLM and try to make it safe. I started with the compliance constraint and worked backward — here's the architecture.
- Why I built a deterministic SOC assistant (instead of an LLM one)
  LLM assistants are useful. They're also wrong sometimes, in ways that are hard to audit. Here's why I went the other direction.
- What I've learned running a shift handoff
  A shift handoff in an MSSP context is harder than it looks. Four behaviors that separate handoffs that help from handoffs that just transfer anxiety.
// now · may 2026
Currently on the desk.
Running shift coverage at CyberSheath — coordinating triage across analysts, owning runbook drift, and pulling escalations when the queue gets noisy. Refining detection content in Sentinel and Google SecOps with a focus on tuning out the alerts that always end in dismissal.
// experience · recent
- Oct 2022 – Present (current) · CyberSheath · Cyber Security Analyst · SOC Shift Lead
- May 2021 – Oct 2022 · Aptum · Information Security Analyst
- Jun 2019 – May 2021 · Aptum · Data Center Administrator
/ activity · 661 contributions
Building in the open.
May 2025 – May 2026
/ contact
Got an interesting SOC problem?
I'm always open to hiring conversations, collaboration, or comparing notes on detection programs and SOC tooling.