/ about · 01

Security operations, practiced and documented.

Read time · 3 min

/ background

My background runs from county government IT and vocational instruction through data center administration at Aptum. I eventually moved into an InfoSec analyst role there before joining CyberSheath in 2022. That path gave me a working understanding of the infrastructure layers that sit below the alerts SOC analysts triage every day. At CyberSheath I stepped into a shift lead role. That means triage coordination, coaching analysts mid-shift, and owning the runbooks and tooling that keep the team consistent across client tenants.

/ philosophy

I think of detection as a product — it has users, it can be well designed or poorly designed, and it degrades if nobody maintains it. Writing a detection rule is the easy part. Getting it tuned to a workable signal-to-noise ratio, documenting the expected behavior, and reviewing it when the environment changes — that is the actual work. Analyst experience matters too. An alert queue where most triage ends in dismissal is not a detection problem; it is a workflow problem. I write tooling — BASTION, CARL, the KQL Sentinel Lab, ThreatWatch — because manual investigation steps repeated by hand are time the team can never recover. Good tooling compounds over time. So does bad tooling.

/ currently

Leading shift operations at CyberSheath. Active focus areas: mentoring T1 analysts on investigation workflow, CMMC-aligned SOC process, detection content refinement in Sentinel and Google SecOps, and expanding the CARL analyst toolset.

/ interested in

Team Lead, SOC Manager, or Security Engineer roles at organizations that take mentorship and detection-program building seriously. Teams where the SOC is treated as a capability to grow, not a cost center to staff.

/ next

Hiring or collaborating?