I build detection programs engineered for real-world adversaries and stay quiet on everything else. Sigma, XQL, SPL, KQL, YARA-L across the full kill chain. I close the telemetry gaps your EDR misses and deliver the runbooks for what comes after.
I’m a detection engineer who treats SOC tooling as a product and adversary behavior as a backlog. Every detection I deliver is paired with a test, a runbook, and an exit criterion because untested detections are just expensive noise.
Most of my work lives at the seam between threat intel, data engineering, and incident response. I’ve stood up greenfield detection pipelines, reduced years of accumulated detection debt, and tracked APTs across three continents’ worth of cloud logs.
Outside of work I write a quiet newsletter on detection-as-code, maintain a few open-source Sigma packs, and lose at CTFs with enthusiasm.
Catches OAuth phishing where a user consents to a multi-tenant app
from an unverified publisher with delegated Mail.Read /
offline_access scopes. Joins Entra AuditLogs with the
ServicePrincipal directory to suppress vetted apps.
title: Entra Illicit Consent — Unverified Publisher logsource: product: entra service: auditlogs detection: selection: OperationName: 'Consent to application' Result: 'success' TargetResources.modifiedProperties.displayName|contains: - 'Mail.Read' - 'offline_access' - 'User.Read.All' AppPublisher.verifiedPublisher: null filter_known: AppId|in: %vetted_apps% condition: selection and not filter_known level: high tags: [ attack.t1528, attack.persistence ]
Long-tail GCP persistence: a user-managed JSON key is created on a service account that holds Owner / Editor / SecurityAdmin elsewhere in the org, outside an approved Terraform pipeline.
title: GCP — Service Account Key Issued for Privileged SA id: dr-2025-054 status: stable logsource: product: gcp service: gcp.audit detection: selection: data.protoPayload.methodName: 'google.iam.admin.v1.CreateServiceAccountKey' data.protoPayload.resourceName|endswith: '@privileged.iam.gserviceaccount.com' filter_iac_principal: data.protoPayload.authenticationInfo.principalEmail|endswith: '@iac.gserviceaccount.com' filter_ci_egress: data.protoPayload.requestMetadata.callerIp|cidr: - '10.50.0.0/16' condition: selection and not (filter_iac_principal or filter_ci_egress) fields: [ principalEmail, resourceName, callerIp ] level: high tags: [ attack.persistence, attack.t1098 ]
Detects ≥ 4 denied MFA prompts on a single user within 10 minutes followed by an accepted prompt — the classic push-bombing TTP. Enriches with sign-in risk + impossible-travel flags.
title: Entra — MFA Fatigue Followed by Successful Sign-in id: dr-2025-049 status: experimental logsource: product: entra service: signinlogs detection: denied: ResultType: - '50074' # MFA challenge not passed - '50076' # MFA required, denied - '50158' # external security challenge failed success: ResultType: '0' AuthenticationDetails|contains: 'MFA succeeded' timeframe: 10m condition: denied | count() by UserPrincipalName > 3 and success fields: [ UserPrincipalName, IPAddress, RiskLevelAggregated ] level: high tags: [ attack.credential_access, attack.t1621 ]
Flags sts.googleapis.com token exchanges where the
external subject does not match an approved CI provider / repo
binding — i.e. someone abusing a misconfigured WIF pool to mint
access tokens for a GCP service account.
title: GCP — WIF Token Exchange with Unexpected External Subject id: dr-2025-037 status: experimental logsource: product: gcp service: gcp.audit detection: selection: data.protoPayload.serviceName: 'sts.googleapis.com' data.protoPayload.methodName: 'GenerateAccessToken' filter_allowed_pool: data.protoPayload.request.audience|contains: '/workloadIdentityPools/github-oidc/' data.protoPayload.request.subjectTokenClaims.sub|startswith: - 'repo:alex-burst/' condition: selection and not filter_allowed_pool fields: [ principalEmail, audience, subjectTokenClaims.sub, callerIp ] level: medium tags: [ attack.persistence, attack.t1078.004 ]
A full simulated enterprise — fictional employees, business systems, mail, and identity — designed to surface the real human behaviors that produce incidents. The range runs adversary playbooks against staged users so detections, runbooks, and tabletop muscle get tested against actual mistakes instead of synthetic ones. Used to validate Sigma rule packs end-to-end before they ship to production tenants.
AI-powered toolkit leveraging Google Gemini to automate Sigma rule generation, forensic reporting, and log analysis — cutting alert fatigue and producing actionable tuning strategies.
Led enterprise migration from Sumo Logic to Palo Alto XSIAM. Optimized correlation rules and reduced false positives by 40%, significantly enhancing SOC visibility and analyst efficiency.
Secure application that builds 3+ hop SSH tunnels via dynamically deployed VMs across AWS and GCP regions — full traffic passthrough while preserving anonymity.
Ansible playbooks automating ES cluster deployment and node scaling with optimized storage configuration for dynamic shard distribution.
Sandbox infrastructure supporting defensive and offensive cyber operations for the Louisiana National Guard CPT, ensuring confidentiality and availability for mission forces.