Security engineering meets precise communication.
Security engineer with nearly four years of enterprise experience spanning endpoint protection, identity management, network security, and cloud infrastructure. Currently supporting a 3,000+ user environment. I build detection programs, lead security tooling migrations, and document investigations in a way that holds up under scrutiny. Especially interested in practical AI and machine learning that reduce noise and improve investigation speed without sacrificing clarity.
All project descriptions reflect work I owned and led. Implementation details and organizational specifics have been generalized as needed to respect confidentiality obligations.
Security Engineering Projects
Scope. Led an enterprise EDR migration from a rigid platform with limited customization into a solution capable of native SIEM integration, automation, and custom detection logic. Required building detection logic, playbooks, and alert tuning from the ground up within a new platform.
Ownership. Developed custom detection content mapped to multiple stages of the attack lifecycle. Tuned alert logic using behavioral baselines and structured aggregation to reduce high-volume, low-value alerts without losing true positives. Built incident response playbooks from scratch, defining clear investigative steps so responders could follow a consistent sequence rather than relying on memory or individual style.
Outcome. Reduced alert fatigue and improved triage consistency across the team. Investigations became more repeatable and defensible, with documented response paths replacing ad hoc decision making. Detection engineering shifted from reactive alert handling to structured program ownership.
Skills proved. Detection engineering, alert tuning, investigation design, IR documentation, EDR migration, threat hunting.
Scope. Inherited a vulnerability management platform during a SOC provider transition and built the program structure around it. The tool existed in the new environment.
Ownership. Led the platform migration, then built the vulnerability management program from the ground up. Defined remediation SLAs, prioritized findings, and assigned clear ownership across teams so findings had a path forward rather than sitting in a queue. Trained SecOps on both the tooling and the discipline. Stood up leadership reporting so posture was visible and reviewable on a consistent schedule.
Outcome. Introduced formal SLA tracking for vulnerability remediation across the organization. Established clear ownership of findings across teams and created a reporting rhythm leadership could rely on. Transitioned vulnerability management from reactive to structured; work that had previously been ad hoc became repeatable.
Skills proved. Vulnerability management, SLA design, cross-functional ownership, SecOps training, executive reporting.
Scope. Configured and tuned the full MDO email security stack across a 3,000+ user environment, covering policy enforcement, threat investigation, and email authentication.
Ownership. Deployed and managed Safe Links, Safe Attachments, anti-phishing policies, and spoof intelligence. Used Threat Explorer for phishing incident triage and investigation, correlating email signals with broader endpoint telemetry to build a more complete picture of what actually happened. Tuned alert thresholds iteratively to reduce noise without creating blind spots. Validated and maintained email authentication records (SPF, DKIM, DMARC) to harden the org's sending posture and close spoofing vectors.
Outcome. Tighter email filtering with fewer false positives reaching end users. Improved investigation fidelity by correlating email and endpoint signals. Email authentication posture validated and documented. Alert tuning reduced analyst fatigue without sacrificing detection coverage.
Skills proved. Email security policy, Safe Links/Attachments, anti-phishing, threat investigation, SPF/DKIM/DMARC, alert tuning.
Scope. Configured Proofpoint Targeted Attack Protection (TAP) and built automated user notification workflows natively within the Proofpoint platform to reduce response lag on delivered threats.
Ownership. Set up TAP detection and built the end-to-end automated response workflow. When TAP identifies malware in a delivered message, the workflow fires automatically: the affected user receives a notification with context on what was found and clear next steps, without requiring manual triage from the security team. The entire workflow was built and managed within the Proofpoint platform, with no external tools or SOAR dependency.
Outcome. Eliminated the manual bottleneck between detection and user notification. Response lag on delivered threats cut significantly. Security team freed from chasing down every alert individually, with consistent, documented communication going to affected users every time.
Skills proved. Proofpoint TAP, automated workflow design, threat notification, email security operations.
Scope. Full replacement of a deprecated enterprise password manager across a 3,000+ user environment, from vendor selection through long-term adoption.
Ownership. Ran the RFP and vendor comparison, negotiated pricing directly, secured budget and executive approval, and managed the contract. Migrated the credential vault, rebuilt provisioning workflows, deployed SSO and browser extensions org-wide, and implemented policy-based controls to prevent unapproved credential storage. Delivered hands-on training for help desk staff and external agency users so the rollout held after go-live. Ongoing training ownership retained.
Outcome. Standardized credential management at enterprise scale across 3,000+ users. Procurement negotiation delivered a contract at a price point that received direct executive acknowledgment. Adoption enforced at the policy level, with training structured to support it, not left to self-selection.
Skills proved. Procurement and vendor negotiation, identity management, SSO integration, policy enforcement, change management, end-user training.
Scope. Led successive secure access migrations as organizational requirements and security maturity outgrew each prior solution, progressing from a legacy VPN with reliability and performance issues through increasingly capable platforms toward a unified SASE architecture. Two full production migrations completed; third in phased rollout.
Ownership. Evaluation, selection, and implementation across each transition. Every phase included MFA enforcement from day one, intentional policy configuration, and deployment runbooks written so investigations and troubleshooting did not rely on individual memory.
Outcome. Restored reliable connectivity for a fully remote workforce and advanced the network architecture toward zero-trust principles with each generation. MFA enforced at the network layer. Documentation standardized across all three transitions so institutional knowledge lived in the runbook, not in any one person.
Skills proved. Network security architecture, zero-trust design, MFA enforcement, vendor evaluation, technical documentation.
Scope. Configured Microsoft Defender for Cloud Apps to extend security visibility into SaaS activity and email-adjacent risk, covering the layer between endpoint detection and cloud-only behavior.
Ownership. Set up mail alerts and policies to surface suspicious behavior, anomalous access patterns, and shadow IT across connected applications. Configured app governance and activity policies to enforce expected behavior and flag deviations. Integrated MDCA signals into the broader security monitoring workflow.
Outcome. Extended detection coverage into SaaS and cloud app activity that endpoint tooling cannot see. Shadow IT surfaced and documented. Anomalous access alerts integrated into triage workflow alongside endpoint and email signals.
Skills proved. Cloud app security, SaaS visibility, policy configuration, anomaly detection, shadow IT governance.
Scope. Built and managed Data Loss Prevention policies in Microsoft Purview covering email, endpoints, and cloud storage across the organization.
Ownership. Configured policy rules around sensitive information types, set enforcement actions appropriate to each scenario, and tuned false positive rates to keep policies enforceable without disrupting legitimate workflows. Monitored policy hits and adjusted thresholds based on real user behavior rather than theoretical risk models.
Outcome. DLP coverage extended across email, endpoint, and cloud storage channels. False positive rate tuned to a level that kept policies in enforcement rather than monitor-only mode. Policies documented with rationale so future changes have a clear baseline to work from.
Skills proved. Purview DLP, sensitive information type configuration, policy enforcement, compliance operations, M365 data governance.
Scope. Public-facing interactive security awareness content, built independently. You can take this quiz in the Writing Samples section.
Ownership. Designed and built an interactive phishing simulation and awareness quiz from scratch. Covers social engineering recognition, QR code phishing, and cloud storage risks. Built for non-technical users, the audience most likely to need it and least likely to read a policy document.
Outcome. Publicly accessible with no login required. Awareness content that meets users where they are rather than where security teams wish they were. Try it below.
Skills proved. Security awareness program design, user education, content development.
Scope. Publicly available scripts written for real investigative and operational use cases, not textbook examples. Built to solve problems that came up in actual work.
Ownership. Authored KQL queries for malicious IP detection by domain, locked account reporting, and URL click history for specific users during investigations. Wrote PowerShell and batch scripts for Tenable agent detection and remediation. Built an SQL script for sorting browser history by local time in DB Browser, which is useful for incident timelines.
Outcome. Each script solves a specific problem: either the vendor documentation falls short, the native tooling requires a package tier most orgs don't have, or the investigation workflow needed something custom. All scripts publicly available and documented on GitHub Gist linked below in the Writing Samples section.
Skills proved. KQL, PowerShell, SQL, detection scripting, incident investigation, Tenable, Microsoft Sentinel.
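The browser-history timeline problem mentioned above is worth seeing concretely. The block below is an added illustration by the editor, not one of the Gist scripts described on this page, and it assumes the Chromium History format (visit times stored as microseconds since 1601-01-01 UTC, the WebKit epoch); Firefox uses a different epoch and schema. The sample urls/visits rows are constructed for the example. The embedded query is the same conversion a DB Browser for SQLite user would paste into the SQL tab; Python only builds the sample database and runs it.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between the WebKit epoch (1601-01-01) and the Unix epoch (1970-01-01).
WEBKIT_EPOCH_OFFSET_S = 11644473600

# Chromium-format History query (assumption: Chromium schema). Integer division
# drops sub-second precision, which is fine for a timeline; keep raw_webkit_us
# if you need it. The {modifiers} slot selects UTC or local rendering.
HISTORY_QUERY = """
SELECT
    u.url,
    u.title,
    v.visit_time AS raw_webkit_us,
    datetime(v.visit_time / 1000000 - {offset}, {modifiers}) AS visit_ts
FROM visits v
JOIN urls u ON u.id = v.url
ORDER BY v.visit_time
"""


def webkit_to_datetime(webkit_us: int) -> datetime:
    """Pure-Python reference conversion, used to cross-check the SQL."""
    unix_s = webkit_us / 1_000_000 - WEBKIT_EPOCH_OFFSET_S
    return datetime.fromtimestamp(unix_s, tz=timezone.utc)


def build_sample_history() -> sqlite3.Connection:
    """Constructed, minimal copy of Chromium's urls/visits tables (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://example.com/login", "Sign in"),
        (2, "https://example.net/invoice.pdf", "Invoice"),
    ])
    # Deliberately inserted out of chronological order to show the sort.
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?)", [
        (1, 2, 13300000600000000),   # 2022-06-18 04:36:40 UTC
        (2, 1, 13300000000000000),   # 2022-06-18 04:26:40 UTC
    ])
    conn.commit()
    return conn


def timeline(conn: sqlite3.Connection, local: bool = False) -> list:
    """Return (url, visit_ts) rows in chronological order.

    local=False renders UTC (reproducible in tests and reports); local=True adds
    SQLite's 'localtime' modifier, which uses the analyst machine's timezone,
    so note that timezone in the incident timeline.
    """
    modifiers = "'unixepoch', 'localtime'" if local else "'unixepoch'"
    sql = HISTORY_QUERY.format(offset=WEBKIT_EPOCH_OFFSET_S, modifiers=modifiers)
    rows = conn.execute(sql).fetchall()
    return [(url, ts) for url, _title, _raw, ts in rows]


if __name__ == "__main__":
    db = build_sample_history()
    for url, ts in timeline(db, local=True):
        print(ts, url)
```

Against a real acquisition, point sqlite3.connect at a copy of the History file (never the live one; Chromium holds a lock and the copy preserves the evidence) and the query runs unchanged.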
Technical Writing Samples
Publicly documented scripts for investigations, Tenable agent management, and threat detection. Built for real operational use, not textbook examples.
Live interactive quiz testing phishing recognition skills. Accessible to all experience levels.
Research-backed analysis of cloud storage risk vectors, written for mixed technical and non-technical audiences.
Overview of QR code-based phishing techniques (quishing), practical indicators, and organizational mitigations.
Walkthrough of how access packages work in Microsoft Entra ID, covering automated provisioning, approval workflows, and the audit logging advantages over conventional group-based access control.
Frequently Asked Questions
Detection engineering, security tooling research, and building educational security content, including the phishing awareness game on this page. I'm particularly interested in projects at the intersection of AI/ML and security operations.
Selectively. If you have a project that aligns with my expertise in endpoint security, identity management, or security automation, reach out via the contact page with specifics.
On a limited basis. I focus on security-adjacent technical documentation, runbooks, policy drafts, training materials, and executive summaries. Send a message with details and I'll let you know if it's a fit.
Yes. Happy to discuss career pathing, certification strategy, or breaking into the field. Reach out and I'll do my best to help.