Security engineering meets precise communication.
Security engineer with nearly four years of enterprise experience spanning endpoint protection, identity management, network security, and cloud infrastructure — currently supporting a 3,000+ user environment. I build detection programs, lead security tooling migrations, and document investigations in a way that holds up under scrutiny. Especially interested in practical AI and machine learning that reduce noise and improve investigation speed without sacrificing clarity.
All project descriptions reflect work I owned and led. Implementation details and organizational specifics have been generalized as needed to respect confidentiality obligations.
Security Engineering Projects
Scope. Led an enterprise EDR migration from a rigid platform with limited customization into a solution capable of native SIEM integration, automation, and custom detection logic. Required building detection logic, playbooks, and alert tuning from the ground up within a new platform.
Ownership. Developed custom detection content mapped to multiple stages of the attack lifecycle. Tuned alert logic using behavioral baselines and structured aggregation to reduce high-volume, low-value alerts without losing true positives. Built incident response playbooks from scratch, defining clear investigative steps so responders could follow a consistent sequence rather than relying on memory or individual style.
Outcome. Reduced alert fatigue and improved triage consistency across the team. Investigations became more repeatable and defensible, with documented response paths replacing ad hoc decision making. Detection engineering shifted from reactive alert handling to structured program ownership.
Skills proved. Detection engineering, alert tuning, investigation design, IR documentation, EDR migration, threat hunting.
Scope. Inherited a vulnerability management platform during a SOC provider transition and built the program structure around it. The tool already existed in the new environment; the program around it did not.
Ownership. Led the platform migration, then built the vulnerability management program from the ground up. Defined remediation SLAs, prioritized findings, and assigned clear ownership across teams so findings had a path forward rather than sitting in a queue. Trained SecOps on both the tooling and the discipline. Stood up leadership reporting so posture was visible and reviewable on a consistent schedule.
Outcome. Introduced formal SLA tracking for vulnerability remediation across the organization. Established clear ownership of findings across teams and created a reporting rhythm leadership could rely on. Transitioned vuln management from reactive to structured — work that had previously been ad hoc became repeatable.
Skills proved. Vulnerability management, SLA design, cross-functional ownership, SecOps training, executive reporting.
Scope. Full replacement of a deprecated enterprise password manager across a 3,000+ user environment — from vendor selection through long-term adoption.
Ownership. Ran the RFP and vendor comparison, negotiated pricing directly, secured budget and executive approval, and managed the contract. Migrated the credential vault, rebuilt provisioning workflows, deployed SSO and browser extensions org-wide, and implemented policy-based controls to prevent unapproved credential storage. Delivered hands-on training for help desk staff and external agency users so the rollout held after go-live. Ongoing training ownership retained.
Outcome. Standardized credential management at enterprise scale across 3,000+ users. Procurement negotiation delivered a contract at a price point that received direct executive acknowledgment. Adoption enforced at the policy level, with training structured to support it — not left to self-selection.
Skills proved. Procurement and vendor negotiation, identity management, SSO integration, policy enforcement, change management, end-user training.
Scope. Led successive secure access migrations as organizational requirements and security maturity outgrew each prior solution — progressing from a legacy VPN with reliability and performance issues through increasingly capable platforms toward a unified SASE architecture. Two full production migrations completed; third in phased rollout.
Ownership. Evaluation, selection, and implementation across each transition. Every phase included MFA enforcement from day one, intentional policy configuration, and deployment runbooks written so investigations and troubleshooting did not rely on individual memory.
Outcome. Restored reliable connectivity for a fully remote workforce and advanced the network architecture toward zero-trust principles with each generation. MFA enforced at the network layer. Documentation standardized across all three transitions so institutional knowledge lived in the runbook, not in any one person.
Skills proved. Network security architecture, zero-trust design, MFA enforcement, vendor evaluation, technical documentation.
Scope. Public-facing interactive security awareness content, built independently. You can take this quiz in the Writing Samples section.
Ownership. Designed and built an interactive phishing simulation and awareness quiz from scratch. Covers social engineering recognition, QR code phishing, and cloud storage risks. Built for non-technical users — the audience most likely to need it and least likely to read a policy document.
Outcome. Publicly accessible with no login required. Awareness content that meets users where they are rather than where security teams wish they were. Try it below.
Skills proved. Security awareness program design, user education, content development.
Scope. Publicly available scripts written for real investigative and operational use cases, not textbook examples. Built to solve problems that came up in actual work.
Ownership. Authored KQL queries for malicious IP detection by domain, locked account reporting, and URL click history for specific users during investigations. Wrote PowerShell and batch scripts for Tenable agent detection and remediation. Built an SQL script for sorting browser history by local time in DB Browser, which is useful for incident timelines.
Outcome. Each script solves a specific problem: either the vendor documentation falls short, the native tooling requires a package tier most orgs don't have, or the investigation workflow needed something custom. All scripts are publicly available and documented on GitHub Gist, linked below in the Writing Samples section.
Skills proved. KQL, PowerShell, SQL, detection scripting, incident investigation, Tenable, Microsoft Sentinel.
Technical Writing Samples
Publicly documented scripts for investigations, Tenable agent management, and threat detection. Built for real operational use, not textbook examples.
Live interactive quiz testing phishing recognition skills. Accessible to all experience levels.
Research-backed analysis of cloud storage risk vectors, written for mixed technical and non-technical audiences.
Overview of QR code-based phishing techniques (quishing), practical indicators, and organizational mitigations.
Walkthrough of how access packages work in Microsoft Entra ID, covering automated provisioning, approval workflows, and the audit logging advantages over conventional group-based access control.
Frequently Asked Questions
Detection engineering, security tooling research, and building educational security content — including the phishing awareness game on this page. I'm particularly interested in projects at the intersection of AI/ML and security operations.
Selectively. If you have a project that aligns with my expertise in endpoint security, identity management, or security automation, reach out via the contact page with specifics.
On a limited basis. I focus on security-adjacent technical documentation — runbooks, policy drafts, training materials, and executive summaries. Send a message with details and I'll let you know if it's a fit.
Yes. Happy to discuss career pathing, certification strategy, or breaking into the field. Reach out and I'll do my best to help.