Manoj  ·  Dubai, UAE

Security Operations Engineer

Detection, response, and the hunt in between.

Nine years across security engineering and threat hunting, with the DFIR and MSSP-SOC years underneath them — the chairs where you learn what telemetry looks like before someone turns it into a rule. Currently engineering for Emirates Group; writing and consulting on the side.

  • Based in Dubai, UAE
  • Open to Senior Engineer & Threat Hunting roles
  • Email: manoj.komakula@gmail.com
  • LinkedIn: linkedin.com/in/manoj-komakula-0101
  • Writing: insightlayer.in
01

A short note

I started in a junior SOC seat in 2016 and have spent the years since moving deliberately deeper — from L1 triage at GSS Infotech, into L2 MSSP work at NTT Security, into hands-on DFIR at Newfold Digital, then into platform engineering and incident response as Platform Lead II at CyberProof, and now into senior engineering at Emirates Group.

The throughline is detection that survives contact with reality and response that holds together when alerts arrive in batches. I write KQL that doesn't fall over at scale, build Logic App and SOAR pipelines that close the loop instead of paging humans for known-good outcomes, and run forensics engagements where the deliverable is a defensible timeline rather than a tool dump.

Outside hours I run a DFIR and threat-hunting blog at insightlayer.in, maintain a Proxmox-based home lab that I use as a personal detection sandbox, and occasionally take consulting engagements.


02

Where I've worked

Jun 2024 — Present · Dubai, UAE

Security Operations Engineer

Emirates Group

An engineering seat inside a complex aviation enterprise, focused on the Microsoft security stack — Sentinel, Defender for Endpoint, Defender for Cloud, Defender for Cloud Apps, and Entra ID — and the workflows that connect them. The work spans detection content, SOAR automation, endpoint policy, identity, and email security; the day-to-day mix shifts with what's burning, but the underlying capability stays the same — turning each platform into something operators can actually run.

On the detection side, that means authoring KQL content across Sentinel and Advanced Hunting against MDE, mapped to MITRE ATT&CK and tuned for signal rather than volume — including the work that surfaced Windows servers running Defender AV in passive or disabled mode and drove remediation across the estate. On automation, it's Logic App playbooks that take known alert classes from page to closure without paging a human, measurably reducing MTTR. Endpoint hardening sits alongside it: ASR rule design, Exploit Protection (EAF / IAF), AV health monitoring, and the Intune / SCCM policy plumbing that actually delivers it.

The other half of the seat is identity and email. Identity work lives at the unfun edge of Entra ID — SSO and MFA flows, SAML mismatches, B2B guest lifecycles, AADSTS error chains, Conditional Access edge cases — the failure modes support tickets get stuck on. Email work is Mimecast policy engineering: closing Auto Allow override behaviour, tightening URL protection and spam scanning, and building detection for QR-code phishing. Underneath all of it: SSL / TLS certificate lifecycle, runbook authoring, and the detection-engineering documentation that lets the next analyst start where I left off.

Jun 2021 — May 2024 · India

Platform Lead II

CyberProof (a UST Global company)

A hybrid platform-engineering role with SOC-support work at an MSSP, serving clients across financial services, government, and enterprise verticals. Some weeks were spent building, others responding; the seat covered both ends. Engineering meant standing up Microsoft Sentinel/EDR end-to-end — analytics rules, workbooks, data connectors, Logic App playbooks. KQL detection content was tailored per client, tuned against their telemetry, and mapped to MITRE ATT&CK. SOAR playbooks were built with real enrichment integrations — VirusTotal, AbuseIPDB, customer CMDB — so triage decisions came back enriched rather than raw.

The response half was L3 escalation and IR-lead work across customer environments. That meant deep-dive investigation across endpoint telemetry on Windows, Linux, and macOS; identity, email, and cloud telemetry; static and dynamic malware analysis on recovered samples; and network forensics over full-packet captures, proxy and DNS data, IDS / IPS alerting, and Zeek / Suricata flow analysis to find C2 beaconing, lateral movement, and exfiltration, and to enhance the EDR capabilities. EDR fluency extended well past MDE — CrowdStrike Falcon, VMware Carbon Black, Cybereason, SentinelOne, Check Point, and Sophos all sat in the platform fleet, each with its own policy and exclusion regime.

Threat hunting was a programme rather than an ad-hoc activity — ATT&CK-driven, hypothesis-led, with reusable hunt packs across Sentinel and MDE Advanced Hunting. On the side: custom log ingestion pipelines (Logic Apps + Azure Functions) for SaaS APIs that lacked native connectors; HLD / LLD documentation aligned to regulatory compliance; Microsoft Purview DLP frameworks; mentoring junior analysts; and customer executive-level briefings on risk posture and security roadmaps.

Sep 2019 — May 2021 · India

Security Analyst (SOC + DFIR)

Newfold Digital · Endurance International Group

The battleground. A global web-hosting environment where the adversary surface was both the corporate network and tens of thousands of customer-facing properties — compromised customer sites, web-shell deployments, automated attacks at scale, and live C2 traffic showing up in telemetry every shift. Core SOC analyst by title, deep DFIR by practice: triage across Microsoft Sentinel, FireEye Helix, and EDR; investigation through to root cause; and full incident response on confirmed compromises — web-server intrusions, credential abuse, phishing-led account takeover, and the kind of mass-scale activity that doesn't fit a vendor playbook.

Host forensics came up daily, on both Linux and Windows, at the artefact level — $MFT, USN Journal, prefetch, registry hives, bash and auth logs, process timelines — used to reconstruct attacker movement and validate the real scope of compromise rather than the apparent one. Memory forensics with Volatility on live or recovered samples. Static and dynamic malware analysis on droppers and binaries to extract IOCs and pivot across the estate. Network-side reconstruction through web-server access and error logs, proxy and DNS telemetry, and IDS / IPS alerts to map entry vectors, lateral movement, and exfiltration paths. Hunting was ATT&CK-aligned across the hosting fleet — anomalous web shells, lateral patterns, persistence mechanisms — and every incident generated detection content that closed the gap the previous one had used. Each engagement closed with an RCA, chain-of-custody documentation, and a write-up engineering could use to harden the platform.

Jan 2018 — Sep 2019 · India

Security Analyst

NTT Security (MSSP)

The step out of the L1 chair into real investigation work. L2 SOC analyst across a portfolio of global MSSP clients on a 24/7 shift — owning triage, investigation, and escalation across SIEM, EDR, email security, and network telemetry. Where most of the foundational DFIR muscle was built: leading engagements on malware infections, phishing-led credential theft, and insider-threat scenarios, with end-to-end ownership from initial alert through containment guidance, evidence collection, and post-incident reporting.

Underlying capability covered host-level forensic analysis (prefetch, registry, event logs, browser artefacts, process timelines), phishing analysis with static and dynamic malware triage on email payloads, IOC extraction back into client detection content, and hypothesis-driven threat hunts across client tenants using MITRE ATT&CK to surface dormant compromises and detection gaps. SIEM correlation tuning and new detection content came from incident learnings rather than a roadmap. Client-facing communication mattered as much as the technical work — incident reports, RCAs, and threat advisories written for non-technical stakeholders as cleanly as for engineering audiences.

Nov 2016 — Nov 2017 · India

Junior Security Analyst

GSS Infotech

The first chair, and where the security career began. SOC monitoring across SIEM, IDS / IPS, endpoint, and email-security telemetry — alert triage, escalation, and first-pass investigation on malware, phishing, and policy violations. Early hands-on with static and dynamic malware triage on phishing payloads through sandbox and reputation tooling, EDR investigation workflows, and the supporting work that makes the rest possible: DLP policy design, log-source tuning, and correlation rule refinement. The foundation everything else was built on.


03

Tools & terrain

Detection & SIEM

  • Microsoft Sentinel
  • KQL · Sigma · ATT&CK
  • Splunk · ArcSight (legacy)
  • Detection-as-Code patterns

Endpoint & EDR

  • Microsoft Defender for Endpoint
  • Live Response & advanced hunting
  • Intune / SCCM endpoint policy
  • FLARE-VM, Kali, Remnux

Cloud & Identity

  • Microsoft Entra ID · Conditional Access
  • Microsoft Graph (PowerShell / REST)
  • BeyondTrust PAM
  • OAuth2 / OIDC / SAML troubleshooting

DFIR

  • Velociraptor · KAPE · Autopsy
  • Volatility (memory forensics)
  • Zeek · Suricata (network)
  • Timeline construction · chain of custody

Automation

  • Sentinel Logic Apps / playbooks
  • PowerShell (module authoring)
  • Python (scripting & small services)
  • n8n · low-code orchestration

Network & Lab

  • OPNsense · UniFi
  • Network segmentation design
  • Proxmox VE (detection lab)
  • TLS / PKI lifecycle

04

Credentials & study

Certifications

  • eCTHPv2 · eLearnSecurity Certified Threat Hunting Professional
  • SC-200 · Microsoft Security Operations Analyst Associate
  • SC-401 · Microsoft Information Security Administrator

Education

  • M.Tech, Network & Cybersecurity · Amity University · 2023
  • B.Tech · Kakatiya University · 2015

05

Selected writing

Detection Engineering

Detecting Defender AV passive mode at scale

A walk-through of a real compliance gap on a Windows Server estate — building the KQL, working around case-sensitivity traps in DeviceTvmSecureConfigurationAssessment, and closing the loop with a Logic App.


Threat Hunting

Threat hunting beyond IOCs

A hypothesis-driven framework I've been using since eCTHPv2 — why "go look for evil" doesn't scale, and what to do instead when you have a finite shift and a wide telemetry surface.


Long-form blog

InsightLayer

DFIR notes, threat-hunting walk-throughs, and longer technical pieces I publish on my own site. Where most of my detailed writing lives.
