David Seidman

CTO

Issaquah, Washington, United States · 21 yrs 2 mos experience

Key Highlights

  • Expert in building high-performing security teams
  • Over 18 years in tech with a focus on security
  • Passionate about psychological safety in the workplace
Stackforce AI infers this person is a leader in cybersecurity and incident response within the tech industry.

Skills

Core Skills

Security · Management · Software Engineering

Other Skills

Incident Response · Detection · Detection & Response · Threat Intelligence · Security Platform Engineering · Automation · Cloud Security · Security Management · C++ · Telemetry Systems · Cloud Computing · Computer Security · Interviewing · Security Incident Response · Intrusion Detection

About

I manage the Platform Security team at Plaid, which includes both preventative and detective controls. I've managed teams up to 27 people and 3 managers. My deepest passion is helping people love their jobs by building happy, healthy, inclusive, and high performing teams. I value psychological safety and empowerment, which consistently lead to great business results. Over 18 years in the tech industry, I've also had the chance to develop technical skills in incident response, detection, and software engineering, though I am a manager first and an engineer second. I used to write on Quora about management, security, the technology industry, and occasionally other things: https://www.quora.com/profile/David-Seidman. I haven't been writing actively lately because Quora has gone downhill, but my historical answers may still be interesting. I've also posted some here on LinkedIn, and hope to do more in the future. I've spoken at numerous conferences and appeared on several podcasts. I'm an ultra-distance trail runner, with ten 50 mile+ finishes, three 100 milers, a 200 miler, and multiple Fastest Known Times (FKTs) on segments of the Pacific Crest Trail. I use they/them pronouns. Feel free to ask questions!

Experience

Plaid

Head of Platform Security

Dec 2024 - Present · 1 yr 3 mos · Remote

  • I manage the team at Plaid responsible for preventative security controls and detection & response.
Security · Incident Response · Detection · Management

Robinhood

4 roles

Head of SecOps

Nov 2023 - Aug 2024 · 9 mos

  • I manage the SecOps team at Robinhood, which encompasses Detection & Response, Insider Threat, Threat Intelligence, and the Security Platform engineering team. Blue Team, basically.
Detection & Response · Threat Intelligence · Security Platform Engineering · Security · Management

Head of Security Platform and Intel

Promoted

Jul 2023 - Nov 2023 · 4 mos

  • I manage the team of engineers responsible for developing the infrastructure ("pipes and engines") that make Detection & Response possible, with plans to support all of Security soon. I also manage the Threat Intelligence team, responsible for tracking threat actor groups, providing IoCs and TTPs to the rest of the org, and driving security awareness and action based on real attackers across Robinhood Security.
Detection & Response · Threat Intelligence · Security · Management

Head of Detection & Response

Apr 2022 - Jul 2023 · 1 yr 3 mos

  • I manage the Detection & Response team at Robinhood.
Detection & Response · Security

Head of Detection and Response Platform

Nov 2021 - Apr 2022 · 5 mos

Salesforce

Sr. Director, Threat Detection

Jan 2020 - Nov 2021 · 1 yr 10 mos · Bellevue, WA

  • My team writes detection rules to catch attackers. We are pursuing some unusual strategies to try to radically improve our ability to detect attackers and speed of detection. Too often detection has become a checkbox exercise, trying to write rules that cover some fraction of ATT&CK TTPs without really achieving anything. We're taking a different approach. Maybe someday I'll be able to talk publicly about it. :)
  • Other key areas our team is focused on include:
      • Growing from an operational culture driven by manual labor to an engineering culture focused on automation and high fidelity detection
      • Developing a mature insider threat program
      • Validating detection efficacy using simulated attacks
      • Maturing the Salesforce process for detecting attacks against recently acquired companies (M&A)
Detection · Automation · Security

Google

Security Engineering Manager

Feb 2016 - Jan 2020 · 3 yrs 11 mos · Kirkland, WA

  • My Detection and Response team at Google Kirkland built new and revolutionary ways to detect and disrupt advanced attackers, with a focus on Google Cloud. My team was the first Google Cloud detection team and the first Google detection team in Kirkland. My team identified unique and interesting attacks against Google Cloud and cloud technologies in general and created detection capabilities to detect them. We also contributed substantially to the launch of Google Cloud's Event Threat Detection product, GCP's equivalent to AWS GuardDuty.
  • I also managed the Automation, Triage & Compliance team, which operates and automates high volume, low to moderate complexity security processes. The ATC team is also a training program: we hire engineers with little or no experience in the security industry and help them grow to be fully qualified for a range of security positions.
  • The ATC team gave >10 team members their start in security and helped many grow towards promotion, transferring to other teams and contributing throughout Google security. Also, 50% of team members were from URM groups. Too many DEI initiatives fail, but we found a way that works.
  • I also created other internal training programs to further expand the security training pipeline. Together, education programs I started were responsible for recruiting 25 people, >10% of all Security Engineers at Google.
  • At peak, I managed up to 21 individuals including 1 manager across 3 teams and 2 locations.
  • I was also co-author of the Incident Response chapter in Google's Secure & Reliable Systems book.
Detection · Cloud Security · Security

Microsoft

Senior Security Program Manager Lead

Jun 2005 - Jan 2016 · 10 yrs 7 mos · Redmond, WA

  • I worked for the Microsoft Security Response Center. My team of 5 managed Microsoft's SSIRP process - our response to the most critical security issues, the ones in the news or where customers are being actively attacked. This role included both PSIRT and CSIRT incident response (IR) functions. Prior to managing the team, I was a responder on it. Before that, I worked on security updates and service packs for Office.
  • If you read bad news about Microsoft security between 2010 and 2015, my team was responsible for fixing the problem.
Incident Response · Security Management · Security

Teletronics Technology Corporation

Software Engineer Intern

May 2004 - Feb 2005 · 9 mos

  • TTC makes telemetry and data acquisition systems, which acquire data from a network of sensors, store it and perform calculations on it. This is used in testing and operating aircraft. I wrote software in C++ to perform calculations on and display the data that was being collected.
C++ · Telemetry Systems · Software Engineering

Education

Boston University

BA & MA

Jan 2003 - Jan 2005

Dartmouth College

Computer Science

Jan 2000 - Jan 2002
