David French

Director of Engineering

Fort Collins, Colorado, United States · 20 yrs 2 mos experience

Key Highlights

  • Over a decade of experience in Detection Engineering.
  • Creator of Dorothy tool for security monitoring.
  • Contributed to MITRE ATT&CK knowledge base.

Skills

Core Skills

Threat Hunting, Detection Engineering, Malware Analysis, Threat Research, Behavior-based Detections, Incident Response

Other Skills

Automated Workflows, Threat Detection, Machine Learning, Detection Strategy, Information Security, Security, Incident Management, Detection-as-Code, Python (Programming Language), Amazon Web Services (AWS), PowerShell, Public Speaking, Digital Forensics, Security Incident Response, Networking

About

Your data is one of your most valuable assets — the better you protect it from attack, the better your reputation will be with discerning customers.

I'm a leader in Detection Engineering with over a decade of experience defining, building, and scaling security operations capabilities. I've developed APIs, tools, and AI-powered workflows for automating security operations tasks to detect & respond to threats to a company's brand and customers before any damage occurred. I've also shared best practices and knowledge on the implementation and principles of Detection-as-Code.

I enjoy giving back to the community, sharing knowledge and best practices through public speaking, blogging, mentoring, and running Capture The Flag (CTF) events. I'm also a contributor to the MITRE ATT&CK knowledge base of adversary behavior. You can find some of my research, open-source tools, conference presentations, and technical publications here: https://github.com/threat-punter/security-publications

I'm the creator of Dorothy — a tool to help security teams test their monitoring and detection capabilities for their Okta environment. I presented Dorothy at Black Hat USA.

My recent focus areas for research and detection engineering are Google Cloud, GitHub, Windows, macOS, Okta, and AWS. I have extensive experience in various cybersecurity and IT domains including threat hunting, detection engineering, incident response, digital forensics, and malware analysis.

Certifications: CISSP, GMON, GCIH, GREM, GCFE, CCNA Security, CCNA Routing & Switching, ITIL, Security+

Experience

Docusign

Senior Manager of Detection Engineering

Jan 2026 - Present · 3 mos · Colorado, United States

Google

Staff Security Engineer • Blue Team Advocate • Google SecOps

Sep 2023 - Jan 2026 · 2 yrs 4 mos · Colorado, United States

Twilio

Staff Security Engineer • Detection Engineering & Threat Hunting • Technical Lead

Mar 2022 - Sep 2023 · 1 yr 6 mos · Colorado, United States

  • Built and led the company's threat hunting capability in order to proactively identify threats that may evade existing security defenses before damage or loss occurs.
  • Researched and hunted for attacker tradecraft in order to improve detection coverage for the company's products and cloud, endpoint, messaging, and Identity & Access Management (IAM) systems.
  • Designed and built automated workflows to detect and respond to threats to the company’s products, customers, and network.
  • Trained others within the security organization in order to enable them to effectively triage, investigate, and respond to threats.
Threat Hunting, Detection Engineering, Incident Response, Automated Workflows

Elastic

Senior Security Research Engineer

Oct 2019 - Mar 2022 · 2 yrs 5 mos · Colorado, United States

  • Researched attacker tradecraft to develop detections and preventions for Elastic's SIEM and Endpoint Security products. Platforms include Windows, macOS, Okta, Google Cloud Platform (GCP), Office 365, Google Workspace, and Azure.
  • Developed the Malicious Behavior Protection feature and accompanying rules for Elastic Endpoint Security. Behavior Protection rules can execute response actions to prevent malicious behavior in addition to detecting it.
  • Created and released Dorothy, a free tool for security teams to test their visibility and detections for their Okta Single Sign-On (SSO) environment. Presented Dorothy at Black Hat USA 2021.
  • Received the Outstanding Contribution Award for the company-wide Engineering team in 2020.
  • Contributed several references and techniques to the MITRE ATT&CK knowledge base of adversary behavior.
  • Published "The Elastic Guide to Threat Hunting" — a companion guide to help security teams learn methodologies and techniques to proactively hunt for malicious behavior in their organization’s network.
  • Developed a machine learning model to classify Windows shortcut (LNK) files as malicious or benign and presented research at BSides Salt Lake City.
  • Regularly shared information with the community via blogging, webinars, and conferences to help security practitioners with their understanding of attacker tactics, threat detection, threat hunting, and log analysis.
  • Designed and hosted capture the flag (CTF) events for the security community at BSides conferences.
Detection Engineering, Malware Analysis, Incident Response, Threat Detection

Endgame

Threat Researcher

Nov 2018 - Oct 2019 · 11 mos · Colorado, United States

  • Endgame was acquired by Elastic in 2019.
  • Researched adversary tradecraft to develop behavior-based detections for the company’s Endpoint Detection & Response (EDR) solution.
  • Engineered features based on process events and collaborated with data scientists to build ProblemChild, a machine learning model to detect suspicious process relationships. Patent pending.
  • Developed automated workflows to triage alerts, address false positives, and improve efficacy of detection rules for customers.
Threat Research, Behavior-based Detections, Machine Learning

Capital Group

Senior Information Security Analyst

May 2012 - Nov 2018 · 6 yrs 6 mos · San Antonio, Texas, United States

  • Developed, implemented, and trained analysts on the SOC’s threat hunting, detection, and incident response processes.
  • Led the effort to align the SOC’s detection strategy with the MITRE ATT&CK framework to focus resources on detecting attacker behavior in the organization’s network.
  • Developed a tool to automate the monitoring of over 2,000 typosquatting domains that posed a risk of phishing attacks or brand misuse. The custom-built tool helped thwart several attacks and saved 45 minutes of analyst time daily.
  • Hypothesized and executed hunt activities to identify use of adversary tactics, techniques, and procedures (TTPs), developed detection rules, and worked with the incident response team for remediation as needed.
  • Organized and led incident response identification, containment, eradication, and recovery activities.
  • Delivered a live cyber-attack and defense scenario to the fund board to raise security awareness and demonstrate the SOC’s ability to detect and respond to threats to the organization.
  • Presented at the annual FS-ISAC summit to share how passive reconnaissance techniques can be used to proactively defend a financial services organization from cyber attacks.
  • Designed and built forensics and malware analysis capability.
Incident Response, Threat Hunting, Detection Strategy

Frontier Economics

Information Technology Specialist

Jan 2011 - Apr 2012 · 1 yr 3 mos · London, United Kingdom

Capital Q High Security Services

IT Help Desk Manager

Dec 2005 - Dec 2010 · 5 yrs · London, United Kingdom

Education

Western Governors University

Bachelor of Science — IT Security
