Sam Stoneley. Let's Connect
Welcome to my portfolio

Hi, I'm Sam.

I'm a security professional focused on engineering robust detections, staying ahead of evolving threats, and turning noisy alerts into clear, actionable signals.

View My Work More About Me

About Me

I started my career in cybersecurity as an apprentice triaging security alerts. Nearly a decade later, I'm still focused on the same fundamental problem: how do you detect the threats that actually matter without burying analysts in noise?

That question has shaped my career, taking me from frontline incident response on ransomware and nation-state investigations to leading a UK Security Operations Centre supporting more than 50 enterprise customers. Today, I work in detection engineering, building and improving the systems that decide whether an alert is worth an analyst's attention.

I'm most interested in the gap between what's technically correct and what's operationally useful. A detection that fires constantly but never catches anything meaningful isn't a detection, it's noise. Some of the work I'm proudest of is deliberately unglamorous: auditing hundreds of existing detections, improving detection quality at scale, and building CI/CD pipelines that prevent broken or low-quality rules from ever reaching production.

I also enjoy the translation side of security: turning complex incidents into clear decisions for leadership, or helping transform a junior analyst's instinct into a reliable detection. Outside of work, you'll usually find me on the golf course or taking my home espresso setup far too seriously.

Core Technologies

Microsoft Defender Microsoft Sentinel SenseOn Python Splunk SQL KQL GCP AWS VMware ESXi

Featured Portfolio

// LummaC2 Triage Engine — Sample SHA256: 80741061ccb6a337...

$ python3 dynamic_analyzer.py --sample ./malware/lumma_build.exe

DBG: Base64 PowerShell stager detached. Invoking .NET Reflection API

NTDLL: Dynamic API Hash Resolving via Process Environment Block (PEB).

INJECT: Process hollowing successful into targeted memory container

[C2_POST: hxxps://snail-r1ced[.]cyou/c2/sock

[!] EXFIL: Harvesting Chromium Cookies, Crypto Wallets, and Session Tokens into memory zip.

Blog

Fake CAPTCHAs, Real Threats

How Lumma Stealer Tricks Users into Self-Inflicted Malware

// Production API Gateway Engine

$ npm run start:prod

[info] Server successfully listening on port 3000

[info] PostgreSQL Database cluster connection: ONLINE

[info] Redis Cache cluster replication synchronized: OK

[api] 22:47:12 UTC - GET /api/v1/dashboard/metrics - 200 OK (42ms)

[auth] JWT Session Validated successfully for User ID #48291

Website

FISH

A website developed for a Fish and Chip shop in Huddersfield

// Front-End Dev Server Instance

$ npm run dev

VITE v5.2.0 ready in 245 ms

➜ Local: http://localhost:5173/

➜ Network: use --host to expose

[vite] hmr update /src/styles/main.css

[vite] hot module replacement active (DOM synchronized)

Website

Heywood Christadelphians

A website developed for a Christadelphian church

// Cron Worker #04 - Active Task Execution

$ python3 bypass_solver.py --target accounts.auth_portal

[14:40:14] WARN: Captcha challenge detected [SiteKey: 6LeWwYshAAAAAG...].

[14:40:15] INFO: Dispatching payload hash to background solver API...

[14:40:22] DBG: Waiting for token resolution (Polling try #1)...

[14:40:28] SUCCESS: Token received, Injecting DOM token response.

[14:40:29] INFO: Form submitted successfully. Session authenticated.

Python Automation

CAPTCHA Bypass

A Python script to bypass CAPTCHA verifications

// Cron Worker #04 - Active Task Execution

$ python3 automation/purchase_worker.py --env production

[14:32:01] INFO: Initializing headless browser engine...

[14:32:03] INFO: Target inventory matched. Processing SKU-8841.

[14:32:05] DBG: Injecting customer checkout payloads...

[14:32:08] SUCCESS: API transaction cleared. Order #99412A confirmed.

[14:32:09] INFO: Notification receipt dispatched via Webhook.

Python Automation

Palace Automated Purchase

Automations for purchasing items from online stores

// Recent Exploit Analysis

$ steghide extract -sf monalisa.jpg

[i] Target container unraveled successfully.

$ target_flag_captured_

Hack the Box Challenge

Da Vinci

Hack The Box challenge extracting hidden information from images

// Dump pane - ds:[00403000] (Data Section)

00403000  48 54 42 7B  4F 6C 6C 79   HTB{Olly

00403008  44 62 67 5F  52 33 76 33   Dbg_R3v3

00403010  72 73 31 6E  67 5F 21 7D   rs1ng_!}

EAX: 00000001  EBX: 7FFDF000  ECX: 00403000

EIP: 0040102C  ESP: 0022FF40  EBP: 0022FF60

Hack the Box Challenge

Find The Easy Pass

Hack The Box challenge extracting a password hidden within an executable

// Begin wfuzz behaviour

$ wfuzz -c -z range,0-30 --hs="Error: flag not found"

[i] Fuzzing /api/ endpoint.

[i] Fuzzing /account/ endpoint.

$ target_flag_captured_

Hack the Box Challenge

Fuzzy

Hack The Box challenge discovering hidden API endpoints on a website

// Network Reconnaissance Module

$ nmap -sC -sV -O -p- -oN nmap/initial_assessment.txt 10.10.10.137

NMAP: Host is up (0.042s latency). Initiating SYN Stealth Scan...

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1

80/tcp open http Apache httpd 2.4.52

[i] OS Detection: Linux 5.4 - 5.15 (Confidence: 96%)

[!] VULN: NSE Script triggered -> CVE-2017-7494 (Remote Code Execution)

Hack the Box Machine

Luke

Hack the Box machine involving vulnerability exploits to gain root access

// Framework Exploit Matrix — Core Console v6.3

$ msfconsole -q -x "use exploit/PRTG/rce_050; set RHOSTS 10.10.10.45; run"

[*] Started reverse TCP handler

[i] Target validation: Host meets kernel vulnerability conditions.

[*] Target OS selected: Windows 7 Ultimate SP1 (x64)

[*] Sending payload deployment fragments (Stage 1)...

[*] Meterpreter session 1 opened

Server username: NT AUTHORITY\SYSTEM (Pwnage Verified)

Hack the Box Machine

Netmon

Hack The Box machine involving command injection and file manipulation to gain root access

// Interactive Web Shell Handler

$ curl -X POST /uploads/cmd.php -d "cmd=id; pwd; uname -a"

/var/www/html/uploads

$ curl -X POST /uploads/cmd.php -d "cmd=ls -la ../"

-rw-r--r-- 1 www-data www-data 142 Jul 5 18:21 index.php
drwxrwxrwx 2 www-data www-data 4096 Jul 5 18:25 uploads

[+] Status: Target web server interactive file upload path fully verified.

Hack the Box Machine

Traceback

Hack The Box machine which involves exploiting a web shell to gain SSH access

Certifications & Credentials

Formal validations of my skills and continuous professional learning.

CompTIA CySA+ (Cybersecurity Analyst)

CompTIA

Issued: April 2023 Verify

Microsoft AZ-500 (Azure Security Engineer)

Microsoft

Issued: January 2024 Verify

Microsoft AZ-900 (Azure Security Engineer)

Microsoft

Issued: June 2023 Verify

Cyber Intrusion Analyst (level 4)

BCS

Issued: January 2020

CISMP (Certificate in Information Security Management Principles)

BCS

Issued: November 2019