Detection, response, and hardening — the defensive capability that makes the difference between an incident and a breach. Security Cyber's primary area of expertise and the foundation of all ongoing development work.
Offensive security gets the attention — red teams, exploit chains, and CVE drops make the headlines. But the most operationally critical skill in cybersecurity is the ability to detect, analyse, contain, and recover from attacks that have already succeeded.
Blue team work is Security Cyber's primary development area and long-term career direction. Current practice is presented through supplied CV evidence, certificate evidence, public labs, write-ups, and portfolio work rather than unsupported credential claims.
Understanding how attackers operate directly improves defensive judgement. The goal is to become a practitioner who can recognise the path an attacker might take and then build the controls, alerts, and response notes that make sense.
These areas reflect current study, lab work, and practical notes. They are useful as learning evidence and as starting points for scoped conversations where written permission exists.
Tier 1 and Tier 2 SOC analysis work — working through alert queues, triaging events, distinguishing true positives from false positives, and documenting findings with full chain of evidence. Structured around the NIST Incident Response lifecycle.
Alert Ingestion → Triage & Classification → Log Correlation → IOC Extraction → Threat Intelligence Lookup → True/False Positive Determination → Escalation Documentation → Analyst Notes
Hypothesis-driven threat hunting across log sources — looking for attacker activity that bypassed automated detection. Uses MITRE ATT&CK TTP mapping to build hunting hypotheses, then searches across endpoint, network, and authentication logs for indicators of compromise or pre-attack staging.
Hypothesis Creation (ATT&CK TTP) → Data Source Identification → Hunt Query Development → Log Search & Analysis → Anomaly Investigation → IOC Documentation → Detection Rule Creation
Structured support during and after a security incident — working through the NIST IR phases: preparation, detection, containment, eradication, recovery, and post-incident lessons learned. Produces a written incident timeline, root cause analysis, and recommendations to prevent recurrence.
Preparation → Detection & Analysis → Containment → Eradication → Recovery → Post-Incident Activity (Lessons Learned Report)
Deep-dive log analysis across Windows Event Logs, Sysmon, firewall logs, web server logs, and authentication records. Identifying attack patterns, anomalous behaviour, and missed detections. Includes SIEM query development, dashboard creation, and detection rule (Sigma/KQL/SPL) writing.
Windows Event Logs (4624/4625/4688/4698/7045) · Sysmon (Event IDs 1/3/7/11/13) · Linux Syslog/Auth · Apache/Nginx Access Logs · Firewall/DNS Logs · PowerShell ScriptBlock Logging
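As an added example (not code from the original page), the kind of detection logic a SIEM rule over the Windows event IDs listed above encodes: a burst of 4625 failed logons from one source followed by a 4624 success, then a 7045 service install or 4698 scheduled-task creation from the same source shortly after. The event records are constructed, normalised sample tuples, not real log lines, and the thresholds and windows are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, normalised to (timestamp, event_id, source_ip, target_user, detail).
# 4624/4625/4698 come from the Security log, 7045 from the System log; all assumed, not real data.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4625, "10.0.0.7", "svc_backup", "bad password"),
    ("2024-05-01T09:00:02", 4625, "10.0.0.7", "svc_backup", "bad password"),
    ("2024-05-01T09:00:03", 4625, "10.0.0.7", "svc_backup", "bad password"),
    ("2024-05-01T09:00:04", 4625, "10.0.0.7", "svc_backup", "bad password"),
    ("2024-05-01T09:00:05", 4625, "10.0.0.7", "svc_backup", "bad password"),
    ("2024-05-01T09:00:09", 4624, "10.0.0.7", "svc_backup", "logon type 3"),
    ("2024-05-01T09:00:40", 7045, "10.0.0.7", "svc_backup", "service: updater"),
    ("2024-05-01T09:01:00", 4625, "10.0.0.9", "alice", "bad password"),
    ("2024-05-01T09:02:00", 4624, "10.0.0.9", "alice", "logon type 2"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def find_brute_force_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (source, user) pairs with >= threshold 4625s followed by a 4624 inside the window."""
    failures = defaultdict(list)   # (source, user) -> timestamps of recent 4625s
    hits = []
    for ts, eid, src, user, _ in sorted(events, key=lambda e: e[0]):
        t = parse(ts)
        key = (src, user)
        if eid == 4625:
            failures[key].append(t)
            failures[key] = [f for f in failures[key] if t - f <= window]  # drop stale failures
        elif eid == 4624:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                hits.append({"source": src, "user": user, "failures": len(recent), "success_at": ts})
            failures[key] = []  # a success resets the counter for this pair
    return hits

PERSISTENCE_IDS = {4698: "scheduled task created", 7045: "service installed"}

def find_persistence_after_logon(events, hits, window=timedelta(minutes=10)):
    """For each brute-force hit, list 4698/7045 events from the same source within the window."""
    findings = []
    for hit in hits:
        start = parse(hit["success_at"])
        for ts, eid, src, _, detail in events:
            delta = (parse(ts) - start).total_seconds()
            if eid in PERSISTENCE_IDS and src == hit["source"] and 0 <= delta <= window.total_seconds():
                findings.append({**hit, "persistence": PERSISTENCE_IDS[eid], "detail": detail, "at": ts})
    return findings
```

On the sample data the single failed logon from 10.0.0.9 stays below threshold, while 10.0.0.7 produces one brute-force hit and one linked persistence finding.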
Forensic examination of digital artefacts — disk images, memory dumps, network captures, and file system artefacts. Identifying attacker TTPs, persistence mechanisms, data accessed, and timeline reconstruction. All findings documented in a forensic report with chain of custody maintained.
Memory Dumps (Volatility) · Disk Images (Autopsy) · PCAP Analysis (Wireshark/Zeek) · Prefetch / Shimcache / Amcache · Registry Hives · Browser Artefacts · $MFT / $LogFile
Reviewing system and application configuration against CIS Benchmarks, NIST guidance, and security best practices. Identifying misconfigurations, excessive permissions, disabled security controls, and logging gaps — before an attacker finds them. Produces a prioritised hardening checklist.
Windows Baseline (CIS Level 1/2) · Linux Hardening · Web Server Config · TLS/SSL Review · Firewall Rule Analysis · Logging & Monitoring Coverage · User Privilege Review · Patch State Assessment
The NIST SP 800-61r2 lifecycle is used here as a learning and note-taking structure for incident response thinking.
The three dominant SIEM platforms — each practised through hands-on labs, TryHackMe rooms, and structured study. Detection rules, queries, and dashboards written in native query languages.
Splunk, a widely deployed SIEM platform. SPL (Search Processing Language) is used for log search, correlation, and dashboard creation in lab and learning contexts.
Elasticsearch, Logstash, and Kibana — the most widely deployed open-source log stack. KQL (Kibana Query Language) used for threat hunting. Elastic Defend provides EDR capability. Winlogbeat and Filebeat for log shipping from endpoints.
Microsoft Sentinel, a cloud-native SIEM built on Azure Log Analytics. KQL (Kusto Query Language, distinct from Kibana's KQL above) is used for hunting and detection, with native integration across Microsoft 365, Defender for Endpoint, Azure AD, and data connectors.
The tools that define modern blue team practice — all actively used in lab environments, TryHackMe rooms, and structured DFIR study.
// All tools practised in isolated lab environments and authorised TryHackMe / HackTheBox ranges. Destructive or active-scanning tools used only within agreed engagement scope.
Only CV-backed credentials, certificate evidence, and public learning evidence are listed here. Future targets are intentionally not shown as claims.
Supplied CV evidence lists 149+ TryHackMe rooms, 26 badges, top 3% TryHackMe ranking, and Hack The Box practice.
ISC2 Certified in Cybersecurity (CC), completed 2026, backed by the supplied ISC2 certificate.
Listed in the supplied profile export alongside Web Fundamentals Certificate and Introduction to Cybersecurity.
Understanding attack techniques at the depth required to execute them — IDOR chains, auth bypass, living-off-the-land techniques, C2 patterns — directly improves defensive capability. Here's how.
Writing Sigma rules and SIEM detections is more effective when you understand how the attack actually works — what process creates what event, what the normal vs malicious pattern looks like. Offensive lab work drives better detection engineering.
Threat hunting hypotheses built on real attacker methodology — not just MITRE ATT&CK IDs. Knowing how lateral movement actually appears in Sysmon Event 3 logs, or what living-off-the-land looks like in process creation events, makes hunts more targeted.
When investigating an incident, understanding offensive techniques allows faster identification of the attack vector, the full lateral movement path, and all persistence mechanisms — rather than finding the obvious indicator and stopping there.
Security hardening recommendations grounded in real attack paths — not generic checklists. Knowing that attackers target LSASS via Mimikatz means recommending Credential Guard specifically, not just "enable all security features."
Whether you need threat hunting, incident response support, log analysis, or a SIEM review — let's scope it properly and get started.