Former Navy Corpsman to cybersecurity with real-world combat experience. I bring military discipline, high-pressure decision-making skills, and a systematic approach to threat detection and incident response.

Purple Team & SOC Focus — building both offensive and defensive capabilities
Operating a 22+ VM home lab for attack simulation and detection engineering
Pursuing PSAA → PSAP → Security+ → CCDL1 → PAPA → PJPT → PNPT certification path
(Inactive) TryHackMe Top 1% - 270+ rooms completed
Actively seeking SOC Analyst & Purple Team roles

$\color{Red}\normalsize{\textsf{Red Team}}$

• Penetration Testing & Security Research
• Red team operations & exploitation
• Active Directory & Windows exploitation
• Network security & privilege escalation

$\color{LightSkyBlue}\normalsize{\textsf{Blue Team}}$

• Threat detection & incident response
• SIEM analysis & log correlation
• Threat hunting & malware analysis
• Security monitoring & alerting

$\color{MediumOrchid}\large{\textsf{Nebula Forge Detection Suite v2}}$

All 20 tools are part of Nebula Forge — an open-source SOC platform covering the full workflow: Detect → Normalize → Hunt → Drift → Cluster → Simulate → Investigate → Respond → Report. The Detection Suite v2 runs as a fully containerized stack — 7 tools, a shared Postgres backend, and a central dashboard — a single docker compose up -d starts all services with a shared Postgres backend. The dashboard (port 5010) provides live status, one-click launches, and pipeline monitoring across all 20 tools in the org.

Nebula Forge includes two automated pipelines:

• Drift-scan — scheduled Sigma rule drift analysis across your detection library
• Purple-loop — end-to-end purple team cycle: discover (VulnForge) → simulate (AtomicLoop) → detect (Wazuh/Splunk) → validate (DriftWatch) → hunt (HuntForge) | Pipeline validated end-to-end April 2026

YaraForge - YARA Rule Generator & Testing Platform
Build, manage, test, and visualize YARA detection rules with MITRE ATT&CK mapping and a detection dashboard.
Python Flask YARA MITRE ATT&CK Detection Engineering

SnortForge - SnortForge - Snort IDS/IPS Rule Generator — Flask web app with multi-content chaining, Snort 2/3 syntax toggle, rule performance scoring, 12 detection templates, inline help tooltips, PCRE flag checkboxes, HTTP URI/Header matching, rule validation, and .rules file import/export. Dark-themed UI with real-time live preview. v1.2.0. Python Flask Snort IDS/IPS Network Security

SigmaForge — Vendor-Agnostic Sigma Rule Generator Custom conversion engine (no pySigma dependency) generating Sigma rules to 6 SIEM backends: Splunk SPL, Elastic KQL, EQL, Sentinel KQL, Wazuh XML, and QRadar AQL — plus Detection-as-Code JSON. MITRE ATT&CK mapping, 12 pre-built templates, rule library, and standalone CLI. Python Flask Sigma SIEM Detection Engineering CLI Python Flask Sigma SIEM Detection Engineering CLI

Azure-SOC-mini-lab — Azure Cloud Detection Lab KQL detections, attack simulations (12 MITRE ATT&CK techniques mapped), and IR documentation for the Azure control plane — identity, compute, and key vault planes. Built on Microsoft Sentinel / Log Analytics with anomaly-based detection, synthetic log samples, and an automated NSG response playbook. Azure KQL Microsoft Sentinel MITRE ATT&CK Detection Engineering Cloud Security

AWS-SOC-lab — AWS Cloud Detection Lab CloudTrail-based detections in CloudWatch Logs Insights and Athena SQL, attack simulations for IAM privilege escalation, credential exfiltration, S3 enumeration and public exposure, CloudTrail disable, and EC2 post-exploitation via SSM RunCommand — with GuardDuty finding integration, 5 IR reports, and a Lambda auto-response playbook. AWS companion to Azure-SOC-mini-lab. AWS CloudTrail GuardDuty CloudWatch Logs Insights Athena MITRE ATT&CK Detection Engineering Cloud Security

LogNorm - Log Source Normalizer (port 5006)
Normalizes log sources from disparate inputs into a consistent ECS-lite schema for downstream detection and analysis pipelines.
Python Flask Log Normalization ECS SIEM

HuntForge - MITRE ATT&CK Hunt Playbook Generator (port 5007)
Generates structured threat hunting playbooks mapped to MITRE ATT&CK techniques, providing analyst-ready queries and investigation checklists.
Python Flask MITRE ATT&CK Threat Hunting Detection Engineering

DriftWatch - Sigma Rule Drift Analyzer (port 5008)
Analyzes Sigma rule libraries for drift — identifying stale, misconfigured, or coverage-gapped rules over time. Feeds the drift-scan pipeline.
Python Flask Sigma Detection Engineering Rule Management

ClusterIQ - Contextual Alert Clustering Engine (port 5009)
Groups and contextualizes alerts using behavioral clustering to reduce noise and surface high-fidelity incident signals for SOC triage.
Python Flask Alert Clustering SOC Incident Response

AtomicLoop — Atomic Red Team Test Runner (port 5011) Executes Atomic Red Team tests in controlled loops for purple team validation, feeding results into the purple-loop pipeline for detection coverage measurement. Dedicated purple loop target: Win10x2 (Wazuh agent 005, AtomicLoop-Test). Python Flask Atomic Red Team Purple Team MITRE ATT&CK

VulnForge - Vulnerability & Exploit Intelligence Tool (port 5012)
Aggregates exploit intelligence from ExploitDB, NVD, and Metasploit, maps findings to MITRE ATT&CK techniques, and feeds results into the purple team pipeline — generating hunt playbooks, LogNorm-ready exports, and AtomicLoop simulation triggers from a single search.
Python Flask MITRE ATT&CK Vulnerability Intelligence Purple Team

WifiForge - Wireless Network Security Analyzer (port 5013)
Passively scans wireless networks, assesses security posture, detects deauth attacks and rogue configurations, maps findings to MITRE ATT&CK techniques, and exports results to the Nebula Forge LogNorm pipeline.
Python Flask Scapy Wireless Security MITRE ATT&CK

AgentWatch — Wazuh Agent Health Monitor** Lightweight Rust binary that polls the Wazuh REST API, surfaces disconnected and never-connected agents in real time, detects state transitions, and emits structured JSON log events compatible with Wazuh log ingestion. Runs as a persistent monitor alongside the Nebula Forge stack. Rust Wazuh Lab Infra SOC SIEM Agent Monitoring

EndpointForge - Cross-Platform Endpoint Security Monitor
Host-based intrusion detection and endpoint triage across 5 modules: process execution, file integrity (SHA-256 FIM), network connections, registry persistence (Windows), and autoruns — all MITRE ATT&CK mapped. Includes Wazuh export integration: POST /api/wazuh/export writes NDJSON picked up by the Wazuh agent using bundled decoder and rules (IDs 100200–100265) with ATT&CK technique tags — no manual log shipping. Markdown/JSON report generation for IR workflows.
Python Flask MITRE ATT&CK HIDS Endpoint Security Wazuh

EndpointTriage - Windows Endpoint Forensic Artifact Collector
Automated PowerShell-based IR triage script that collects volatile and non-volatile forensic artifacts — running processes with hashes, network connections, registry persistence checks, scheduled tasks, event log extraction (Security, Sysmon, PowerShell, Defender), named pipe enumeration, and suspicious indicator flagging. Outputs a structured triage package with HTML summary report.
PowerShell Incident Response Forensics DFIR Endpoint Security

Log-Analyzer - Security Log Analyzer
Python-based log analysis tool designed for SOC analysts with pattern matching and anomaly detection.
Python Flask SIEM Log Analysis SOC

Phishing-Analyzer - Phishing Email Analyzer
Email header and content analysis tool for identifying phishing campaigns and malicious indicators.
Python Email Security Phishing Detection Blue Team

Threat-Intel-Dashboard - Threat Intelligence Dashboard
Real-time threat intelligence platform with IOC tracking, feed aggregation, and visual analytics for SOC operations.
HTML JavaScript Threat Intelligence OSINT SOC

ThreatTape - Live IOC Threat Intel Feed (port 5014)
Aggregates indicators of compromise from AbuseIPDB and AlienVault OTX, displays live IOC data with severity scoring, country of origin, community report counts, and MITRE ATT&CK technique tags. Falls back to curated mock data with no API keys required.
Python Flask Threat Intelligence IOC MITRE ATT&CK AbuseIPDB OTX

SIREN - Security Incident Response Engine & Notation
Professional incident report generator following NIST 800-61 framework with severity scoring, IOC tracking, timeline management, and Markdown/JSON export.
Python Flask NIST 800-61 Incident Response SOC

WarGameForge - SOC Investigation Scenario Generator Generates realistic SOC investigation scenarios from MITRE ATT&CK techniques — complete with SIEM alert blocks, investigation clues, red herring artifacts, and step-by-step solution walkthroughs. Difficulty-scaled from easy to hard, 12 built-in techniques plus custom input. Python Flask SOC Training MITRE ATT&CK Detection Engineering Blue Team

Security-Awareness-Training - Security Awareness Platform Enterprise-style platform with phishing simulations, training modules, and progress tracking. Python Flask Security Training Phishing Simulation

Hidden-Rogue-AP-Detector - Rogue Access Point Detector Python-based wireless security tool for detecting unauthorized access points using RSSI signal strength analysis, whitelist management, and active/passive scanning modes. Python Scapy Wireless Security Network Monitoring Rogue AP Detection

Wi-Fi-Probe-Request-Sniffer - Wi-Fi Probe Request Analyzer Captures and analyzes wireless probe requests from nearby devices with SSID extraction, MAC vendor identification, and CSV/JSON export for network visibility and device enumeration. Python Scapy 802.11 Network Security Device Enumeration

SMB-RDP-Exploitation-Scanner — SMB & RDP Vulnerability Scanner Python-based exploitation scanner for authorized penetration testing. Detects and validates SMB vulnerabilities (EternalBlue MS17-010, SMBGhost CVE-2020-0796, null session enumeration) and RDP vulnerabilities (BlueKeep CVE-2019-0708) with credential brute forcing, multi-format reporting (JSON/CSV/TXT), and threaded subnet scanning. Designed for Kali Linux. Python Penetration Testing SMB RDP Network Security Vulnerability Assessment

Network-Security-Toolkit — PathFinder & PathGuard Unified red/blue team network security toolkit built on a shared core library (NetworkMapper). PathFinder maps attack paths, lateral movement routes, and exfiltration channels with Shodan integration and MITRE ATT&CK coverage. PathGuard provides defensive choke point analysis, CIS/NIST-mapped hardening recommendations, baseline change detection, and a prioritized remediation roadmap. Python Red Team Blue Team Network Security MITRE ATT&CK Shodan PathFinder PathGuard

• Nebula Forge Detection Suite v2 — 7 tools containerized and live (LogNorm, HuntForge, DriftWatch, ClusterIQ, AtomicLoop, VulnForge, WifiForge) + dashboard (5010) + Postgres — single docker compose up -d
• Purple team automation pipelines: drift-scan and purple-loop validated end-to-end April 2026
• PSAP 2026 — SOC analyst and detection engineering roles
• Expanding Wazuh SIEM detections and Splunk correlation rules

In Progress:

• 🔹 PSAA (Practical SOC Analyst Associate) - 2026*
• 🔹 PSAP (Practical SOC Analyst Professional) - Scheduled Q4 2026

Certification Roadmap: PSAA → PSAP → Sec+ → CCDL1 → PAPA → PJPT + PNPT

22+ VM Purple Team Lab:

• Active Directory lab (attack & defense)
• Snort IDS/IPS network monitoring
• Web vulnerability testing environment
• Malware analysis sandbox
• WiFi penetration testing lab
• Flipper Zero / Pwnagotchi
• Wazuh SIEM with Sysmon integration & MITRE ATT&CK-mapped detections (5 agents: Windows, Linux)
• Splunk Free on Ubuntu for detection and hunt workflows

$\color{red}\normalsize{\textsf{Offensive }}$

$\color{CornflowerBlue}\normalsize{\textsf{Defensive }}$

$\color{CornflowerBlue}\normalsize{\textsf{Hardware }}$

Breaking to Build. Defending to Endure.