I deploy SIEMs, write detection rules, design SOAR playbooks, and set honeypot traps. Turning logs into signal across fintech and critical infrastructure.
[siem]
platforms = chronicle, qradar, splunk
architecture = multi-tenant log pipelines, built to not fall over
log_engineering = ingestion design, parsing, cost optimization (99.9% reduction in ingested cloudtrail volume)
correlation = misp → siem (real-time ioc matching)
[detection]
languages = yara-l, sigma, spl
approach = detection-as-code (yaml → siem + edr)
tuning = data-driven false positive reduction
[soar]
platform = chronicle soar
scope = playbook design, enrichment workflows, automated containment
philosophy = if you are doing it twice, it should be a playbook
[adversary_engagement]
honeypots = thinkst canary, cowrie, custom deployments
honeytokens = credential canaries, aws keys, dns tokens, breadcrumbs
program = led company-wide adversary engagement program
philosophy = let them in. on your terms.
[incident_response]
biggest_day = ransomware on 3000+ endpoints → root cause in 72h
automation = python tooling for triage, enrichment, containment
csirt = built one from scratch → listed by cert.br
[infrastructure]
cloud = aws, gcp
os = linux (since 2005)
init = systemd (service hardening, journald)
firewall = nftables
config_mgmt = ansible
containers = podman
tools = nmap, git, netbox, terraform
[programming]
primary = python
systems = rust
glue = bash, sql
ibm_security_summit.log:1 # panelist — threat detection & IR
certbr_csirt_forum.log:3 # 2014, 2018, 2019 — csirt, siem, netsec
brazilian_army_hq.log:1 # scada systems security
itaipu_colloquium.log:1 # soc practices for ot/ics




