EVIDENCE-FIRST SECURITY PORTFOLIO

Automation-first SOC portfolio, repo-backed and verifiable.

I build deployable detections and response workflows with repeatable validation and measurable outcomes, because that's where modern security operations is heading.

Review path: open Proof Pack, run verify, match published outputs.

$ verify: pwsh -File .\scripts\verify\verify-counts.ps1
Verified artifacts • Reproducible commands
Huntsville-adjacent • North Alabama
Counts and links align to raylee-hawkins/HawkinsOperations (verified, reproducible today).
SOC lab: Windows 11 endpoint and Proxmox systems wired into a detection-to-response loop
Hardware identifiers intentionally redacted
Who I Am

Self-taught. No degree. Everything verified.

Self-taught North Alabama security engineer. Every count on this site is reproducible with a single command against a public repo—because claims without proof aren't claims at all.

I chose the automation side of security because that's where modern SOC operations is heading. The goal isn't just detection—it's detection you can reproduce, explain, and hand off.

Open to SOC Analyst / Detection Engineer roles — Huntsville, AL
  • 2024 – Present. HawkinsOps: self-directed SOC portfolio. Wazuh SIEM, Proxmox lab, 139 verified detections across Sigma / Wazuh / Splunk, 10 IR playbooks.
  • Ongoing. CVE triage and patch verification. Documented detect → triage → patch → verify workflow. CVE-2025-55130 cross-referenced with the Node.js security advisory.
  • Target. Huntsville / MSFC contractor ecosystem. Defense-adjacent environment. Documentation-first approach aligns with clearance-track role requirements.
What This Is

A workflow-shaped SOC portfolio

HawkinsOps is a security operations portfolio built like a real workflow: collect telemetry, detect, triage, respond, investigate, and improve.

SOC concept mapped to my actual machines and workflow
Windows 11 endpoint + Proxmox systems wired into a repeatable detection-to-response loop with evidence capture at each stage.
Collect → Detect → Triage → Respond → Investigate → Improve
  • Wazuh agent on a primary Windows 11 endpoint wired to Proxmox-hosted Wazuh Manager and Splunk
  • 139 verified detections active across Sigma, Wazuh, and Splunk
  • Detection scenarios run end-to-end: trigger → alert → evidence capture → verify counts
  • Verified detections: 139
  • Sigma rules: 103
  • Wazuh rule blocks: 28
  • Splunk queries: 8
  • IR playbooks: 10
Last verified: 02-24-2026
Verify commands
pwsh -NoProfile -File .\scripts\verify\verify-counts.ps1
pwsh -NoProfile -File .\scripts\verify\generate-verified-counts.ps1 -OutFile .\PROOF_PACK\VERIFIED_COUNTS.md
Documented Work

Report-first, repo-last

Short case studies, lab briefs, and detection reports. Each section explains what the rule/workflow does, the purpose it serves, and ends with artifacts plus a verification path.

CVE credibility: CVE-2025-55130 with documented detect -> triage -> patch -> verify, cross-referenced with Node.js security advisories.