Extras

The stuff that doesn't fit a nav label

Background, approach, what I'm building next, and a SOC triage simulator you can actually use.

My Story

Self-taught, North Alabama, no degree

I didn't come up through a CS program. I came up through obsession with how systems break, and a compulsion to document everything so I could reproduce it.

Security clicked because it's the intersection of "how does this actually work" and "what happens when it doesn't." The adversary mindset — understanding attack chains well enough to write detections for them — is the part I keep returning to.

Everything on this site is self-directed. The lab, the rules, the playbooks, the verification pipeline — built because I wanted to understand how a real SOC workflow holds together, not because a course told me to.

Open to SOC Analyst / Detection Engineer roles — Huntsville, AL • Sept 2026 target

2024 – Present: Built HawkinsOps from scratch
Proxmox lab, Wazuh SIEM, Splunk, 139 verified detections, 10 IR playbooks. All public, all reproducible.

Ongoing: Real detection runs
CVE-2025-55130 detected by live Wazuh monitoring, triaged, patched, verified closed. 15,052 alerts observed in a 24h window during active testing.

Target: Defense-adjacent Huntsville ecosystem
MSFC contractor environment. Documentation-first workflow aligns with clearance-track role requirements.
Why Automation

Manual doesn't scale. Documented does.

I gravitated toward the automation side of security because that's where the leverage is. One well-written detection catches the same behavior a thousand times. One IR playbook keeps a responder from having to rebuild triage logic under pressure.

Detection as code
Rules in YAML and SPL aren't "security theater" — they're testable, version-controlled, and deployable across platforms. Sigma's platform-agnostic format means a rule written once can be converted to Wazuh, Splunk, or Elastic without rewriting the logic.
Sigma · YAML · Multi-backend
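To show what "write the logic once, emit per backend" looks like in practice, here is a toy converter, added as an example for this page; it is not the HawkinsOps project's code and not pySigma or sigma-cli. It assumes the rule has already been loaded from YAML into a dict, supports only the contains/startswith/endswith modifiers and conditions of the form "X", "X and Y" or "X and not Y", and passes field names through unchanged (a real conversion pipeline maps them per backend). The rule, the field names and the backend syntax table are constructed for the example.

```python
"""Toy Sigma-to-backend converter (added example; not HawkinsOps code, not
pySigma).  Assumptions: rule already loaded from YAML into a dict; only
contains/startswith/endswith modifiers; conditions "X", "X and Y",
"X and not Y"; field names are not mapped per backend."""

import re
from typing import Any

# Constructed rule: what yaml.safe_load would return for a small Sigma rule that
# flags an encoded PowerShell command line unless the parent is explorer.exe.
RULE: dict[str, Any] = {
    "title": "Encoded PowerShell Command Line",
    "status": "test",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter_explorer": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter_explorer",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Sigma value modifiers expressed as wildcard placement around the literal.
WILDCARDS = {"": ("", ""), "contains": ("*", "*"),
             "startswith": ("", "*"), "endswith": ("*", "")}

# Per-backend spelling of a field/value term, OR, AND and "AND NOT".
# The logic above never changes; only this table does.
BACKENDS = {
    "splunk": {"term": '{field}="{value}"', "or": " OR ", "and": " AND ", "and_not": " NOT "},
    "kql": {"term": "{field}:{value}", "or": " or ", "and": " and ", "and_not": " and not "},
}

CONDITION_RE = re.compile(r"^(\w+)(?:\s+and\s+(not\s+)?(\w+))?$")


def _render_field(spec: str, values: Any, syntax: dict) -> str:
    """One 'Field|modifier: value(s)' line -> backend expression; list values are OR'd."""
    field, _, modifier = spec.partition("|")
    if modifier not in WILDCARDS:
        raise ValueError(f"unsupported modifier: {modifier}")
    prefix, suffix = WILDCARDS[modifier]
    values = values if isinstance(values, list) else [values]
    terms = []
    for v in values:
        # Both backends treat backslash as an escape character, so a literal
        # backslash from the rule is doubled; '*' is left alone so it stays a wildcard.
        literal = f"{prefix}{v}{suffix}".replace("\\", "\\\\")
        terms.append(syntax["term"].format(field=field, value=literal))
    return terms[0] if len(terms) == 1 else "(" + syntax["or"].join(terms) + ")"


def _render_selection(selection: dict, syntax: dict) -> str:
    """All field lines inside one selection are AND'd together."""
    parts = [_render_field(k, v, syntax) for k, v in selection.items()]
    return "(" + syntax["and"].join(parts) + ")"


def convert(rule: dict, backend: str) -> str:
    """Render the rule's detection block for one backend."""
    syntax = BACKENDS[backend]
    detection = rule["detection"]
    m = CONDITION_RE.match(detection["condition"].strip())
    if not m:
        raise ValueError(f"unsupported condition: {detection['condition']}")
    first, negate, second = m.groups()
    query = _render_selection(detection[first], syntax)
    if second:
        query += syntax["and_not" if negate else "and"] + _render_selection(detection[second], syntax)
    return query


if __name__ == "__main__":
    for name in BACKENDS:
        print(f"[{name}] {convert(RULE, name)}")
```

Adding a third backend means adding one more row to the syntax table, which is the whole point: the detection logic is reviewed and version-controlled once, and the per-platform query is a derived artifact.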
Reproducibility as credibility
A count that can't be reproduced isn't a count — it's a claim. Every number on this site traces back to a script that walks the repo and counts files. That's not extra work. That's the only work that matters.
Verification scripts · CI gates · Public repo
IR playbooks as runbooks
A playbook that exists only in someone's head isn't a playbook. A written, structured playbook with explicit steps, decision points, and expected outputs is something a responder can execute at 2am on no sleep.
Structured · 7-section template · Escalation logic
Evidence capture by default
Every detection run in my lab produces an artifact. Screenshots are redacted and filed. Counts are verified before publishing. The workflow forces documentation because documentation is the deliverable.
Evidence-first · PROOF_PACK/ · Sanitized
What I'm Building Next

Current pipeline

Active work in progress. Nothing ships to the public site until it has verified counts and at least one artifact.

Building: Broader Sigma tactic coverage
Adding rules to underrepresented ATT&CK tactics. Goal is a verifiable detection story across the full matrix, not just the easy ones.

Building: IR playbook expansion
More threat scenarios following the 7-section template. Each one will include a detection reference and a MITRE technique tag.

Planning: Threat hunt playbooks
Hypothesis-driven hunt workflows with SPL pivots for common Windows threat scenarios. Structured to match how a real tier 2/3 analyst would approach a hunt.

Planning: ATT&CK coverage map
Visual representation of current detection coverage, generated from the rule inventory, so reviewers can see gaps without reading 100+ YAML files.
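The "script that walks the repo and counts files" idea from the reproducibility section and the coverage map planned here are the same walk with a different output, so one added example covers both. It is not the HawkinsOps verification script. It assumes rules live under one root as *.yml/*.yaml, that a rule counts as verified when its status is stable or test (an assumption about what "verified" means, not the site's definition), and it reads only the top-level status line and attack.* tags with a small regex parser so no YAML library is needed. The sample rules it writes to a temp directory are constructed.

```python
"""Repo walker: reproducible rule counts plus an ATT&CK tactic coverage map.
Added example, not the HawkinsOps verification scripts.  Assumptions: rules
are *.yml/*.yaml under one root; "verified" == status stable or test; only
the status: line and attack.* tags are parsed; sample rules are constructed."""

import re
import tempfile
from collections import Counter
from pathlib import Path

# The 14 ATT&CK Enterprise tactics, spelled the way Sigma tags them.
ENTERPRISE_TACTICS = [
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion", "credential_access",
    "discovery", "lateral_movement", "collection", "command_and_control",
    "exfiltration", "impact",
]
VERIFIED_STATUSES = {"stable", "test"}  # assumption for this example
STATUS_RE = re.compile(r"^status:\s*(\S+)\s*$", re.MULTILINE)
TAG_RE = re.compile(r"^\s*-\s*attack\.([\w.-]+)\s*$", re.MULTILINE)


def parse_rule(text: str) -> tuple[str, list[str]]:
    """Return (status, tactic tags) from raw rule text; technique tags are dropped."""
    m = STATUS_RE.search(text)
    status = m.group(1) if m else "unknown"
    tactics = sorted({t for t in TAG_RE.findall(text) if t in ENTERPRISE_TACTICS})
    return status, tactics


def inventory(root: Path, min_per_tactic: int = 2) -> dict:
    """Walk the repo; every number returned can be re-derived by anyone with the files."""
    files = sorted(p for p in root.rglob("*") if p.suffix in (".yml", ".yaml"))
    by_status: Counter = Counter()
    per_tactic: Counter = Counter({t: 0 for t in ENTERPRISE_TACTICS})
    verified = 0
    for path in files:
        status, tactics = parse_rule(path.read_text(encoding="utf-8"))
        by_status[status] += 1
        if status in VERIFIED_STATUSES:  # unverified rules never inflate coverage
            verified += 1
            for t in tactics:
                per_tactic[t] += 1
    gaps = [t for t in ENTERPRISE_TACTICS if per_tactic[t] < min_per_tactic]
    return {"rule_files": len(files), "verified": verified,
            "by_status": dict(by_status), "per_tactic": dict(per_tactic), "gaps": gaps}


def coverage_map(result: dict) -> str:
    """Text bar chart of verified rules per tactic, gaps flagged."""
    width = max(len(t) for t in ENTERPRISE_TACTICS)
    lines = []
    for t in ENTERPRISE_TACTICS:
        n = result["per_tactic"][t]
        flag = "  <- gap" if t in result["gaps"] else ""
        lines.append(f"{t:<{width}} {'#' * n:<6} {n}{flag}")
    return "\n".join(lines)


# Constructed sample repo: relative path -> (status, tags).  Paths are invented.
SAMPLE_RULES = {
    "windows/process_creation/encoded_powershell.yml": ("test", ["execution", "t1059.001"]),
    "windows/registry/run_key_persistence.yml": ("stable", ["persistence", "t1547.001"]),
    "windows/scheduled_task/task_as_system.yml": ("test", ["persistence", "privilege_escalation", "t1053.005"]),
    "windows/process_access/lsass_read.yml": ("experimental", ["credential_access", "t1003.001"]),
    "windows/legacy/old_rule.yml": ("deprecated", ["defense_evasion"]),
}


def write_sample_repo(root: Path) -> None:
    """Write minimal rule bodies containing only the fields the walker reads."""
    for rel, (status, tags) in SAMPLE_RULES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        body = f"title: {path.stem}\nstatus: {status}\ntags:\n"
        body += "".join(f"    - attack.{t}\n" for t in tags)
        path.write_text(body, encoding="utf-8")
    (root / "README.md").write_text("not a rule\n", encoding="utf-8")  # must be ignored


def demo(min_per_tactic: int = 2) -> dict:
    """Build the sample repo in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_repo(root)
        return inventory(root, min_per_tactic)


if __name__ == "__main__":
    result = demo()
    print(f"{result['verified']} verified of {result['rule_files']} rule files; by status: {result['by_status']}")
    print(coverage_map(result))
```

Run in CI, a script like this is the gate the page describes: the published numbers are whatever the walk returns, and a count in the prose that disagrees with it fails the build.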
Triage Simulator

SOC workflow practice

Lightweight triage practice: select an alert, review severity context, execute next steps, and capture evidence cleanly. Each scenario maps to actual detection rules in the repo.

How this maps to the repo (evidence-first)
  • Use the triage flow to validate detections in detection-rules/.
  • Escalation and containment steps map to IR playbooks in incident-response/playbooks/.
  • Each scenario output is purpose-driven so analysts know why each step exists.
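The evidence-capture step of the triage flow above, and the "redacted and filed" rule from the evidence section, as one added example (not the site's simulator and not its PROOF_PACK tooling): a constructed scenario table links an alert to its rule under detection-rules/ and its playbook under incident-response/playbooks/ (the file names are invented), each step carries its purpose, and the raw artifact is redacted before it is hashed and filed so the manifest never records a hash of unsanitized data. The redaction patterns and the Sysmon-style sample artifact are constructed for the example.

```python
"""Triage step with evidence capture: redact, hash the sanitized copy, file it
with the alert, rule and playbook.  Added example; not the site's simulator or
PROOF_PACK tooling.  Scenario table, file names, redaction patterns and the
sample artifact are all constructed."""

import hashlib
import json
import re

# Constructed scenario table keyed by detection rule title.  Each step carries
# its purpose so the output says why the step exists, not just what to do.
SCENARIOS = {
    "Encoded PowerShell Command Line": {
        "rule": "detection-rules/windows/process_creation/encoded_powershell.yml",
        "playbook": "incident-response/playbooks/malicious-powershell.md",
        "severity": "high",
        "steps": [
            ("Decode the -enc payload offline", "Confirm true positive before acting"),
            ("Pull the parent process chain from Sysmon EID 1", "Establish how execution started"),
            ("Check for outbound connections from the PID", "Scope to C2 vs. local-only"),
            ("Escalate to IR lead if the payload downloads or persists", "Containment trigger per playbook"),
        ],
    },
}

# Redactions applied before anything is hashed or filed (constructed patterns):
# IPv4 addresses, 'User:' / 'user=' fields, and the profile name in C:\Users\<name>.
REDACTIONS = [
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"(?i)(\buser[:=]\s*)\S+"), r"\1[USER]"),
    (re.compile(r"(?i)(C:\\Users\\)[^\\\s]+"), r"\1[USER]"),
]

# Constructed Sysmon-style process-creation excerpt; the IP is from TEST-NET-3.
SAMPLE_ARTIFACT = (
    "UtcTime: 2025-01-14 03:12:41\n"
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "CommandLine: powershell.exe -nop -w hidden -enc <constructed-base64>\n"
    "ParentImage: C:\\Users\\jsmith\\AppData\\Local\\Temp\\setup.exe\n"
    "User: LAB\\jsmith\n"
    "DestinationIp: 203.0.113.45\n"
)


def sanitize(text: str) -> tuple[str, int]:
    """Apply every redaction; return the clean text and how many substitutions ran."""
    total = 0
    for pattern, repl in REDACTIONS:
        text, n = pattern.subn(repl, text)
        total += n
    return text, total


def capture(name: str, raw: str) -> dict:
    """Manifest entry: the hash covers the sanitized bytes, so it can be published."""
    clean, n = sanitize(raw)
    data = clean.encode("utf-8")
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "bytes": len(data), "redactions": n, "sanitized": clean}


def triage(alert_title: str, raw_artifact: str) -> dict:
    """One triage record: severity context, purposeful steps, filed evidence."""
    scenario = SCENARIOS.get(alert_title)
    if scenario is None:
        raise KeyError(f"no scenario for alert: {alert_title}")
    return {
        "alert": alert_title,
        "severity": scenario["severity"],
        "rule": scenario["rule"],
        "playbook": scenario["playbook"],
        "steps": [{"step": s, "purpose": p} for s, p in scenario["steps"]],
        "evidence": capture(f"{alert_title}.txt", raw_artifact),
    }


if __name__ == "__main__":
    print(json.dumps(triage("Encoded PowerShell Command Line", SAMPLE_ARTIFACT), indent=2))
```

Hashing after redaction is the deliberate choice here: a hash of the raw artifact would let anyone holding the unredacted file prove the manifest refers to it, which defeats the point of filing a sanitized copy.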