SOC Analyst · Detection Engineer · Pune, India
"I don't just use security tools — I build them."
Detection-as-code over dashboards. Kill-chain correlation over alert fatigue.
Currently sharpening DetectionForge coverage on initial-access techniques and tuning Prod-SIEM's correlation logic against fresh APT replay data.
DetectionForge — Detection-as-code that survives contact with a benign corpus. Sigma rules in, three SIEM backends out (Splunk SPL · Elastic EQL · Sentinel KQL), validated on every commit. 0.997 mean precision across 21 ATT&CK techniques · 1,648-event benign corpus.
Prod-SIEM — Self-hosted SOC platform with kill-chain correlation. Eight containers wiring TheHive, Cortex, and MISP into a workflow that actually closes cases. 5,800+ alerts triaged · 7 kill-chain phases reconstructed in one APT scenario.
MailSentinel — Phishing triage pipeline: SPF/DKIM/DMARC, display-name spoofing, typosquatting checks against 20 brand targets, VBA extraction, HTML-smuggling detection, STIX 2.1 export. Zero false positives across 40 labeled emails.
NullClass · SOC Analyst Intern (Mar–Apr 2026)
Walked a full APT kill-chain end to end — spear-phishing through DNS-tunneled exfil — with PCAP forensics on a HawkEye Keylogger infection. Authored 8 EQL/KQL detections with sub-72s MTTD on validation.
| Platform | Standing |
|---|---|
| TryHackMe | Top 1% globally · Rank 587 · 590 rooms · 64 badges (SOC L1 + AI Security) |
| Splunk BOTS | BOTSv1 18,977 · Corelight NDR 8,215 · Dragos ICS/OT 9,679 |
- Detect & investigate — Splunk (SPL/ES) · ELK · Wazuh · Security Onion · Wireshark · Sysmon
- Build & automate — Python · Sigma/pySigma · YARA · Docker · GitHub Actions · Bash
- Triage & enrich — TheHive · Cortex · MISP · VirusTotal · AbuseIPDB · URLScan
- Frameworks — MITRE ATT&CK · NIST 800-61 · Cyber Kill Chain · Diamond Model
TryHackMe SOC L1 · TryHackMe AI Security · Palo Alto Cortex XDR Analyst · Splunk Fundamentals & Security · Cisco Endpoint Security
