Former Navy Corpsman turned cybersecurity practitioner, with real-world combat experience. I bring military discipline, high-pressure decision-making skills, and a systematic approach to threat detection and incident response.
Purple Team & SOC Focus — building both offensive and defensive capabilities
Operating a 22+ VM home lab for attack simulation and detection engineering
Pursuing PSAA → PSAP → Security+ → CCDL1 → PAPA → PJPT → PNPT certification path
(Inactive) TryHackMe Top 1% - 270+ rooms completed
Actively seeking SOC Analyst & Purple Team roles
- Threat detection & incident response
- SIEM analysis & log correlation
- Threat hunting & malware analysis
- Security monitoring & alerting
- Penetration Testing & Security Research
- Red team operations & exploitation
- Active Directory & Windows exploitation
- Network security & privilege escalation
Nebula Forge is an open-source SOC platform covering the full workflow: Detect → Normalize → Hunt → Drift → Cluster → Simulate → Investigate → Respond → Report. The suite runs as a fully containerized stack — 13 containerized tools, 15 services total, a shared Postgres backend, and a central dashboard. Clone all repos with the included setup script, then a single `docker compose up -d` starts every service. The dashboard (port 5010) provides live status, one-click launches, and pipeline monitoring across all 18 tools in the org.
Nebula Forge includes two automated pipelines:
- Drift-scan — scheduled Sigma rule drift analysis across your detection library
- Purple-loop — end-to-end purple team cycle: discover (VulnForge) → simulate (AtomicLoop) → detect (Wazuh/Splunk) → validate (DriftWatch) → hunt (HuntForge) | Pipeline validated end-to-end April 2026
| Tool | Description |
|---|---|
| SigmaForge | Vendor-agnostic Sigma rule generator — Splunk SPL, Elastic KQL/EQL, Sentinel KQL, Wazuh XML, QRadar AQL, Detection-as-Code JSON |
| YaraForge | YARA rule generator with ATT&CK mapping and detection dashboard |
| SnortForge | Snort 2/3 rule generator with multi-content chaining, performance scoring, and 12 detection templates |
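As an added illustration of the Sigma-to-SIEM conversion that a tool like SigmaForge performs, the block below is a minimal Sigma → Splunk SPL translator. It is example code written for this page, not SigmaForge's own implementation, and it covers only a subset of Sigma (field/value selections with the `contains`, `startswith` and `endswith` modifiers, and a `selection` or `selection and not filter` condition). The rule is a constructed sample already parsed into a dict, and the `sysmon` index name is an assumption.

```python
"""Minimal Sigma -> Splunk SPL converter (example code, not SigmaForge's).

Handles a subset of Sigma: a selection map of field: value (string or list),
optional |contains / |startswith / |endswith modifiers, and a condition of
'selection' or 'selection and not filter'. Anything else raises ValueError.
"""
import re

# Constructed sample rule, already parsed from YAML into a dict so the example
# runs without PyYAML. Paths use single backslashes as they would in Windows logs.
SAMPLE_RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],
        },
        "filter": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter",
    },
}


def _spl_escape(value: str) -> str:
    # Backslash and double quote must be escaped inside an SPL quoted literal.
    return value.replace("\\", "\\\\").replace('"', '\\"')


def _term(field_spec: str, value: str) -> str:
    # Translate one 'Field|modifier': value pair into an SPL field comparison,
    # mapping Sigma modifiers onto SPL wildcard placement.
    field, _, modifier = field_spec.partition("|")
    v = _spl_escape(value)
    if modifier == "contains":
        return f'{field}="*{v}*"'
    if modifier == "startswith":
        return f'{field}="{v}*"'
    if modifier == "endswith":
        return f'{field}="*{v}"'
    if modifier:
        raise ValueError(f"unsupported modifier: {modifier}")
    return f'{field}="{v}"'


def _block(selection: dict) -> str:
    # Sigma semantics: fields within one selection are ANDed; a list of values
    # for a single field is ORed.
    clauses = []
    for spec, val in selection.items():
        values = val if isinstance(val, list) else [val]
        ors = " OR ".join(_term(spec, str(x)) for x in values)
        clauses.append(f"({ors})" if len(values) > 1 else ors)
    return " AND ".join(clauses)


def sigma_to_spl(rule: dict, index: str = "sysmon") -> str:
    """Return an SPL search for the rule; 'index' is an assumed local index name."""
    det = rule["detection"]
    cond = det.get("condition", "selection").strip()
    m = re.fullmatch(r"(\w+)(?:\s+and\s+not\s+(\w+))?", cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    positive, negative = m.group(1), m.group(2)
    spl = f"index={index} {_block(det[positive])}"
    if negative:
        spl += f" NOT ({_block(det[negative])})"
    return spl


if __name__ == "__main__":
    print(sigma_to_spl(SAMPLE_RULE))
```

The converter deliberately refuses conditions it cannot represent rather than emitting a search that silently drops a clause; a detection that has lost its `not filter` exclusion still runs, but with a false-positive profile the rule author never reviewed.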
| Tool | Port | Description |
|---|---|---|
| SigmaForge | 5000 | Custom Sigma conversion engine — 6 SIEM backends, Detection-as-Code JSON, no pySigma dependency |
| YaraForge | 5001 | YARA rule builder with live scanning, MITRE ATT&CK tagging, SQLite storage |
| Threat-Intel-Dashboard | 5002 | IOC reputation lookup — VirusTotal, AbuseIPDB; auto-type detection; demo mode |
| SnortForge | 5003 | Snort 2/3 rule generator — multi-content chaining, PCRE, 0–100 performance scorer |
| SIREN | 5004 | NIST 800-61 IR report builder — timeline, IOC tracking, composite severity scoring |
| EndpointForge | 5005 | Cross-platform HIDS — process, FIM, network, registry, persistence — Wazuh export |
| Tool | Port | Description |
|---|---|---|
| LogNorm | 5006 | ECS-lite log normalizer for disparate SIEM sources |
| HuntForge | 5007 | ATT&CK-mapped threat hunt playbook generator |
| DriftWatch | 5008 | Sigma rule drift analyzer — feeds the drift-scan pipeline |
| ClusterIQ | 5009 | Behavioral alert clustering engine for SOC triage noise reduction |
| AtomicLoop | 5011 | Atomic Red Team runner — feeds the purple-loop pipeline |
| VulnForge | 5012 | Exploit intel aggregator → ATT&CK mapping → pipeline trigger |
| WifiForge | 5013 | 802.11 threat detector with deauth/rogue AP detection → LogNorm export |
| Tool | Description |
|---|---|
| EndpointForge | Cross-platform HIDS — process, FIM, network, registry, autoruns with Wazuh NDJSON export |
| EndpointTriage | PowerShell IR artifact collector — processes, persistence, event logs, Sysmon, HTML report output |
| Tool | Description |
|---|---|
| Log-Analyzer | SOC-focused log analysis with pattern matching and anomaly detection |
| Phishing-Analyzer | Email header and content analysis for phishing campaign identification |
| Tool | Description |
|---|---|
| Threat-Intel-Dashboard | Real-time IOC tracking, feed aggregation, and visual analytics for SOC operations |
| ThreatTape | Live IOC threat intel feed — AbuseIPDB + OTX aggregation with MITRE ATT&CK tagging |
| Tool | Description |
|---|---|
| SIREN | NIST 800-61 incident report generator with severity scoring, IOC tracking, and timeline management |
| Tool | Description |
|---|---|
| WarGameForge | SOC investigation scenario generator — MITRE-driven, difficulty-scaled training |
| Lab | Layer | Description |
|---|---|---|
| Azure-SOC-mini-lab | Azure | KQL detections, 12 ATT&CK-mapped simulations, IR documentation, Sentinel playbooks |
| AWS-SOC-lab | AWS | CloudTrail detections, IAM/S3/EC2 attack sims, GuardDuty integration, Lambda auto-response |
| Malware-Detonation-Lab | On-Prem | Isolated FLARE-VM + REMnux sandbox, DNS sinkhole, local-capture detection workflow |
- Nebula Forge — 13 tools containerized and live (v1: SigmaForge, YaraForge, Threat-Intel-Dashboard, SnortForge, SIREN, EndpointForge; v2: LogNorm, HuntForge, DriftWatch, ClusterIQ, AtomicLoop, VulnForge, WifiForge) + dashboard (5010) + Postgres, 15 services total — setup scripts + a single `docker compose up -d`
- Purple team automation pipelines: drift-scan and purple-loop validated end-to-end April 2026
- PSAP 2026 — SOC analyst and detection engineering roles
- Expanding Wazuh SIEM detections and Splunk correlation rules
In Progress:
- 🔹 PSAA (Practical SOC Analyst Associate) - 2026*
- 🔹 PSAP (Practical SOC Analyst Professional) - Scheduled Q4 2026
Certification Roadmap: PSAA → PSAP → Security+ → CCDL1 → PAPA → PJPT → PNPT
22+ VM Purple Team Lab:
- Active Directory lab (attack & defense)
- Snort IDS/IPS network monitoring
- Web vulnerability testing environment
- Malware analysis sandbox
- WiFi penetration testing lab
- Flipper Zero / Pwnagotchi
- Wazuh SIEM with Sysmon integration & MITRE ATT&CK-mapped detections (5 agents: Windows, Linux)
- Splunk Free on Ubuntu for detection and hunt workflows