I design automation-first cybersecurity systems that connect AI agents, SIEM, SOAR, threat intelligence, and response workflows — with guardrails, auditability, and human control built in.
I build secure AI-agent workflows for SOC, SOAR, MCP, incident response, and cybersecurity automation.
I work across SOAR engineering, AI security, incident response automation, and agentic security workflows. My focus is building practical systems where AI can assist SOC teams safely: querying tools, enriching IOCs, triaging alerts, recommending actions, and escalating with human approval.
Each domain feeds the next. Engineer playbooks, gate them with guardrails, plug them into your stack, and keep humans in control of the moments that matter.
Production-grade playbooks for phishing, malware, EDR isolation, and SIEM enrichment — patterned, versioned, and reusable across tenants.
Threat modeling for tool-calling agents — covering prompt injection, data exfiltration, scope escalation, and untrusted-content boundaries.
Policy, scoping, and auditing for MCP servers — controlling which tools an agent may invoke, with which arguments, under which approval mode.
End-to-end flows from alert ingestion through containment — automated where safe, human-approved where consequential, fully audited end to end.
IOC enrichment chains across VirusTotal, Shodan, AbuseIPDB, and internal CTI — normalized scoring, deduplicated, agent-consumable JSON.
Detection-to-action pipelines that reduce analyst toil — alert deduplication, severity calibration, and clean handoff into automation tiers.
Open and internal projects spanning agent guardrails, lab environments for AI-driven SOC work, prompt-injection defenses, and reusable SOAR blueprints.
A security layer for monitoring and controlling AI agent tool usage across MCP servers — policy gates, call inspection, scope enforcement, and an audit trail.
A lab for testing AI-driven alert triage, IOC enrichment, and response workflows — synthetic telemetry, scoped tools, and a replay harness for tuning.
Experiments and controls to detect prompt injection, tool misuse, and data exfiltration attempts — a rule and classifier hybrid with measured efficacy.
Reusable playbook patterns for phishing, malware alerts, EDR isolation, SIEM enrichment, and incident escalation — opinionated, tested, and tenant-portable.
Seven stages. AI accelerates the middle. Humans remain in control of the moments where consequence and reversibility diverge.
Vendor-agnostic by design. The patterns matter more than the vendor — but the integrations are real and shipped.
Security reviews and builds for teams shipping AI agents and modernizing security operations — secure architecture, guardrailed tool execution, and audit-ready agent execution. These are the areas I study, build, and write about.
Find risks in tool-calling agents — MCP permissions, prompt-injection exposure, data leakage, audit gaps.
View serviceReview MCP tool usage, dangerous permissions, scoped access, policy enforcement, and auditability.
View serviceTest agents against prompt-injection, tool abuse, data leakage, and unauthorized-action scenarios.
View serviceBuild playbooks for phishing triage, IOC enrichment, EDR isolation approval, and escalation.
View serviceBuild a proof-of-concept AI-assisted SOC workflow: triage, enrichment, approval, and audit.
View serviceAutomate IOC enrichment with threat-intel sources, risk scoring, and analyst-ready summaries.
View serviceRepositories, diagrams, demos, test packs, blueprints, audit samples, case studies, and reports — the artifacts behind the positioning.
Policy layer for AI-agent tool usage across MCP servers.
Attack scenarios for tool-calling agents, by boundary.
Alert to enrichment to approval to audit log.
The format I deliver for an agent security review.
Reusable playbook patterns across platforms.
Node-based AI-SOC and guardrail architecture visuals.
Tamper-evident records of agent tool calls.
Executive write-ups: problem, approach, outcome.
Problem, solution, result — three projects that show how the patterns land in real environments.
Field notes on practical AI-SOC design — modeled threats, working defenses, and the engineering it takes to make them safe in production.
Short, technical answers about AI-SOC, SOAR automation, agent security, MCP, and human-in-the-loop response design.
Focused on practical cybersecurity automation, safe AI agents, and enterprise-ready SOAR workflows.