< 02 / SCOPE >
FOUR PILLARS

What I build & defend.

Practice areas. Locked priority order.

01 / 04

Detection engineering on the Microsoft stack

Detections that fire on a live tenant, proven end to end.

Microsoft Sentinel (KQL) and Defender XDR across control plane, endpoint, and identity. Nine MITRE ATT&CK-mapped analytics rules shipped as versioned code, each proven trigger to incident to investigation, including a multi-stage correlation rule and an Azure Resource Graph-backed NSG rule.

Sentinel · Defender XDR · KQL · MITRE ATT&CK

02 / 04

Detection-as-Code and SOC workflow

Rules as code, measured not asserted.

A PR-gated GitHub Actions pipeline deploys rule YAML via OIDC (no secrets), with unit tests and a benign and attack harness that measures false positives. SOC fundamentals: alert triage, NIST 800-61 incident response, Sigma authoring, and false-positive tuning with Wazuh, Suricata, and Zeek.

CI/CD · OIDC · unit tests · FP measurement

03 / 04

Applied IT, network and security foundation

Hands-on across enterprise stacks.

Windows Server / Active Directory lifecycle, Cisco IOS networking (VLAN, EtherChannel, inter-VLAN, ACL/NAT), Hyper-V virtualization, and web application security testing. Lab-validated across multiple environments.

AD · Cisco IOS · Hyper-V · lab-validated

04 / 04

Open-source contributions to security libraries

Upstream PRs into widely-used codebases.

Sustained hardening contributions to Google gVisor (container sandbox and Linux runtime behavior) and Kubernetes, with cryptography work across the Google Tink ecosystem. 15 merged upstream PRs and 1 published CVE.

view merged contributions

gVisor · Kubernetes · Tink · 15 PRs · 1 CVE

< 03 / HANDS-ON CAPABILITIES >
8 OF 8 VERIFIED

Hands-on capability matrix.

$ cat capabilities.tsv | verify

./capabilities · 8 entries · verified
schema: ID · NAME · TOOLS · STATUS
[01]/08

Microsoft Sentinel detection engineering

Scheduled analytics rules and KQL hunting queries across control plane, endpoint, and identity, mapped to MITRE ATT&CK.

Sentinel · KQL · analytics rules · ATT&CK mapping

VERIFIED
[02]/08

Detection-as-Code pipeline

Versioned rule YAML, PR-gated GitHub Actions, OIDC deploy, unit tests, and false-positive measurement.

GitHub Actions · OIDC · unit tests · Azure Resource Graph

VERIFIED
[03]/08

SIEM / SOC stack operations

Tier-1 alert triage, IDS rule analysis, NIST 800-61 incident response, case management.

Wazuh · Security Onion · Suricata · Zeek · alert triage

VERIFIED
[04]/08

Defender XDR and Entra ID identity

Endpoint and identity detection, Conditional Access review, sign-in and audit-log hunting.

Defender XDR · Defender for Endpoint · Entra ID · Sigma

VERIFIED
[05]/08

Windows Server / Active Directory lifecycle

Forest design, DC promotion, GPO authoring and troubleshooting, PowerShell admin tooling.

AD DS · GPO · PowerShell admin · Server 2016-2025

VERIFIED
[06]/08

Cisco IOS networking

Switch and router configuration, VLAN/trunk design, link aggregation, inter-VLAN routing.

VLAN / trunk · EtherChannel · inter-VLAN · ACL · NAT

VERIFIED
[07]/08

Hyper-V virtualization administration

Virtual switch design, VHD lifecycle, dynamic memory tuning, multi-VM lab provisioning.

VHD / VHDX · virtual switches · checkpoints · dynamic memory

VERIFIED
[08]/08

Open-source security contributions

Sustained upstream PRs into widely-used security libraries.

gVisor · Kubernetes · Tink · 15 PRs · 1 CVE

VERIFIED
end of file
exit 0
< 04 / SELECTED WORK >
5 FRAMES · LIVING RECORD

Selected work.

FRAME-01 to FRAME-05 · operator-curated

FRAME-01 · STRONG · PUBLIC

azure-sentinel-detection-engineering (flagship)

Detection-as-Code on a live Microsoft Sentinel and Defender XDR tenant. Nine MITRE-mapped analytics rules across control plane, endpoint, and identity, each proven trigger to incident to investigation. Versioned rule YAML deployed by a PR-gated GitHub Actions pipeline via OIDC (no secrets), with unit tests and a benign and attack harness that measured 0 false positives on the benign batch. Includes a multi-stage correlation rule (privilege grant then deployment) and an Azure Resource Graph-backed NSG content rule.

view repository
Sentinel · Defender XDR · KQL · Detection-as-Code · OIDC · MITRE ATT&CK
FRAME-02 · STRONG · PUBLIC

Microsoft 365 security operations toolkit

Open-source PowerShell audit suite for Microsoft 365 and Cloudflare in small organizations. Audits five domains (Sentinel, Defender for Office 365, DNS and email authentication, Entra ID, Defender for Cloud) and produces a P1 / P2 / P3 ranked report with deployable remediation artifacts. Ships Sentinel analytics rule templates, KQL hunting drills, and email authentication baselines covering SPF, DKIM, DMARC, MTA-STS, and TLS-RPT.

view toolkit
M365 · Sentinel · KQL · SPF / DKIM / DMARC · Cloudflare
FRAME-03 · STRONG · PUBLIC

Cyber Defense Competition, Security Lead

Forty-eight-hour multi-zone blue-team engagement against a live red team at Sierra College Cyber Defense Competition. Deployed Security Onion, Wazuh, Suricata, Zeek, and honeypots across WAN, DMZ, and LAN zones. Authored a Sigma rule pack, hunting queries, and a triage runbook for sustained adversary activity under time pressure. Public case-study repository at github.com/ibondarenko1/blue-team-engagement.

view case study
blue team · Security Onion · Wazuh · Sigma · triage runbook
FRAME-04 · STRONG · PUBLIC

Open-source upstream contributions to security libraries

Open-source security research with a focus on Google gVisor (container sandboxing and Linux runtime behavior): TOCTOU fixes in systrap, TUN device crash handling, Go concurrency race fixes, and guest-writable shared memory hardening. Additional upstream contributions across Kubernetes and the Google Tink cryptography ecosystem. 15 merged upstream PRs and 1 published CVE.

view merged contributions
gVisor · Kubernetes · Tink · 15 merged PRs · 1 CVE
FRAME-05 · STRONG · PUBLIC

LLM serving security reference

Security reference for the large language model serving stack: CVE matrix, vulnerability classes, and hardening guidance for vLLM, Triton, lmdeploy, BentoML, SGLang, Ollama, and TGI. The source-level view of the AI attack surface that sharpens what to look for in telemetry.

view reference
LLM serving · CVE matrix · hardening · vLLM · Triton
< 05 / NOW >
LIVE · 2026-06-09

$ systemctl status now.service
now.service · operator workstream snapshot
    Active: running
    Loaded: detection-stack.cfg

Currently.

Extending the Sentinel detection catalog: new analytics rules across identity and endpoint, each shipped through the PR-gated pipeline with unit tests and false-positive measurement before deploy. Closing detection gaps tracked as ATT&CK Navigator cells: resource hijacking, cloud storage access, and service discovery. Upstream hardening PRs continue across gVisor and Kubernetes.

In parallel: live-fire blue-team practice under sustained operational pressure. Cloud-deployed lab pod with Security Onion 2.4, pfSense + Snort IPS, Wazuh agents, and a mixed Linux / Windows fleet, exercised against simulated adversary activity at production rate. Scope covers SOC alert triage, KQL pivot hunting, MITRE ATT&CK mapping, firewall and IDS tuning under load, and disciplined change management across reset cycles.

Response frameworks layered in as fallback discipline: CIS Critical Controls, NIST CSF, PCI-DSS, and HIPAA technical safeguards. Role spread across firewall, Windows, Linux, application, monitoring, and change-management leads, with shared runbooks for reset recovery and uptime continuity.

STACK · Sentinel · KQL · GitHub Actions · Kali
RIG · COMMODITY · TWO-HOST LAB
< 06 / CONTACT >
END OF FILE

/contact.

Two channels. One filter.

INBOX FILTER

Open for OSS security collaboration, architecture review, full-time opportunities in detection engineering and security operations, and research dialogue. Cold sales routes to /dev/null.

CURRENT STATUS

Selective engagement. Response window 24-72h.

LOCATION

California · Pacific Time.

// IEVGEN BONDARENKO · 2026
EOF