Threat detection and response in the SOC. Cloud hardening across AWS, Azure, and GCP. Penetration testing, digital forensics, and governance — the full security lifecycle.
- Clouds
- AWS · Azure · GCP
The work, not the job title.
How I show up: defend systems, make models useful, harden the cloud, and still ship the product. Four lanes — one through-line: fewer surprises, faster answers.
SOC work for me is a loop: see something wrong, make it show up in the data next time, and shorten the line between alert and answer. I care about the unglamorous stuff — detections that do not false-positive the team to death, and case notes the next shift can actually use.
Cloud security is the other half. I start from identity and blast radius, then work outward: getting the right logs into the right pipeline, tightening posture before the auditor asks, and making sure the control plane is as monitored as the endpoints.
In the queue with you, not above it.
I triage, correlate, and chase until the story makes sense. When the root cause is an attacker, you get a written trail. When it is bad hygiene, the detection and the playbook get a bump anyway.
- Case ownership: from first alert to clean handoff or close
- ATT&CK-mapped hunts with a testable hypothesis, not a keyword safari
- Detection rules, tuning notes, and postmortems people will actually read
Clouds are just someone else's computers.
I start from identity and blast radius, then work outward — getting logs into a place an analyst can stand on, tightening posture before the auditor asks, and making sure the control plane is as monitored as the endpoints.
- Least privilege you can still operate under across AWS, Azure, and GCP
- Log pipelines: CloudTrail, Entra, GCP Audit — into the same hunt brain
- Posture management, misconfiguration triage, and container hardening
Better detections start with attacker empathy.
I approach defense from an attacker's perspective. Knowing how initial access, lateral movement, and exfil actually work in the wild is what separates a rule that fires from one that catches something real.
- Penetration testing fundamentals: recon, exploitation, post-exploitation
- Purple-team thinking: test the detection before the attacker does
- CVE research and exploit analysis to keep detection logic current
Automation is the analyst's force multiplier.
Python, APIs, and AI agents — used to close the gap between alert volume and analyst bandwidth. I build the tooling that handles the repetitive work so the analyst can focus on the case that actually needs them.
- SOAR playbooks and Python scripts that cut triage time, not corner cases
- LLM-assisted case enrichment, IOC lookup, and log summarisation
- Detection-as-code: version-controlled rules with CI-gated testing
The tools I reach for.
Core day-one tools, what I'm actively working with, and what I'm sharpening next.
Security Operations
What I use to detect, hunt, and respond.
Offensive & Forensics
Thinking like the adversary to defend better.
Cloud & Platform
Where I deploy, harden, and monitor.
AI & Agents
Where agentic systems meet the real world.
Full-Stack Engineering
Shipping the products I help defend.
Projects that shipped
Built, deployed, and defended.
Sound Rights Platform
2025

On-chain IP verification for musicians — provenance, licensing, and AI-assisted originality checks.
Stack
LSTM Signal Engine on SingularityNET
2024

A deep-learning analyzer for AI tokens — comparing robustness, accuracy, and decisiveness signals.
Stack
Agentic Market Intelligence
2025

AI agent that watches multi-protocol portfolios and surfaces sentiment-weighted market moves in real time.
Stack
SOC Detection Lab
2026
A home lab that simulates attacker TTPs against Wazuh + ELK to build and tune custom detections mapped to MITRE ATT&CK.
Stack
Agentic Triage Copilot
2026
An LLM copilot that enriches and triages SOC alerts — pulling IOCs, threat-intel, and prior cases before an analyst even opens the ticket.
Stack
Engineer → AI builder → Security operator.
Same curiosity, broader lens. I stack layers instead of replacing them.
- 2025 — Present (current)
SOC Analyst / Security Engineer
@ Security Operations
Triaging alerts across SIEM + EDR, running ATT&CK-driven threat hunts, tuning detections, and contributing to IR playbooks and post-incident reviews.
SIEM · EDR · MITRE ATT&CK · Incident Response
- 2024 — 2025
AI / Agentic Systems Engineer
@ Independent & Open-Source
Designed LLM agents with tool-use and RAG over private corpora. Shipped production AI features (sentiment, market intelligence, IP verification) across Web3 and consumer apps.
LLM Agents · RAG · LangGraph · Python · TypeScript
- 2022 — 2024
Full-Stack & Smart Contract Engineer
@ Startups & Hackathons
Shipped multiple production dApps and SaaS products on Next.js, Node, Python, and Solidity — winning hackathons and learning how real attackers think.
Next.js · Node · Solidity · Python · Postgres
- 2020 — 2022
Software Engineer — Early Career
@ Learning the craft
Built the engineering foundation: clean code, systems thinking, testing, and shipping. This is where the attacker-empathy began.
TypeScript · React · Git · Linux
What I'm earning, and what I'm sharpening.
A live look at the certifications I'm pursuing — with the modules, exam codes, and where I'm at.
CompTIA Security+
CompTIA
The vendor-neutral baseline for security: I'm using it to lock in the fundamentals I touch every day in the SOC.
- General Security Concepts
- Threats, Vulnerabilities & Mitigations
- Security Architecture
- Security Operations
- Security Program Management
CompTIA CySA+
CompTIA
Blue-team focused: detection engineering, threat intelligence, and the analyst workflow I live in.
- Security Operations
- Vulnerability Management
- Incident Response & Management
- Reporting & Communication
AWS Cloud Practitioner
Amazon Web Services
Anchoring AWS fundamentals so my cloud-security work rests on the right primitives: IAM, KMS, CloudTrail, GuardDuty.
- Cloud Concepts
- Security & Compliance
- Technology & Services
- Billing, Pricing & Support
TryHackMe & HackTheBox Paths
TryHackMe / HTB Academy
Hands-on labs across blue, red, and cloud security tracks — where the theory becomes muscle memory.
- SOC Level 1
- Cyber Defense
- Junior Penetration Tester
- AD enumeration & lateral movement
What people I've worked with say
Colleagues and clients — across security, AI, and product.
Richard was instrumental in transforming our website into a powerful digital experience. His attention to detail and his grasp of our brand were exceptional — we're thrilled with the work he delivered.
A quick read on who I am
Short on fluff, long on why I do the work.
I work across the full security lifecycle — from triaging alerts and hunting threats in the SOC, to hardening cloud environments, running penetration tests, and handling incident investigations. I understand both how attacks are built and how to make them show up in the data.
I started as a full-stack engineer shipping production apps and smart contracts, which shapes how I defend them today: with attacker empathy, an understanding of what developers actually ship, and a preference for automation over toil.
If you're building something ambitious that needs to be fast, well-instrumented, and hard to compromise — we should talk.
Small things about how I work
- Run CLI over GUI whenever possible
- Curious about how adversaries really think
- Long walks when a problem refuses to solve
- Deep-focus music while hunting logs
- Coffee-driven development, lightly caffeinated
GitHub
Have a system that needs building — or defending?
I'm open to SOC, detection-engineering, and AI-agent roles, and to select contract work. The fastest way in is email.
- ▸ role or brief
- ▸ timeline and urgency
- ▸ stack / environment
- ▸ risk model (if any)