Raylee Hawkins

This is a working security operations system, not a static portfolio.

I built and operate SignalFoundry — a 35-script Python pipeline that ingests Wazuh alerts, performs policy-driven triage, and publishes redacted escalation packs. 210 detection rules across Sigma, Wazuh, and Splunk, plus 10 IR playbooks. Every metric is CI-verified. Every claim is reproducible.

Sept 2025: zero computer experience. Mar 2026: 324,074 verified cases processed by a live pipeline running on a fixed cadence. Previous career: production supervisor — 30+ operators, IATF audit compliance, mandatory 12-hour shifts. The domain changed. The discipline didn't.

Huntsville, AL · Available for SOC / Detection roles
Latest (04-08-2026): Wazuh Windows telemetry remediation, a three-phase fix restoring process creation visibility across the lab fleet (documented as a case study).
SignalFoundry Pipeline (Live)

Every alert passes through this system.

[Figures: SignalFoundry 7-stage pipeline diagram; AutoSOC triage decision flow]
Case Disposition: 324,074 total cases, split across Auto-Closed, Known FP, and Escalated.

MITRE ATT&CK Tactic Coverage (rules per tactic):
  • IMP (Impact): 13
  • PER (Persistence): 11
  • PE (Privilege Escalation): 10
  • DE (Defense Evasion): 10
  • CA (Credential Access): 10
  • DIS (Discovery): 10
  • LM (Lateral Movement): 10
  • COL (Collection): 10
  • EXF (Exfiltration): 10
  • EXE (Execution): 9

SignalFoundry

Wazuh alerts in → policy-driven triage → mandatory redaction → evidence packs → reconciliation gate → published proof. 35-script Python pipeline. Deterministic. Nothing publishes without PASS.

Detection Inventory (210 rules + 10 playbooks):
  • Sigma: 103 rules, covering 10 MITRE ATT&CK tactics, portable
  • Wazuh XML: 28 custom rule blocks, live in Wazuh
  • Splunk SPL: 79 queries, investigation layer, home lab
  • IR Playbooks: 10, 7-step structured, reproducible evidence

How alerts become evidence

Every alert enters the same pipeline. Most are auto-closed. The rest produce structured evidence packs.

Case Processing Funnel:
  • Alert Intake: 324,074 total cases
  • Auto-Closed Benign: ~88%, policy-matched, no human action
  • Escalated for Review: 8,574, analyst judgment required
  • Evidence Packs Published: redacted, gated, repo-committed
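To make the funnel above and the reconciliation gate described under "Pipeline integrity" concrete, here is an added Python model of the same flow (example code, not SignalFoundry's own): policy-driven triage of Wazuh-style alerts, mandatory redaction of anything escalated, and a reconciliation step that publishes nothing unless every intake case is accounted for exactly once. The rule IDs, agent names, alert fields and policy entries are constructed for the example.

```python
import re
from collections import Counter

# Constructed policy: (custom Wazuh rule ID in the 100000+ range, agent) pairs
# that are known-benign on that host and may be auto-closed without review.
AUTO_CLOSE_POLICY = {("100010", "lab-dc01"), ("100011", "lab-ws02")}

# Mandatory redaction applied to every escalated evidence pack.
REDACTIONS = [
    (re.compile(r"\b[A-Za-z0-9-]+\\[A-Za-z0-9.$-]+"), "<DOMAIN_USER>"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<IP>"),
]

def triage(alert):
    """Policy-driven disposition: 'auto_closed', or 'escalated' with a redacted pack."""
    if (alert["rule_id"], alert["agent"]) in AUTO_CLOSE_POLICY:
        return "auto_closed", None
    evidence = alert["full_log"]
    for pattern, token in REDACTIONS:
        evidence = pattern.sub(token, evidence)
    return "escalated", {"case_id": alert["id"], "rule_id": alert["rule_id"], "evidence": evidence}

def reconcile(intake_ids, dispositions, packs):
    """Gate: distinct intake == auto_closed + escalated, and packs == escalated.
    Every mismatch is counted; anything other than 0 is a FAIL."""
    counts = Counter(d for d, _ in dispositions)
    mismatches = 0
    if len(set(intake_ids)) != counts["auto_closed"] + counts["escalated"]:
        mismatches += 1  # a case was dropped or counted twice between stages
    if len(packs) != counts["escalated"]:
        mismatches += 1  # an escalation has no evidence pack, or vice versa
    return ("PASS" if mismatches == 0 else "FAIL", mismatches, dict(counts))

def run(alerts):
    """Intake -> triage -> redact -> reconcile -> publish (only on PASS)."""
    dispositions = [triage(a) for a in alerts]
    packs = [p for d, p in dispositions if d == "escalated"]
    status, mismatches, counts = reconcile([a["id"] for a in alerts], dispositions, packs)
    return {"status": status, "mismatches": mismatches, "counts": counts,
            "published": packs if status == "PASS" else []}

# Constructed sample alerts in the shape of Wazuh alert fields.
SAMPLE_ALERTS = [
    {"id": "c1", "rule_id": "100010", "agent": "lab-dc01", "full_log": "scheduled backup ok"},
    {"id": "c2", "rule_id": "100020", "agent": "lab-ws02",
     "full_log": "logon LAB\\jdoe from 10.0.0.15 via 4624"},
    {"id": "c3", "rule_id": "100011", "agent": "lab-ws02", "full_log": "av signature update"},
]

if __name__ == "__main__":
    print(run(SAMPLE_ALERTS))
```

Feeding the same alert twice (a duplicated case ID) makes the intake count disagree with the disposition count, so the gate reports FAIL and the published list stays empty.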

What the pipeline watches for

210 detection rules across 4 platforms, mapped to MITRE ATT&CK (+ 10 IR playbooks). A full searchable inventory is published separately.

Detection Platform Breakdown:
  • Sigma: 103 rules
  • Wazuh: 28 rule blocks
  • IR: 10 playbooks
  • Splunk: 79 queries (home lab only; not an enterprise or production SOC claim)
Sigma YAML

MITRE-mapped behavioral detections across tactic folders: process creation, lateral movement, credential access, persistence, and more.

Wazuh XML

Custom rule IDs (100000+ range), deployed to Wazuh Manager. Lab-validated with detection harness.

IR Playbooks

7-step structured response: detect, triage (5 min), investigate (30 min), contain, eradicate, recover, document.

Splunk SPL

Investigation queries against Wazuh-forwarded events. Home lab scope — not enterprise deployment.

Pipeline integrity

Locked snapshot from data/truth/current-authority.json. These values do not change from live telemetry; the full proof is published on /proof.

  • Public benchmark snapshot: reviewer-authoritative values from data/truth/current-authority.json.
  • Runtime snapshot: informational telemetry remains subordinate and is disclosed on /proof.
  • Generated at: LOCKED
  • Source artifact: site/data/truth/current-authority.json
  • Heartbeat: SUCCESS (pipeline health check)
  • Host Coverage: 8/8 (all endpoints reporting)
  • Escalations: 8,574 (analyst-ready evidence packs)
  • Reconciliation: PASS (0 mismatches between stages)
  • Locked: LOCKED (snapshot date)

Source: /assets/data/ops-metrics.json · Locked: 04-07-2026 · Generated at: 04-07-2026

Both the public benchmark snapshot and the runtime snapshot are drawn from the source artifact /assets/data/ops-metrics.json.

Manufacturing discipline, applied to security

I didn't break into cybersecurity. I transitioned operator discipline from automotive manufacturing into detection engineering. The systems instinct predates the portfolio.

Manufacturing Operations
  • Fehrer Automotive — Team Lead, A/B/I lines. Mercedes, BMW, VW, Tesla. IATF 16949 / TISAX. Promoted in under 5 months.
  • Unipres Alabama — Team Lead Supervisor, hot stamp + laser for Nissan. Schuler 16,000 kN press. ISO 9001. Mandatory 12-hour shifts.
  • Carrington Foods — Quality Control, Tier-1 U.S. Armed Forces supplier. SQF Ed. 9 "Excellent" / Platinum Award.
Security Operations
  • Sept 2025: Zero computer experience.
  • Dec 2025: Left Unipres. Started AI Model Evaluator role (detection, scripting, security reasoning).
  • Mar 2026: Automated pipeline. Verified public benchmark. 210 detection rules + 10 IR playbooks. Anthropic MCP + Claude API certified.
  • Result: SignalFoundry — built during mandatory 12-hour shifts.
The Parallel
  • Factory floor: quality gates, process control, escalation handling, reconciliation against spec, audit-ready documentation.
  • SOC pipeline: quality gates, policy-driven triage, escalation handling, reconciliation against truth, verified proof artifacts.

Verify it yourself

Every claim on this site traces back to a verification command. Clone the repo and run these:

# Count verification (source of truth)
pwsh -NoProfile -File ".\scripts\verify\verify-counts.ps1"

# Metrics generation
node scripts/generate-metrics.js

# Drift scan (HTML/JSON/Markdown consistency)
python scripts/drift_scan.py

# Metrics schema validation
python scripts/validate_metrics.py

# Site health diagnosis
node scripts/diagnose-site.js

# Full site data pipeline
node scripts/generate-site-data.js
