Public proof summary

AI Security Operations Analyst Proof Summary

Governed SOC automation, detection engineering, LLM-output validation, and evidence-backed security workflows.

I build AI-assisted security operations workflows where model output is useful labor, not trusted judgment. My work focuses on the control layer around AI-assisted SOC work: validation, reconciliation, redaction, evidence packaging, reviewer gates, and public-claim discipline.

Primary proofHawkinsOps proof surface Detection surfaceSigma, Wazuh, and Splunk library GitHub sourceRepository source and public artifacts
Core thesis

AI is the labor layer, not the judgment layer.

The security value comes from the operating discipline around the model: what inputs are allowed, how outputs are checked, what evidence is preserved, what gets promoted, what gets deferred, and what claims are safe to publish.

Flagship proof

SignalFoundry: governed AI-assisted SOC pipeline

SignalFoundry is a 35-script Python SOC automation pipeline for Wazuh alert ingestion, policy-driven triage, sensitive-field redaction, reconciliation, and reviewer-gated evidence packaging.

324,074Verified cases processed
~88%Auto-close rate
8,574Escalation packs generated
0Reconciliation mismatches
ScriptsMetrics tied to reproducible validation artifacts
Detection-as-code proof

Detection-as-code library

Version-controlled detection content spanning Sigma, Wazuh XML, and Splunk SPL, mapped to MITRE ATT&CK and validated through custom structural checks.

  • 103 Sigma YAML rules
  • 79 Splunk detection searches across 9 SPL files
  • 25 Wazuh XML files / 29 Wazuh rule blocks
  • 123 MITRE ATT&CK techniques across 69 families
Concrete AI-assisted example

Wazuh silent-parent audit

Reviewed Wazuh parent-child relationships, identified dead chains, and shipped remediation rules covering:

WMI lateral movement / T1047 reg.exe credential extraction / T1003.002 PowerShell staging locations / T1059.001 netsh portproxy pivoting / T1090
AI accelerated the rule-surface review. Human judgment determined what shipped, what deferred pending validation, and how the remediation was worded for reviewer trust.
Governance model

Truth surfaces and promotion gates

HawkinsOperations separates truth surfaces so AI-assisted work does not become public proof by accident.

  • Source truth: artifact exists
  • Runtime truth: current runtime evidence exists
  • Signal truth: telemetry, alert, log, or output observed
  • Evidence truth: supporting material preserved and linked
  • Public proof: reviewed wording, evidence linkage, stale review, and approval
  • Human validation, evidence reconciliation, and promotion gates remain the trust mechanism
Manufacturing transfer

Manufacturing quality discipline applied to AI-assisted SOC work

My operating discipline comes from Tier-1 automotive manufacturing under IATF 16949, ISO 9001, and TISAX quality systems. That background taught standard work, shift handoffs, escalation paths, defect containment, audit trails, and quality gates. I apply the same discipline to AI-assisted security operations.

Reviewer links
Primary proofhawkinsops.com Detection surfacehawkinsops.com/detections GitHub sourcegithub.com/raylee-hawkins/HawkinsOperations Governance architecturehawkinsoperations.com Review/context layerrayleeops.com LinkedInlinkedin.com/in/raylee-hawkins

This page is a public-safe candidate summary. Source, runtime, signal, evidence, and public-proof claims remain separate trust surfaces.