Portfolio

Case Studies

Technical case studies from the SignalFoundry project. Each documents what happened, what I did, what the evidence shows, and how a reviewer can verify the claims. No sanitized post-mortems — these are built from session logs and proof artifacts.

Headline figures: 210 detection rules · 0 data loss events
Case Disposition Funnel: 324,074 alerts → 8,574 escalations
Alert Intake: 100%
Auto-Closed (Benign): ~61.6%
Known False Positives: ~26.5%
Review Queue: ~9.2%
Escalated: ~2.6%
~88% auto-closed · 0 reconciliation mismatches · 0 data loss events
Incident / IR — 2026-04-07
Production Race Condition Recovery
TOCTOU race condition in queue-cap enforcement at 505,836-file scale. Diagnosed from production tracebacks, fixed with 4 guard sites across 2 files, confirmed under live load with 1,056 files vanishing during sort — zero unhandled exceptions. Pipeline recovered from sub-ten-second crashes to 80+ minutes sustained processing.
TOCTOU race · VERDICT=PASS · 20 lines changed · Zero data loss
Incident Response — 2026-03-13
Pipeline Fault Recovery
Two independent defects surfaced simultaneously: the poller retry logic failed on URLError, and reconciliation was scoped against the wrong directory set. Both were diagnosed and fixed in one session, and the pipeline was restored to SUCCESS.
Dual-fault · MISMATCH_COUNT=0 · One session
Detection Engineering — 2026-03-24
Splunk Detection Rule Audit
Audited every Splunk detection rule against 283,976 events. Found four ways they would flood a real analyst with noise: empty CommandLine fields, no failed logon baseline, missing sourcetype coverage, and rex extraction fragility.
4 noise sources · 283,976 events · Self-audit
Security Hardening — 2026-03-29
Enterprise Security Hardening
Windows audit policy baseline assessment against Microsoft Security Baseline. 27 subcategories audited, 14 matched, 9 superset, 12 hardened beyond, zero regressions. 11 MITRE ATT&CK techniques unblocked. CommandLine logging enabled, security log expanded 20MB → 1GB.
0 regressions · 11 ATT&CK techniques · Microsoft baseline
Threat Hunting — 2026-03-24
Live Splunk Threat Hunt (EventID 4688)
Rex-based field extraction built from scratch, parent-process exclusion logic, surfaced Codex AI tool spawning pwsh.exe 375x. Correctly classified as tool behavior vs LOLBin abuse via temporal profiling and volume characterization.
375x classified · Rex extraction · Parent-child analysis
Detection Engineering
Sigma Detection Library
Platform-agnostic ATT&CK coverage: logsource schema, false positive filters, technique tagging, and multi-platform portability across 103 Sigma rules.
103 Sigma rules · MITRE ATT&CK
Detection Validation
Wazuh Detection Harness
Python harness querying Wazuh Indexer REST API after Atomic Red Team tests. Pass/fail reports per ATT&CK technique with evidence artifacts.
Atomic Red Team · Automated validation
Detection Engineering — 2026-04-08
Wazuh Windows Telemetry Remediation
Three-phase restoration of Windows process creation telemetry. Alert-level threshold, broken indexer pipeline, and unconfigured Sysmon — all diagnosed and fixed. 2,120+ Security 4688 alerts and 143 Sysmon EID 1 events indexed with full telemetry.
Zero visibility · 2,120+ 4688 alerts · 3-phase fix
Incident Response
IR Playbook Library
10 structured analyst playbooks built around a 7-section template: from alert detection to documentation, with escalation logic and MITRE ATT&CK coverage.
10 playbooks · 7-step template
Incident Response
IR Case: Level 12 FIM Alert
Full IR lifecycle on a Level 12 Wazuh FIM alert. Triaged and closed as BENIGN in 35 minutes. Evidence trail, PowerShell validation, and rule-tuning recommendations.
Level 12 · BENIGN in 35 min
Threat Hunting
When AI Tooling Looks Like a LOLBin
Live Splunk hunt on EventID 4688: codex.exe spawning pwsh.exe 375x per session — indistinguishable from LOLBin abuse until parent process path told the real story.
pwsh.exe 375x · Splunk hunt
Vulnerability Response
CVE-2025-55130: Detect to Remediation
Critical Node.js CVE detected by Wazuh during live monitoring, triaged, patched via winget, and verified closed. Full detect-to-remediation cycle with evidence.
CVE-2025-55130 · Patched + verified
SOC Operations
PP_SOC Integration: Live Detection Workflow
Wazuh rules deployed into a live SOC workflow: active agent coverage, 15,052 alerts in 24h, CVE remediation verified. Evidence-first approach.
15,052 alerts/24h · Live workflow
Lab Infrastructure
Cowrie Honeypot + Wazuh + Grafana
Docker-based SSH/Telnet honeypot feeding Wazuh Indexer with a Grafana dashboard for attacker session visualization. LAN-only, auditable deployment.
Cowrie SSH · Grafana · Docker
Coverage Distribution: 4 engineering domains
Incident Response (4): SignalFoundry Flagship, Race Condition Recovery, Pipeline Fault Recovery, Hotfix RCA
Detection & Response (4): Sigma Library · Wazuh Harness, Wazuh Telemetry Remediation, Splunk Detection Audit, IR Playbook Library
Threat Hunting (4): Splunk Codex LOLBin Hunt, EventID 4688 Analysis, CVE Detect-to-Remediation, SOC Integration Workflow
Infrastructure & Lab (3): AutoSOC Infrastructure Cutover, Cowrie Honeypot Stack, Security Hardening Baseline
Context

About these case studies

These aren't sanitized post-mortems written weeks after the fact. They're documented from the session logs and proof artifacts that exist on-system from the actual work. The source material — preflight output, pipeline logs, scheduler metadata, Splunk queries — is real and reviewable.

The SignalFoundry project processes a live queue of Wazuh security alerts across a home lab environment. These case studies capture the operational and engineering decisions made while keeping that system running and improving its detection capability.