Building secure, scalable cloud infrastructure — and hunting the threats that target it.
I work across the full cloud security stack: infrastructure automation with Terraform and Ansible, container orchestration with Kubernetes and Docker, CI/CD pipelines with Jenkins, and proactive threat detection using MITRE ATT&CK-mapped Sigma rules, CrowdStrike Falcon, and Splunk. My projects reflect real-world engineering problems — not tutorials.
Cloud & Infrastructure AWS · Azure · Terraform · Ansible · EC2 · S3 · Lambda · Key Vault · Auto Scaling · Load Balancers
Containers & Orchestration Kubernetes · Docker · Docker Compose · Docker Swarm · Spring Boot on K8s
CI/CD & Automation Jenkins (multi-node, pipelines, Groovy libraries) · Python CD · Infrastructure as Code
Security & Threat Detection Sigma Rules · Detection-as-Code · MITRE ATT&CK · CrowdStrike Falcon · Splunk · Microsoft Sentinel · Elastic SIEM · SOC Monitoring · Threat Hunting · EDR · Azure Key Vault
| Project | What It Is |
|---|---|
| Sigma Detection Rules — 15-Rule ATT&CK Library | Production-grade detection-as-code library: 15 MITRE ATT&CK-mapped Sigma rules spanning credential access, lateral movement, exfiltration, persistence, defense evasion, and impact — each with Splunk SPL, Sentinel KQL, and Elastic translations |
| SOAR Playbooks — SOC Automation Library | 4 vendor-neutral SOAR playbooks (phishing response, suspicious login, malware/endpoint isolation, cloud misconfiguration) with Mermaid flowcharts, Python enrichment scripts (VirusTotal, MISP, IP geo), and mandatory human-in-the-loop approval gates mapped to MITRE ATT&CK |
| Kubernetes Container Security Pipeline | Three-layer DevSecOps pipeline: Trivy image scanning + OPA Gatekeeper admission control + Falco runtime threat detection on a live Minikube cluster |
| CrowdStrike Threat Hunt — SCATTERED SPIDER | Hypothesis-driven threat hunt against a real-world eCrime group using CrowdStrike Falcon CQL, mapped to MITRE ATT&CK v14 |
| Wiz + Palo Alto Cloud IR Playbook | End-to-end cloud incident response — Wiz Toxic Combination detection (Log4Shell + public S3 + IAM escalation) with Palo Alto Cortex XDR automated containment |
| Azure Cloud Security Lab | Hands-on Azure security lab covering Entra ID, RBAC, Defender for Cloud, Microsoft Sentinel, VNet/NSG, and KQL threat detection |
| Splunk SOC Monitoring Lab | End-to-end SOC monitoring environment built in Splunk with detection rules, alerts, and dashboards |
| AWS Disaster Recovery Strategy | Multi-region AWS DR architecture with RTO/RPO targets and automated failover |
| Azure Key Vault Lab | Secrets management and access policy automation using Azure Key Vault |
| Kubernetes Rolling Deployment | Zero-downtime rolling deployments on Kubernetes with health checks and rollback |
- sigma-detection-rules — 15 MITRE ATT&CK-mapped Sigma rules · Splunk SPL · Sentinel KQL · Elastic · detection-as-code
- soar-playbooks — 4 SOAR playbooks · phishing · suspicious login · malware · cloud misconfiguration · Python enrichment · MITRE ATT&CK · human-in-the-loop
- k8s-container-security-pipeline — Trivy · OPA Gatekeeper · Falco · three-layer Kubernetes security pipeline
- wiz-paloalto-cloud-ir-playbook — Wiz Toxic Combination detection · Palo Alto Cortex XDR · cloud incident response
- crowdstrike-threat-hunt-portfolio — CrowdStrike Falcon threat hunt · SCATTERED SPIDER · MITRE ATT&CK
- azure-cloud-security-lab — Entra ID · RBAC · Defender for Cloud · Microsoft Sentinel · KQL
- splunk-soc-monitoring-lab — Splunk SOC monitoring and detection
- aws-terraform-ec2-iac — EC2 provisioning with Terraform IaC
- aws-serverless-web-lambda — Serverless web application on AWS Lambda
- azure-key-vault-lab — Azure secrets management
- disaster-recovery-strategy-aws — AWS multi-region DR strategy
- load-balanced-autoscaling-webservers — ALB + ASG with Terraform
- terraform-remote-state-s3 — Remote Terraform state in S3
- modular-webserver-infrastructure — Modular Terraform web infrastructure
- python-appserver-provisioner — EC2 Python app server via Terraform + Ansible
- kubernetes-rolling-deployment-demo — Zero-downtime K8s rolling deployments
- kubernetes-core-namespaces-demo — Kubernetes namespace architecture
- kubernetes-mysql-persistent-volume-demo — MySQL with persistent volumes on K8s
- kubernetes-cluster-ec2-infrastructure — K8s cluster on EC2 with Terraform
- spring-boot-k8s-vulnerability-remediation — Spring Boot containerisation and K8s security hardening
- docker-swarm-ec2-provisioner — Docker Swarm on EC2 with Terraform + Ansible
- ghost-blog-docker-compose — Ghost + MySQL via Docker Compose
- docker-springboot-container-build — Spring Boot Docker container build
- jenkins-ci-cd-springboot-docker — Jenkins pipeline for Spring Boot + Docker
- jenkins-docker-springboot-ci — Jenkins + Docker + Maven CI for Spring Boot
- jenkins-multi-node-infrastructure — Multi-node Jenkins master setup on EC2
- jenkins-groovy-reporting-library — Reusable Groovy library for Jenkins build reports
- python-ci-cd-pipeline — Jenkins + Ansible CD pipeline for Python apps
- ansible-control-node-provisioner — Provision Ansible control node on EC2
- ansible-managed-nodes-provisioner — Provision managed nodes for Ansible
- ansible-control-node-setup — SSH key generation and control node config
- ansible-sandbox-ec2 — EC2 sandbox with Ansible pre-installed
- mariadb-ansible-setup — MariaDB install and config via Ansible
- httpd-static-web-deployment — Apache HTTP static site deployment via Ansible
- terratest-infrastructure — Infrastructure testing with Terratest
- Detection-as-code: expanding the MITRE ATT&CK-mapped Sigma rule library with Splunk, Sentinel, and Elastic coverage
- SOAR playbook development: automating SOC response workflows with human-in-the-loop approval gates
- Cloud security architecture and detection engineering across AWS and Azure environments