Senior SOC Analyst (L3) with 5+ years across enterprise and MSSP environments. I'm the escalation point teams reach when the alert is real, the clock is loud, and the next call decides whether containment beats compromise. I lead with risk and business impact, not severity scores — and I document every move so the next analyst, manager, or auditor can follow the trail.
Outside of work I build open-source SOC labs that mirror enterprise stacks, so analysts can train on Splunk / QRadar / Sentinel / CrowdStrike-class tooling without the licensing wall.
| Area | Detail |
|---|---|
| Incident Response | End-to-end IR — detection → investigation → containment → recovery → RCA |
| Threat Hunting | Hypothesis-driven hunts, Sigma rule authoring, behaviour-based detection |
| Detection Engineering | Custom Splunk / QRadar / Wazuh rules, tuning, false-positive reduction |
| SOAR & Automation | Playbook design, alert enrichment, Python automation |
| Cloud & XDR | Microsoft Sentinel, Defender XDR, CrowdStrike Falcon investigations |
| Lab Building | Open-source SOC labs that mirror enterprise stacks — free for the community |
- 🔭 Building — AI-augmented SOC automation: LLM-assisted alert triage, autonomous detection pipelines, agentic IR playbooks (CrewAI + Ollama)
- 🌱 Learning — Sigma rule authoring at scale · adversary emulation with Caldera · detection-as-code with CI/CD validation
- 🧪 Writing — Open-source SOC labs others can clone in 15 min (see Featured Labs below)
- 🎤 Discussing — detection engineering, SOAR design, the false-positive economy in modern SOCs
SIEM tuning · MITRE ATT&CK mapping · incident response playbooks · SOC home labs · L1 → L3 career progression · interview prep for SOC roles · transitioning from MSSP to in-house SOC · open-source SOAR vs. commercial vendors
- SIEM / XDR / EDR
- DFIR & Threat Intel
- Detection Engineering & Frameworks
- Offensive Security & Pen-Testing
- SOAR & Scripting
🌟 Top repo this week: soc-lab-free (8 views · 14 clones · ⭐ 1 star, last 7 days)

- 12-tool SOC lab — OpenSearch · Suricata · Zeek · MISP · Caldera · Velociraptor + AI agents. Docker Compose, MITRE ATT&CK v14, 15 built-in detection rules.
- AI-augmented open-source SOC — Wazuh + TheHive + Shuffle + MISP + Ollama (LLaMA3) for automated alert triage.
- 100% free SOC lab — OpenVAS, Wazuh, pfSense, Proxmox Mail, Lynis replacing Nessus, Splunk, Netskope, Mimecast.
- 🛡️ soc-lab: SOC analyst home lab — Wazuh SIEM, Sysmon, brute-force detection, MITRE ATT&CK mapping, IR workflow.
- Advanced threat detection lab — Zeek · RITA · Arkime · Velociraptor · OSQuery · MISP · TheHive · Shuffle.
- Autonomous SOC with AI-driven detection, automated response, and self-healing playbooks.
- Containerised blue-team platform — Wazuh SIEM · Suricata · Zeek · MISP · TheHive · SOAR. Published at cybertechnology.in.
- Enterprise-grade prompt injection detection and AI firewall — 22 detectors, OWASP LLM Top 10, SARIF/SIEM output, FastAPI + Docker.
A SOC analyst is judged on the quality of detections they ship, not the tools they list. Two examples below.
Sigma rule — encoded PowerShell with obfuscation indicators

```yaml
title: Suspicious Encoded PowerShell Execution
id: 7c1e9b34-2f4a-4e6d-9a1c-1d5b7c0a4e91
status: stable
description: >
  Detects PowerShell launched with base64-encoded command lines, a common
  technique used by malware loaders and red teams to evade plaintext detection.
references:
  - https://attack.mitre.org/techniques/T1059/001/
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|endswith: '\powershell.exe'
  encoded:
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - 'FromBase64String'
  condition: selection and encoded
falsepositives:
  - Admin scripts that legitimately use encoded commands (rare; pin to known hashes).
level: high
tags:
  - attack.execution
  - attack.t1059.001
```

Splunk SPL — lateral movement via SMB admin shares
```spl
index=wineventlog EventCode=5140
    ShareName IN ("\\\\*\\ADMIN$", "\\\\*\\C$")
    AccessMask="0x1"
| stats dc(ComputerName) as host_count
        values(ComputerName) as hosts
        values(IpAddress) as src_ips
        count
  by Account_Name
| where host_count >= 5 AND count >= 10
| eval risk_score = host_count * 10 + (count / 5)
| sort - host_count
```
Triggers when one account touches ADMIN$ or C$ on 5+ distinct hosts (and generates 10+ share-access events in total) within the search window: classic post-exploitation lateral movement (PsExec, Impacket, Cobalt Strike psexec_psh).
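The same aggregation as the SPL above, re-implemented in Python as an added example (not code from this README or from any of the labs it lists) so the thresholds can be exercised offline against constructed Event ID 5140 records. Field names mirror the SPL (EventCode, ShareName, AccessMask, ComputerName, IpAddress, Account_Name); the accounts, hostnames and IP addresses are constructed sample values.

```python
"""Added example (not code from the original README or its labs): the SMB
admin-share lateral-movement logic from the SPL above, re-implemented in plain
Python so the thresholds can be exercised offline against constructed
Event ID 5140 records. Field names follow the SPL; all sample values are
constructed."""
from collections import defaultdict
from fnmatch import fnmatchcase

ADMIN_SHARES = (r"\\*\ADMIN$", r"\\*\C$")   # same wildcards as the SPL IN(...) clause
MIN_HOSTS = 5                               # `where host_count >= 5`
MIN_EVENTS = 10                             # `where count >= 10`


def is_admin_share_access(event):
    """Base search: Event ID 5140, ADMIN$ or C$ share, AccessMask 0x1 (ReadData)."""
    if event.get("EventCode") != 5140 or event.get("AccessMask") != "0x1":
        return False
    return any(fnmatchcase(event.get("ShareName", ""), pat) for pat in ADMIN_SHARES)


def aggregate_by_account(events):
    """Equivalent of `stats dc(ComputerName) values(ComputerName) values(IpAddress) count by Account_Name`."""
    per_account = defaultdict(lambda: {"hosts": set(), "src_ips": set(), "count": 0})
    for ev in events:
        if not is_admin_share_access(ev):
            continue
        row = per_account[ev["Account_Name"]]
        row["hosts"].add(ev["ComputerName"])
        row["src_ips"].add(ev["IpAddress"])
        row["count"] += 1
    return per_account


def find_lateral_movement(events):
    """Apply the `where` thresholds, add risk_score and sort like the SPL."""
    hits = []
    for account, row in aggregate_by_account(events).items():
        host_count = len(row["hosts"])
        if host_count >= MIN_HOSTS and row["count"] >= MIN_EVENTS:
            hits.append({
                "Account_Name": account,
                "host_count": host_count,
                "hosts": sorted(row["hosts"]),
                "src_ips": sorted(row["src_ips"]),
                "count": row["count"],
                "risk_score": host_count * 10 + row["count"] / 5,
            })
    return sorted(hits, key=lambda h: h["host_count"], reverse=True)


def make_event(account, host, ip, share=r"\\*\ADMIN$", mask="0x1", code=5140):
    """Build one constructed 5140-style record with the fields the SPL reads."""
    return {"EventCode": code, "ShareName": share, "AccessMask": mask,
            "ComputerName": host, "IpAddress": ip, "Account_Name": account}


# Constructed sample telemetry: one service account fanning out to six hosts
# (two reads each), one admin touching two hosts, and one non-admin share.
SAMPLE_EVENTS = (
    [make_event("CORP\\svc_backup", f"WS{n:02d}", "10.0.5.23")
     for n in range(6) for _ in range(2)]
    + [make_event("CORP\\jdoe", "WS01", "10.0.7.4"),
       make_event("CORP\\jdoe", "WS02", "10.0.7.4", share=r"\\*\C$"),
       make_event("CORP\\jdoe", "FS01", "10.0.7.4", share=r"\\*\Public")]
)

if __name__ == "__main__":
    for hit in find_lateral_movement(SAMPLE_EVENTS):
        print(hit)
```

The search-window scoping is left to the caller (pass in only the events from the window you are evaluating); the admin who touched two hosts stays below both thresholds, which is the behaviour the SPL relies on to keep routine administration out of the alert queue.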
A curated cross-section of live detection rules from across my open-source labs — what each rule catches, why it matters, and a link to the YAML. Every row is auto-generated from the actual rule files; click any source link to read the full logic.
📋 Detection case studies — 10 representative rules from my live detection portfolio
| Technique | Tactic | What the rule catches | Severity | Source |
|---|---|---|---|---|
| T1003.001 | Credential Access | LSASS process memory dumping | Critical | advanced-soc-lab-v2.0 |
| T1110 | Credential Access | Password brute-force / spray | High | advanced-soc-lab-v2.0 |
| T1059.001 | Execution | Encoded / obfuscated PowerShell execution | Critical | advanced-soc-lab-v2.0 |
| T1557.001 | Credential Access | Adversary-in-the-middle (LLMNR / NBT-NS / mDNS poisoning) | High | advanced-soc-lab-v2.0 |
| T1071 | Command & Control | Application-layer C2 beaconing | Critical | advanced-soc-lab-v2.0 |
| T1078.004 | Initial Access | Detects two successful interactive sign-ins for the same user from locations whose great-circle distance ca… | High | sentinel-detection-engine |
| T1621 | Credential Access | Detects 5+ failed MFA prompts followed by a successful sign-in for the same user within 30 minutes. | High | sentinel-detection-engine |
| T1213.002 | Collection | Detects users downloading > 200 files within 1 hour from SharePoint or OneDrive, with comparison to the use… | Medium | sentinel-detection-engine |
| T1071 | Command & Control | Detects C2 beaconing behavior based on regular interval connections to external hosts. | Medium | soc-threat-hunting-lab |
| T1071.004 | Command & Control | Detects DNS tunneling by identifying unusually long subdomain queries or high query frequency to the same d… | Medium | soc-threat-hunting-lab |
Auto-generated from the YAML in each lab — refreshes weekly via .github/workflows/detection-portfolio.yml. Click any rule link to read the full detection logic.
Configured detection windows for frequency-based rules in my labs — i.e. how many events must occur in what time span before each rule fires. Parsed from each rule's num_events and timeframe YAML fields; the values here are the same ones the live rules use in production.
| Rule | Type | Trigger | Worst-case latency | Source |
|---|---|---|---|---|
| T1003.001 — LSASS Credential Dumping | any | Fires on first match (no time aggregation) | near real-time | T1003_credential_dump.yml |
| T1110 — Brute Force Authentication Attack | frequency | 10 events in 5m | ≤ 5m | T1110_brute_force.yml |
| T1059.001 — Suspicious Encoded PowerShell | any | Fires on first match (no time aggregation) | near real-time | T1059_powershell.yml |
| T1557 — LLMNR/NBT-NS Poisoning (Responder) | any | Fires on first match (no time aggregation) | near real-time | T1557_responder.yml |
| T1071 — C2 Beacon Detected (Suricata) | any | Fires on first match (no time aggregation) | near real-time | network_c2_beacon.yml |
| Entra ID - Impossible Travel Between Sign-Ins | scheduled-query | KQL polled every 1h | ≤ 60m | EntraID_ImpossibleTravel.yaml |
| Entra ID - MFA Fatigue Followed by Success | scheduled-query | KQL polled every 30m | ≤ 30m | EntraID_MFAFatigue.yaml |
| M365 - Mass SharePoint / OneDrive Download | scheduled-query | KQL polled every 1h | ≤ 60m | M365_MassSharePointDownload.yaml |
| C2 Beaconing via Regular Network Connection | sigma | Sigma — backend-defined (Splunk/QRadar/Elastic timing) | backend-dependent | c2-beaconing.yml |
| DNS Tunneling via Long Subdomain Queries | sigma | Sigma — backend-defined (Splunk/QRadar/Elastic timing) | backend-dependent | dns-tunneling.yml |
Latency = the rule's own detection window (parsed from timeframe, queryFrequency, or type). Portfolio spread: 1–60 minutes worst-case. These are configured windows, not measured end-to-end times — click any source link to verify the raw values.
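How the Trigger and Worst-case latency columns can be derived from rule metadata, as an added example (not the detection-portfolio.yml workflow's own code). It assumes ElastAlert-style fields on the lab rules (`type` of `any` or `frequency`, `num_events`, and `timeframe` as a mapping such as `{minutes: 5}`), a `queryFrequency` on Sentinel rules in either short form (`1h`, `30m`) or ISO 8601 (`PT1H`), and `logsource`/`detection` keys on plain Sigma rules; the sample rule records are constructed.

```python
"""Added example, not the portfolio workflow's own code: derive the Trigger and
Worst-case-latency columns from rule metadata (see the lead-in for what is
assumed about the rule formats)."""
import re

# Duration parsing: Sentinel YAML short form ("1h", "30m") and ISO 8601 ("PT1H").
_SHORT = re.compile(r"^(\d+)([smhd])$", re.IGNORECASE)
_SHORT_UNIT = {"s": 1 / 60, "m": 1, "h": 60, "d": 1440}
_ISO = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
_TIMEFRAME_UNIT = {"seconds": 1 / 60, "minutes": 1, "hours": 60, "days": 1440}


def duration_minutes(text):
    """'30m' / '1h' or 'PT30M' / 'P1DT2H' -> minutes; ValueError if unparseable."""
    text = text.strip()
    m = _SHORT.match(text)
    if m:
        return int(m.group(1)) * _SHORT_UNIT[m.group(2).lower()]
    m = _ISO.match(text.upper())
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def timeframe_minutes(timeframe):
    """ElastAlert timeframe mapping, e.g. {'hours': 1, 'minutes': 30} -> 90."""
    return sum(float(v) * _TIMEFRAME_UNIT[k] for k, v in timeframe.items())


def fmt_minutes(minutes):
    """Render whole hours as '1h', everything else in minutes ('5m', '90m')."""
    if minutes >= 60 and minutes % 60 == 0:
        return f"{int(minutes // 60)}h"
    return f"{minutes:g}m"


def detection_window(rule):
    """Return (trigger, worst_case_latency) for one rule's metadata."""
    if "queryFrequency" in rule:                       # Sentinel scheduled query
        mins = duration_minutes(rule["queryFrequency"])
        return f"KQL polled every {fmt_minutes(mins)}", f"≤ {mins:g}m"
    rtype = rule.get("type")
    if rtype == "frequency":                           # ElastAlert frequency rule
        mins = timeframe_minutes(rule["timeframe"])
        return f"{rule['num_events']} events in {fmt_minutes(mins)}", f"≤ {mins:g}m"
    if rtype == "any":                                 # ElastAlert match-on-first-event rule
        return "Fires on first match (no time aggregation)", "near real-time"
    if "logsource" in rule and "detection" in rule:    # plain Sigma: timing set by the backend
        return "Sigma (backend-defined: Splunk/QRadar/Elastic timing)", "backend-dependent"
    raise ValueError(f"cannot classify rule {rule.get('name') or rule.get('title')!r}")


def portfolio_rows(rules):
    """(name, trigger, latency) per rule, ready to render as the table above."""
    return [(r.get("name") or r.get("title"), *detection_window(r)) for r in rules]


# Constructed sample metadata in the three assumed formats.
SAMPLE_RULES = [
    {"name": "T1110 - Brute Force Authentication Attack", "type": "frequency",
     "num_events": 10, "timeframe": {"minutes": 5}},
    {"name": "T1003.001 - LSASS Credential Dumping", "type": "any"},
    {"name": "Entra ID - Impossible Travel Between Sign-Ins", "queryFrequency": "1h"},
    {"name": "Entra ID - MFA Fatigue Followed by Success", "queryFrequency": "PT30M"},
    {"title": "DNS Tunneling via Long Subdomain Queries",
     "logsource": {"category": "dns"}, "detection": {"condition": "selection"}},
]

if __name__ == "__main__":
    for name, trigger, latency in portfolio_rows(SAMPLE_RULES):
        print(f"| {name} | {trigger} | {latency} |")
```

A rule that fits none of the recognised shapes raises rather than being silently labelled, so a malformed or renamed field surfaces in the workflow run instead of producing a plausible-looking but wrong latency figure.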
📡 Personal lab + blog covering SOC operations, detection engineering, threat hunting walkthroughs, and open-source security tooling. Screenshot refreshes automatically — click to visit.
Auto-refreshed daily by GitHub Actions. CVE feed from NIST NVD; threat headlines from public security RSS sources.
| Field | Value |
|---|---|
| CVE ID | CVE-2018-25350 |
| CVSS v3.1 | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Published | 2026-05-23 |
userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.…
Source: NIST NVD. Last check: 2026-05-30 11:18 UTC. Auto-refreshed daily by cve-of-the-week.yml.
Last refresh: 2026-05-31 10:54 UTC
The Hacker News
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
- ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface
- Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit
- New Russia-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks
BleepingComputer
- Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
- New CIFSwitch Linux flaw gives root on multiple distributions
- ChatGPT share links abused to host fake outage pages to deliver malware
- California AG sues 23andMe over 2023 breach exposing health data
Krebs on Security
- Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
- Lawmakers Demand Answers as CISA Tries to Contain Data Leak
- Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
- CISA Admin Leaked AWS GovCloud Keys on Github
Headlines pulled from public RSS feeds. Not endorsements — just situational awareness.
| Field | Value |
|---|---|
| Role | Senior SOC Analyst (L3) |
| Experience | 5+ years (enterprise + MSSP) |
| Specialties | IR · Detection Engineering · Threat Hunting · Cloud XDR |
| Open to | Senior SOC Analyst · L3 · Detection Engineer · Threat Hunter |
| Location preference | UK / EU / Remote |
| Availability | Open to conversations now |
| Languages | English · Telugu · Hindi |
| Website | cybertechnology.in |
| Email | sandeep.mothukuris@gmail.com |
| LinkedIn | sandeepmothukuri |
I'm actively open to Senior SOC Analyst / L3 / Detection Engineer / Threat Hunter roles. Remote-friendly, UK/EU preferred but happy to talk about anywhere with reasonable time-zone overlap.
📧 Fastest way to reach me: sandeep.mothukuris@gmail.com (typical reply within 24h). 🔗 Or send a LinkedIn message: linkedin.com/in/sandeepmothukuri
⭐ If a lab or write-up helped you, a star helps other SOC analysts find this work.
Released under the MIT License. © 2026 Sandeep Mothukuri.
