Senior SOC Analyst (L3) with 5+ years across enterprise and MSSP environments. I'm the escalation point teams reach when the alert is real, the clock is loud, and the next call decides whether containment beats compromise. I lead with risk and business impact, not severity scores — and I document every move so the next analyst, manager, or auditor can follow the trail.
Outside of work I build open-source SOC labs that mirror enterprise stacks, so analysts can train on Splunk / QRadar / Sentinel / CrowdStrike-class tooling without the licensing wall.
| Area | Detail |
|---|---|
| Incident Response | End-to-end IR — detection → investigation → containment → recovery → RCA |
| Threat Hunting | Hypothesis-driven hunts, Sigma rule authoring, behaviour-based detection |
| Detection Engineering | Custom Splunk / QRadar / Wazuh rules, tuning, false-positive reduction |
| SOAR & Automation | Playbook design, alert enrichment, Python automation |
| Cloud & XDR | Microsoft Sentinel, Defender XDR, CrowdStrike Falcon investigations |
| Lab Building | Open-source SOC labs that mirror enterprise stacks — free for the community |
- 🔭 Building — AI-augmented SOC automation: LLM-assisted alert triage, autonomous detection pipelines, agentic IR playbooks (CrewAI + Ollama)
- 🌱 Learning — Sigma rule authoring at scale · adversary emulation with Caldera · detection-as-code with CI/CD validation
- 🧪 Writing — Open-source SOC labs others can clone in 15 min (see Featured Labs below)
- 🎤 Discussing — detection engineering, SOAR design, the false-positive economy in modern SOCs
SIEM tuning · MITRE ATT&CK mapping · incident response playbooks · SOC home labs · L1 → L3 career progression · interview prep for SOC roles · transitioning from MSSP to in-house SOC · open-source SOAR vs. commercial vendors
- SIEM / XDR / EDR
- DFIR & Threat Intel
- Detection Engineering & Frameworks
- Offensive Security & Pen-Testing
- SOAR & Scripting
🌟 Top repo this week: advanced-soc-lab-v2.0 — 26 views · 55 clones · ⭐ 3 stars (last 7 days)

- 12-tool SOC lab — OpenSearch · Suricata · Zeek · MISP · Caldera · Velociraptor + AI agents. Docker Compose, MITRE ATT&CK v14, 15 built-in detection rules.
- AI-augmented open-source SOC — Wazuh + TheHive + Shuffle + MISP + Ollama (LLaMA3) for automated alert triage.
- 100% free SOC lab — OpenVAS, Wazuh, pfSense, Proxmox Mail, Lynis replacing Nessus, Splunk, Netskope, Mimecast.
- 🛡️ soc-lab: SOC analyst home lab — Wazuh SIEM, Sysmon, brute-force detection, MITRE ATT&CK mapping, IR workflow.
- Advanced threat detection lab — Zeek · RITA · Arkime · Velociraptor · OSQuery · MISP · TheHive · Shuffle.
- Autonomous SOC with AI-driven detection, automated response, and self-healing playbooks.
- Containerised blue-team platform — Wazuh SIEM · Suricata · Zeek · MISP · TheHive · SOAR. Published at cybertechnology.in.
- Enterprise-grade prompt injection detection and AI firewall — 22 detectors, OWASP LLM Top 10, SARIF/SIEM output, FastAPI + Docker.
A SOC analyst is judged on the quality of detections they ship, not the tools they list. Two examples below.
Sigma rule — encoded PowerShell with obfuscation indicators

```yaml
title: Suspicious Encoded PowerShell Execution
id: 7c1e9b34-2f4a-4e6d-9a1c-1d5b7c0a4e91
status: stable
description: Detects PowerShell launched with base64-encoded command lines, a common technique used by malware loaders and red teams to evade plaintext detection.
references:
  - https://attack.mitre.org/techniques/T1059/001/
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image|endswith: '\powershell.exe'
  encoded:
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - 'FromBase64String'
  condition: selection and encoded
falsepositives:
  - Admin scripts that legitimately use encoded commands (rare; pin to known hashes).
level: high
tags:
  - attack.execution
  - attack.t1059.001
```

Splunk SPL — lateral movement via SMB admin shares
```spl
index=wineventlog EventCode=5140
  ShareName IN ("\\\\*\\ADMIN$", "\\\\*\\C$")
  AccessMask="0x1"
| stats dc(ComputerName) as host_count
        values(ComputerName) as hosts
        values(IpAddress) as src_ips
        count
  by Account_Name
| where host_count >= 5 AND count >= 10
| eval risk_score = host_count * 10 + (count / 5)
| sort - host_count
```

Triggers when one account touches ADMIN$/C$ on 5+ distinct hosts (with 10+ share-access events) within the search window — classic post-exploitation lateral movement (PsExec, Impacket, Cobalt Strike psexec_psh).
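To show what the two detections above actually evaluate, here is an added example (my own illustration, not code from the labs on this page) that re-implements both in plain Python over constructed sample events: the Sigma rule as a predicate on a Sysmon EventID 1 record, and the SPL search as a per-account aggregation over Security 5140 records. The event dictionaries, host names and account names are constructed for the demo; the Sigma matcher lower-cases both sides because Sigma's `contains`/`endswith` modifiers are case-insensitive by default, which is why `-enc` also covers `-EncodedCommand` and `-ENC`.

```python
"""Added example: the Sigma encoded-PowerShell rule and the SPL admin-share
lateral-movement search, re-implemented over constructed sample events."""
from collections import defaultdict

# --- Detection 1: Sigma "Suspicious Encoded PowerShell Execution" ---
# Sigma string modifiers are case-insensitive by default, so '-enc' also
# matches '-EncodedCommand'; the list mirrors the rule's CommandLine|contains.
ENCODED_INDICATORS = ("-enc", "-encodedcommand", "frombase64string")


def sigma_encoded_powershell(event: dict) -> bool:
    """True when a Sysmon EventID 1 record satisfies 'selection and encoded'."""
    if event.get("EventID") != 1:
        return False
    image = str(event.get("Image", "")).lower()
    if not image.endswith("\\powershell.exe"):      # Image|endswith
        return False
    cmd = str(event.get("CommandLine", "")).lower()
    return any(ind in cmd for ind in ENCODED_INDICATORS)


# --- Detection 2: SPL lateral movement via ADMIN$ / C$ ---
ADMIN_SHARES = ("ADMIN$", "C$")


def is_admin_share(share_name: str) -> bool:
    r"""Equivalent of ShareName IN ("\\*\ADMIN$", "\\*\C$") on a 5140 record."""
    return share_name.startswith("\\\\") and share_name.rsplit("\\", 1)[-1] in ADMIN_SHARES


def smb_lateral_movement(events, min_hosts=5, min_count=10):
    """Replicates the stats / where / eval / sort pipeline of the SPL search.

    Returns one row per Account_Name whose distinct-host count and event count
    clear the thresholds, sorted by host_count descending.
    """
    per_account = defaultdict(lambda: {"hosts": set(), "src_ips": set(), "count": 0})
    for ev in events:
        # Base search: EventCode=5140, admin share, AccessMask="0x1"
        if ev.get("EventCode") != 5140 or ev.get("AccessMask") != "0x1":
            continue
        if not is_admin_share(ev.get("ShareName", "")):
            continue
        agg = per_account[ev["Account_Name"]]
        agg["hosts"].add(ev["ComputerName"])       # dc(ComputerName), values(ComputerName)
        agg["src_ips"].add(ev["IpAddress"])        # values(IpAddress)
        agg["count"] += 1                          # count

    rows = []
    for account, agg in per_account.items():
        host_count = len(agg["hosts"])
        if host_count >= min_hosts and agg["count"] >= min_count:   # where clause
            rows.append({
                "Account_Name": account,
                "host_count": host_count,
                "hosts": sorted(agg["hosts"]),
                "src_ips": sorted(agg["src_ips"]),
                "count": agg["count"],
                "risk_score": host_count * 10 + agg["count"] / 5,    # eval risk_score
            })
    rows.sort(key=lambda r: r["host_count"], reverse=True)           # sort - host_count
    return rows


# --- Constructed sample events (not real telemetry) ---
SYSMON_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA..."},   # fires
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},  # no indicator
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -enc"},   # indicator present but wrong Image: must not fire
]


def build_smb_events():
    """Ten ADMIN$ connections by one account across five hosts, plus one benign share access."""
    evs = []
    for i in range(10):
        evs.append({"EventCode": 5140, "Account_Name": "CORP\\svc_backup", "AccessMask": "0x1",
                    "ShareName": "\\\\*\\ADMIN$", "ComputerName": f"WS-{i % 5:02d}",
                    "IpAddress": "10.0.0.25"})
    evs.append({"EventCode": 5140, "Account_Name": "CORP\\alice", "AccessMask": "0x1",
                "ShareName": "\\\\*\\Finance", "ComputerName": "FS-01", "IpAddress": "10.0.0.40"})
    return evs


if __name__ == "__main__":
    print([sigma_encoded_powershell(e) for e in SYSMON_EVENTS])
    for hit in smb_lateral_movement(build_smb_events()):
        print(hit)
```

The third Sysmon record is the one worth keeping in a unit test: it carries the `-enc` string but comes from cmd.exe, so a matcher that forgets the `selection` half of the condition would mis-fire on it. On the SMB side, the account in the sample clears both thresholds exactly (5 hosts, 10 events), which is the boundary the `where` clause is tuned at.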
A curated cross-section of live detection rules from across my open-source labs — what each rule catches, why it matters, and a link to the YAML. Every row is auto-generated from the actual rule files; click any source link to read the full logic.
📋 Detection case studies — 10 representative rules from my live detection portfolio
| Technique | Tactic | What the rule catches | Severity | Source |
|---|---|---|---|---|
| T1003.001 | Credential Access | LSASS process memory dumping | Critical | advanced-soc-lab-v2.0 |
| T1110 | Credential Access | Password brute-force / spray | High | advanced-soc-lab-v2.0 |
| T1059.001 | Execution | Encoded / obfuscated PowerShell execution | Critical | advanced-soc-lab-v2.0 |
| T1557.001 | Credential Access | Adversary-in-the-middle (LLMNR / NBT-NS / mDNS poisoning) | High | advanced-soc-lab-v2.0 |
| T1071 | Command & Control | Application-layer C2 beaconing | Critical | advanced-soc-lab-v2.0 |
| T1078.004 | Initial Access | Detects two successful interactive sign-ins for the same user from locations whose great-circle distance ca… | High | sentinel-detection-engine |
| T1621 | Credential Access | Detects 5+ failed MFA prompts followed by a successful sign-in for the same user within 30 minutes. | High | sentinel-detection-engine |
| T1213.002 | Collection | Detects users downloading > 200 files within 1 hour from SharePoint or OneDrive, with comparison to the use… | Medium | sentinel-detection-engine |
| T1071 | Command & Control | Detects C2 beaconing behavior based on regular interval connections to external hosts. | Medium | soc-threat-hunting-lab |
| T1071.004 | Command & Control | Detects DNS tunneling by identifying unusually long subdomain queries or high query frequency to the same d… | Medium | soc-threat-hunting-lab |
Auto-generated from the YAML in each lab — refreshes weekly via .github/workflows/detection-portfolio.yml. Click any rule link to read the full detection logic.
Configured detection windows for frequency-based rules in my labs — i.e. how many events must occur in what time span before each rule fires. Parsed from each rule's num_events and timeframe YAML fields; the values here are the same ones the live rules use in production.
| Rule | Type | Trigger | Worst-case latency | Source |
|---|---|---|---|---|
| T1003.001 — LSASS Credential Dumping | any | Fires on first match (no time aggregation) | near real-time | T1003_credential_dump.yml |
| T1110 — Brute Force Authentication Attack | frequency | 10 events in 5m | ≤ 5m | T1110_brute_force.yml |
| T1059.001 — Suspicious Encoded PowerShell | any | Fires on first match (no time aggregation) | near real-time | T1059_powershell.yml |
| T1557 — LLMNR/NBT-NS Poisoning (Responder) | any | Fires on first match (no time aggregation) | near real-time | T1557_responder.yml |
| T1071 — C2 Beacon Detected (Suricata) | any | Fires on first match (no time aggregation) | near real-time | network_c2_beacon.yml |
| Entra ID - Impossible Travel Between Sign-Ins | scheduled-query | KQL polled every 1h | ≤ 60m | EntraID_ImpossibleTravel.yaml |
| Entra ID - MFA Fatigue Followed by Success | scheduled-query | KQL polled every 30m | ≤ 30m | EntraID_MFAFatigue.yaml |
| M365 - Mass SharePoint / OneDrive Download | scheduled-query | KQL polled every 1h | ≤ 60m | M365_MassSharePointDownload.yaml |
| C2 Beaconing via Regular Network Connection | sigma | Sigma — backend-defined (Splunk/QRadar/Elastic timing) | backend-dependent | c2-beaconing.yml |
| DNS Tunneling via Long Subdomain Queries | sigma | Sigma — backend-defined (Splunk/QRadar/Elastic timing) | backend-dependent | dns-tunneling.yml |
Latency = the rule's own detection window (parsed from timeframe, queryFrequency, or type). Portfolio spread: 1–60 minutes worst-case. These are configured windows, not measured end-to-end times — click any source link to verify the raw values.
📡 Personal lab + blog covering SOC operations, detection engineering, threat hunting walkthroughs, and open-source security tooling.
Auto-refreshed daily by GitHub Actions. CVE feed from NIST NVD; threat headlines from public security RSS sources.
| Field | Value |
|---|---|
| CVE ID | CVE-2026-43633 |
| CVSS v3.1 | 10.0 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Published | 2026-05-19 |
HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by…
Source: NIST NVD. Last check: 2026-05-25 13:28 UTC. Auto-refreshed daily by cve-of-the-week.yml.
Last refresh: 2026-05-25 12:25 UTC
The Hacker News
- Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
- The Alert Firehose Finally Meets Its Match
- Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
- TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO
BleepingComputer
- Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
- Laravel Lang packages hijacked to deploy credential-stealing malware
- Italy disrupts CINEMAGOAL piracy app that stole streaming auth codes
- Netherlands seizes 800 servers of hosting firm enabling cyberattacks
Krebs on Security
- Lawmakers Demand Answers as CISA Tries to Contain Data Leak
- Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
- CISA Admin Leaked AWS GovCloud Keys on Github
- Patch Tuesday, May 2026 Edition
Headlines pulled from public RSS feeds. Not endorsements — just situational awareness.
| Field | Value |
|---|---|
| Role | Senior SOC Analyst (L3) |
| Experience | 5+ years (enterprise + MSSP) |
| Specialties | IR · Detection Engineering · Threat Hunting · Cloud XDR |
| Open to | Senior SOC Analyst · L3 · Detection Engineer · Threat Hunter |
| Location preference | UK / EU / Remote |
| Availability | Open to conversations now |
| Languages | English · Telugu · Hindi |
| Website | cybertechnology.in |
| Email | sandeep.mothukuris@gmail.com |
| | sandeepmothukuri |
I'm actively open to Senior SOC Analyst / L3 / Detection Engineer / Threat Hunter roles. Remote-friendly, UK/EU preferred but happy to talk about anywhere with reasonable time-zone overlap.
📧 Fastest way to reach me: sandeep.mothukuris@gmail.com — typical reply within 24h. 🔗 Or send a LinkedIn message: linkedin.com/in/sandeepmothukuri
⭐ If a lab or write-up helped you, a star helps other SOC analysts find this work.
Released under the MIT License. © 2026 Sandeep Mothukuri.
