I'm Rezwan — a Senior SOC Analyst & Detection Engineer with 6+ years building 24×7 security operations across enterprise and healthcare. I turn high-volume telemetry into outcomes you can audit.
Trusted across enterprise & healthcare
// PROVEN OUTCOMES
Every project ships with metrics — because security operations only matter when leadership can see them.
// WHAT I DO
I'm not a generalist. My value is in the detection-to-response loop — engineering high-fidelity signals, leading the response when they fire, and automating everything in between so the team scales.
High-fidelity correlation rules and behavioral analytics in Splunk & Microsoft Sentinel — packaged in MITRE ATT&CK-mapped runbooks your team can actually use.
End-to-end IR for phishing, malware, ransomware, and lateral movement — with structured RCAs and post-IR reports executives understand.
Python and PowerShell playbooks that enrich alerts, ticket automatically, and contain hosts — turning a noisy queue into a force-multiplier.
// HOW I WORK
Every program follows the same disciplined rhythm — so improvements compound and outcomes hold up to audit.
Inventory log sources, agents, and identity boundaries against MITRE ATT&CK to find blind spots first.
Author detections with thresholds, suppression, and enrichment built in — not bolted on later.
Wrap repeatable triage in SOAR playbooks so analysts spend their time on the 5% that needs a human.
Every detection ships with a runbook, evidence template, and dashboard ready for ISO, SOC 2, or HIPAA review.
// SELECTED WORK
Three programs that defined my last six years — each with a clear challenge, a deliberate approach, and numbers leadership tracked.
Senior SOC Analyst · Atlanta, GA
Challenge
A 1,200-alerts-per-day queue was burning analysts out and audit cycles were leaning on tribal knowledge.
Approach
Re-architected correlation logic in KQL/SPL, deployed 12 SOAR playbooks across VirusTotal/OTX/Defender APIs, and packaged every hunt into MITRE-mapped runbooks.
Information Security Risk Analyst · Minneapolis, MN
Challenge
Critical CVEs were taking 96 hours to reach remediation in a HIPAA-bound healthcare estate. Email-borne phishing was the dominant initial-access vector.
Approach
Bridged ServiceNow with Qualys/Tenable in Python/Bash, hardened Defender for Office 365 with ZAP and custom transport rules, and recalibrated Splunk routing.
Junior Security Analyst · Ventois, MA
Challenge
No SIEM, no IDS, no playbooks — just raw log volume and a small team that needed to ship 24×7 monitoring.
Approach
Architected the Wazuh + ELK + Suricata stack from scratch, onboarded 20+ log sources, and authored 15 custom decoders with behavioral baselines.
// THE STACK
Battle-tested across enterprise SOC, healthcare security, and MSSP environments.
Splunk (SPL), Microsoft Sentinel (KQL), Wazuh, ELK Stack
Defender for Endpoint, SentinelOne, CrowdStrike Falcon
Suricata, Snort, Wireshark, tcpdump, NetFlow, Nmap
Python, PowerShell, Bash, REST/JSON, SOAR playbooks
Entra ID, Okta, Azure Security, Conditional Access, MFA
Qualys VMDR, Tenable, Nessus, OpenVAS, Burp Suite
VirusTotal, AlienVault OTX, MITRE ATT&CK, UEBA
ISO 27001, SOC 2, HIPAA, NIST 800-53, CIS Controls
ServiceNow, Jira, Confluence, Executive Dashboards
// CERTIFIED
// ABOUT
I started in network packet analysis at a small MSSP and grew into senior detection engineering work for Fortune 50 healthcare and enterprise mortgage. Six years in, I still believe the best SOC isn't the loudest one — it's the one whose detections are quiet because they're tuned, automated, and trusted.
I write detections in KQL and SPL, automate the boring parts in Python, and document everything so the next analyst — or auditor — can pick up where I left off.
// LET'S TALK
I'm currently exploring senior SOC, detection engineering, and incident response roles. Public Trust eligible, US-based, no sponsorship required.