Mission-driven cybersecurity architect and principal security engineer with 15+ years securing large-scale enterprise and DoD environments. Deep hands-on expertise across SIEM/UEBA/XDR/SOAR, data engineering, and Zero Trust architectures. Designs and operationalizes end-to-end security solutions that reduce attack surface and measurably improve detection and response through full lifecycle ownership—from strategy and gap analysis to deployment, optimization, and executive-level reporting. Builds resilient telemetry platforms (Kafka/Cribl/NiFi) that turn high-volume, multi-source events into actionable intelligence for SOC operations and leadership.
Lead Python-driven security tooling, threat hunting, and SIEM/XDR engineering for clients through Xbitium Technologies, with a focus on automation, telemetry quality, and high-fidelity detections.
▸ Show responsibilities & achievements
- Applied advanced Python techniques including multi-threading, async task scheduling, environment configuration, and dynamic JSON job building.
- Developed and deployed FastAPI/Flask services for real-time dashboards, telemetry monitoring, and system health views.
- Built custom modules and APIs for data parsing, RPC integration, JSON handling, and cross-system messaging between telemetry sources and analytics services.
- Delivered on-demand SIEM/XDR engineering and cyber architecture solutions, coordinating platform operations, maintenance windows, and integration/content management.
- Implemented KPI suites for alert fidelity, FP/TP ratios, agent coverage, EPS/GB-day, P95 ingestion latency, parser accuracy, and correlation runtime with automated scorecards.
- Performed historical investigations by replaying SIEM/XDR, firewall/IDS/IPS, VPN, and NetFlow/PCAP data to reconstruct attacks and validate detection accuracy.
- Led end-to-end SIEM/XDR deployments including gap analysis, vendor selection, architecture design, source onboarding, parser/TA development, and threat-intel IOC/hash enrichment.
Architected Splunk Enterprise Security for FHFA with MITRE-aligned use cases, tuned performance, and enabled the SOC with training, SOPs, and reporting.
▸ Show responsibilities & achievements
- Designed and deployed Splunk ES with ATT&CK-aligned detections, advanced correlation searches, and threat-intel integrations.
- Optimized Splunk performance and dashboard efficiency to maximize detection capabilities and operational visibility.
- Delivered SPL training and documentation for analysts and stakeholders, improving query skills and self-service analytics.
- Led IR enablement in Splunk: authored advanced use cases and custom alerts, built notable event workflows, and produced executive/compliance reporting.
Drove global XSIAM/XDR deployments and tuning for multinational customers, integrating threat intelligence, automation, and advanced analytics across PAN-OS and Prisma Cloud telemetry.
▸ Show responsibilities & achievements
- Designed and operationalized XSIAM/XDR for global environments across North America, Europe, and Asia.
- Integrated Unit 42, STIX/TAXII/MISP feeds, and BIOCs into XSIAM/XDR with XQL-based threat hunting and detections.
- Owned Tier-3 engineering for ingestion, parsers, dataset normalization, and XQL refactoring to stabilize performance and raise signal-to-noise.
- Built SOC and executive dashboards with KPIs and provided deep-dive training and knowledge transfer for customer security teams.
Contributed to a $922M USCENTCOM CITS program, designing Zero Trust, CSOC, SIEM, UAM, and Cross Domain Solution architectures with RMF integration and executive-level roadmaps.
▸ Show responsibilities & achievements
- Authored end-to-end architectures for Zero Trust, CSOC, SIEM, UAM, and CDS aligned to mission outcomes.
- Provided executive-level SME guidance across CITS and other priority DoD engagements, driving posture improvements.
- Partnered with multi-stakeholder teams across classified and coalition environments to align designs with RMF and ATO strategies.
Led SIEM/NDR/NAC/CDS modernization and telemetry engineering for USCENTCOM, building a Kafka-backed data backbone and Zero Trust controls across classified and coalition networks.
▸ Show responsibilities & achievements
- Architected enterprise SIEM/NDR/NAC/CDS solutions with Kafka-based log pipelines, Splunk Cloud, and ArcSight upgrades.
- Deployed ForeScout NAC/Comply-to-Connect achieving ~98% device visibility and continuous compliance enforcement.
- Engineered a ~12TB/day telemetry platform aggregating NetFlow, EDR, firewall, VPN, and identity telemetry with schema governance.
- Operationalized Stealthwatch NDR with full NetFlow enablement and packet-level workflows for beaconing, DGA, and lateral-movement detections.
- Led ATO and cross-domain security operations with Forcepoint High Speed Guard across 12 classified domains and mission systems.
Delivered SIEM engineering for HHS CSIRC across multiple agencies, integrating ArcSight and Splunk ES with multi-source telemetry and training analysts on advanced detection content.
▸ Show responsibilities & achievements
- Led ArcSight and Splunk ES engineering for CDC, FDA, NIH, IHS and other HHS entities.
- Integrated VPN, firewall, IDS/IPS, Varonis, and Carbon Black telemetry into SIEM correlations and dashboards.
- Conducted IOC/hash sweeps and parser/normalization tuning to improve precision and rule hygiene.
- Ran analyst training and updated SOPs/runbooks to streamline incident response workflows.
Built greenfield SOC capabilities and SIEM programs for Fortune 500 clients across QRadar, Splunk, and ArcSight platforms with SLAs, health assessments, and governance dashboards.
▸ Show responsibilities & achievements
- Stood up SOC capabilities including SIEM health/gap assessments, measurable SLAs, and governance audits.
- Integrated SIEM with VPN, firewall, IDS/IPS telemetry and built custom parsers and correlation rules.
- Developed executive dashboards and delivered L1/L2 analyst training to boost operational maturity.
- Supported PCI remediation and regulatory SIEM health assessments.
Led ArcSight SIEM architecture and migration programs for DISA Europe, integrating multi-source telemetry and aligning detections to mission risk and RMF requirements.
▸ Show responsibilities & achievements
- Validated detection efficacy with retrospective IOC/hash correlation, tuning rules to improve accuracy.
- Delivered advanced multi-source correlation across VPN, IAM, NAC, firewall, IDS/IPS, and EDR platforms.
- Managed major ArcSight migrations (v4 to v5) with custom content to detect beaconing, exfiltration, and malware distribution.
- Aligned SIEM reporting and detections to mission risk and RMF, supporting executive briefings and operations.
Deployed and scaled ArcSight SIEM across USCENTCOM AOR, centralizing logs and defining KPIs for high-volume, mission-critical security telemetry.
▸ Show responsibilities & achievements
- Deployed ArcSight ESM, Logger, and Smart Connectors across NIPR/SIPR/Coalition networks in theater.
- Centralized VPN, firewall, IDS/IPS, DNS/DHCP, web, and TACACS logs to STIG-compliant logger appliances.
- Engineered a distributed, no-single-point-of-failure ArcSight architecture with bandwidth-efficient connector placement.
- Defined KPIs for EPS, dropped events, and connector backlog, earning top performance reviews and customer recognition.
Progressed from system and network administration into NOSC/SOC leadership and large-scale DoD network engineering, laying the operational foundation for modern security operations and automation work.
▸ Show consolidated responsibilities & achievements
- Defense Engineering Inc. — Network Operations and Security Center Manager (2009 – 2011)
Led 24×7 NOSC/SOC for DTRA, managing 12 network engineers and 12 cyber analysts. Operated ArcSight SIEM, NMS, firewalls, and IPS; engineered automated repositories for outages and config changes; streamlined response procedures and earned an Outstanding Achievement Award. - 2002 – 2009 — Large-Scale Network Engineering & Operations
Advanced into voice/data switching and long-haul communications integrations across DoD environments. Developed netops dashboards, incident workflows, and monitoring to improve detection, escalation, and service resilience. Active USAF military stationed in Ramstein, Germany. - 1998 – 2002 — Systems & Infrastructure Foundations
Built core skills across Windows infrastructure (Exchange, DHCP, DNS), firewalls, backups, routing, and secure remote access. Delivered Tier-1/2 support, Shell/Batch automation, and infrastructure hardening for small-business environments.
- Community College of the Air Force (CCAF) — Data/Voice Network Systems (Top Honors), Sheppard AFB, TX — 2002–2003
- Community College of the Air Force (CCAF) — Electronics & Communications (Honors), Lackland AFB, TX — 2002–2003
- Certifications (selected): CEH, CND, GCIH, CHFI, Security+, Network+, Linux+, RHCSA, ArcSight ACIA/ACSA, Cribl Certified, Forescout FSCA.