Generate MITRE ATT&CK Navigator layers for coverage visualization, threat actor mapping, and gap analysis. Produces JSON files compatible with the Navigator web app.
Create grouped detection narratives that tie individual rules into coherent threat stories. Covers Splunk Analytic Stories, Elastic detection rule groups, and Sentinel analytics grouping.
Execute and validate adversary emulation tests using Atomic Red Team. Covers standard atomics, custom atomics (T9999.XXX), deployment workflows, and detection validation.
Build and manage adversary emulation lab environments for any SIEM. Covers Splunk Attack Range, Elastic Security labs, Azure Sentinel labs, and Docker-based setups. Maps data source requirements to infrastructure components.
Expert CTI analyst specializing in detection engineering, MITRE ATT&CK mapping, behavioral analysis, and intelligence-driven detection creation. SIEM-agnostic methodology that works with Splunk SPL, KQL, Sigma, and Elastic. Use when analyzing threat reports, creating detections, mapping MITRE techniques, or developing behavioral analytics.
Create, deploy, and execute custom Atomic Red Team tests (T9999.XXX series) for detection validation. Covers YAML authoring, Ansible deployment, and manual alternatives.
Map MITRE ATT&CK techniques to required data sources across Windows, Linux, cloud, network, and EDR telemetry. Includes CIM, ECS, Sigma, and KQL (Sentinel) field mapping comparisons.
Expert detection quality assurance reviewer. Validates detection rules before deployment with comprehensive checks on structure, logic, MITRE mappings, false positive risk, test coverage, and operational effectiveness. Works with SPL, KQL, Sigma, and Elastic formats. Use when reviewing detections or performing QA checks.