Timothy Corrado (Timmy)
SaaS Security Operations • Cloud SOC • Identity-First Defense • SIEM Triage • Security Automation • Security+
Open to SaaS Security (SOC / Security Ops / Cloud Security) roles

Security+ certified cybersecurity analyst focused on SaaS security operations: identity-driven investigations, SIEM triage, and automation that produces clean, repeatable security artifacts. Hands-on labs across Windows/Sysmon telemetry, network segmentation, and identity attack surface analysis. Strong documentation habits and customer-safe communication for incident timelines and remediation guidance.

SaaS Incident Triage • Identity & Access Risk • SIEM Workflows • Detection Logic • GitHub Actions (CI) • Python Automation • Least Privilege • Azure Fundamentals (AZ-900)

Featured Work (SaaS Security Ops)
Identity Attack Surface Analysis
Identity / Cloud
Built automation to enumerate identity exposure and simulate adversarial reconnaissance — relevant to SaaS identity compromise scenarios.
  • Enumerates identity signals (accounts, aliases, exposure vectors) and outputs structured findings.
  • Documents risks and remediation steps suitable for internal tickets and customer-facing notes.
  • Supports identity-first investigations (credential exposure, account takeover pathways).
Identity • Recon • Reporting • Python

Mini SOC Detection Lab (Auth Anomalies)
SIEM / Detection
Built SOC-style triage workflows using Windows/Sysmon telemetry to investigate authentication and host activity patterns.
  • Analyzed Windows Event IDs (4624/4625) and Sysmon signals to identify suspicious auth behavior.
  • Mapped detections to MITRE ATT&CK and produced repeatable investigation write-ups.
  • Designed output for escalation-ready handoffs (what happened, evidence, next actions).
Wazuh • Sysmon • Triage • MITRE

Security Automation Pipeline (Daily SOC Runs)
Automation / DevSecOps
Implemented CI-driven daily security runs that generate SOC-style artifacts (useful for SaaS environments where repeatability matters).
  • GitHub Actions workflow produces daily validation reports and structured logs.
  • Includes lightweight secret-scanning patterns and automated checks.
  • Demonstrates operational ownership and reliable security documentation.
GitHub Actions • CI Security • Reports • Automation

pfSense Firewall & Segmentation Lab
Network Controls
Built least-privilege network enforcement and segmentation — aligned with SaaS production principles (restrict, monitor, validate).
  • Removed default permissive rules; created explicit allow rules and validated enforcement via logs.
  • Segmented zones and verified blocked lateral movement paths.
  • Produced repeatable test cases for allow/deny validation.
pfSense • Least Privilege • Segmentation • Logging