I lead Security Operations with a focus on building resilient detection capabilities, streamlining incident response, and automating repetitive analyst work so teams can focus on what matters: finding and stopping threats.
- Security Operations Leadership: Managing SOC teams, shift coverage, SLA governance, and analyst development
- Detection Engineering: Writing and tuning detection rules (Sigma, KQL, SPL) mapped to MITRE ATT&CK
- Incident Response: Owning IR playbooks from phishing to ransomware; P1 incident commander
- Security Automation: Building Python tools for alert triage, IOC enrichment, and automated reporting
- Compliance & Reporting: NIST CSF, ISO 27001; producing board-level executive summaries and CISO dashboards
| Repository | Description |
|---|---|
| soc-incident-response | IR playbooks, runbooks, and incident report templates, from phishing to ransomware |
| soc-detection-rules | Sigma detection rules and threat hunting queries mapped to MITRE ATT&CK |
| soc-automation | Python scripts for IOC enrichment, automated alert triage, and severity classification |
| soc-compliance-reporting | NIST CSF audit checklists, SOC KPI metrics, weekly/monthly executive report templates |
| soc-threat-intelligence | IOC feeds, actor profiles, TI reports, and MISP integration guides |
| soc-vulnerability-management | Vulnerability workflows, patch SLA tracking, CVSS risk scoring, and remediation processes |
| soc-training-lab | Analyst onboarding, training scenarios, tabletop exercises, and certification roadmap |
"A SOC that can't measure itself, can't improve itself."
I believe in three pillars for effective security operations:
- Detect more, alert less: High-fidelity detections beat alert fatigue every time. Tune ruthlessly.
- Automate the repeatable: Every manual task a machine can do is analyst time freed for real hunting.
- Communicate clearly: A P1 incident handled perfectly but reported poorly loses stakeholder trust. Clear, timely communication is a core SOC skill.
All my SOC repos follow the same principles:
- Version-controlled: Every playbook, rule, and script change is tracked in Git
- CI/CD validated: GitHub Actions check structure, syntax, and links on every push
- Framework-mapped: Detection rules and playbooks are tagged to MITRE ATT&CK tactics
- Tool-agnostic where possible: Sigma rules convert to Splunk SPL, Microsoft KQL, Elastic EQL
- Peer-reviewed: All production changes go through PR review
- GitHub: @reninjk
"Security is not a product, but a process." — Bruce Schneier