IT Operations and Security Analysis
ATT&CK-aligned detection validation and telemetry analysis across endpoint and network data.
Analysis environment using Suricata IDS, Sysmon endpoint telemetry, and Splunk investigation workflows.
16 ATT&CK technique investigations documented as structured detection case studies.
View Detection Case Studies
Core Capabilities
Detection Validation
- ATT&CK technique testing and telemetry validation
- Telemetry testing against controlled execution
- Gap identification across rule sets and data sources
Telemetry & Visibility
- Network traffic analysis (Suricata IDS)
- Endpoint logging and enrichment (Sysmon)
- Cross-source telemetry correlation
Alert Reliability
- Detection fidelity evaluation across data sources
- False positive and false negative analysis
- Alert behaviour evaluation and tuning
Operational Environment
- Data Sources: Suricata IDS gateway traffic + Sysmon endpoint telemetry
- Topology: Segmented network with isolated test targets
- Aggregation: Centralised Splunk ingestion and searchable log retention
- Validation Model: Controlled technique execution mapped to expected telemetry
- Adversary Simulation: Isolated targets with no external exposure
Evidence & Methodology
Measured Detection Coverage
Technique execution generates observable telemetry that is analysed directly in Splunk Enterprise to validate detection behaviour.
Systematic Gap Identification
Blind spots and alert quality issues are recorded per data source and technique, with constraints documented alongside results.
Structured Technique Testing
All tests follow a consistent execution-to-review workflow, producing comparable results across techniques and detection layers.
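The gap-identification step described above can be made mechanical once each technique has an expected-telemetry map per data source. The following is an added illustration, not code from this page or its author: it takes a constructed expectation map (which Sysmon or Suricata fields a controlled execution should produce for a given ATT&CK technique) and a constructed set of observed events, as they might be exported from Splunk after a run, and records per technique and per source whether the expected telemetry appeared. The technique IDs are real ATT&CK identifiers; the field values, signature names and sample events are assumptions made for the example.

```python
"""Per-technique, per-source gap identification for detection validation.

Added example, not the page's own tooling. Expected telemetry and observed
events below are constructed for illustration.
"""

# Constructed expectations: which telemetry each source should emit per technique.
# A value starting with "*" is a case-insensitive suffix match (useful for full
# executable paths); every other value must match exactly (case-insensitive).
EXPECTED_TELEMETRY = {
    "T1059.001": {  # Command and Scripting Interpreter: PowerShell
        "sysmon": {"EventID": "1", "Image": "*\\powershell.exe"},
        "suricata": {"event_type": "alert",
                     "signature": "CONSTRUCTED POLICY PowerShell download"},
    },
    "T1046": {  # Network Service Discovery
        "sysmon": {"EventID": "3", "Image": "*\\nmap.exe"},
        "suricata": {"event_type": "alert", "signature": "CONSTRUCTED SCAN Nmap"},
    },
}

# Constructed observed events, shaped like a flat export of a Splunk search.
OBSERVED_EVENTS = [
    {"source": "sysmon", "host": "target-01", "EventID": "1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"source": "sysmon", "host": "target-01", "EventID": "3",
     "Image": "C:\\Tools\\nmap.exe", "DestinationPort": "445"},
    {"source": "suricata", "host": "gateway", "event_type": "alert",
     "signature": "CONSTRUCTED SCAN Nmap"},
    {"source": "suricata", "host": "gateway", "event_type": "flow"},
]


def field_matches(expected: str, actual) -> bool:
    """Compare one expected field value against an observed one."""
    actual = str(actual).lower()
    expected = expected.lower()
    if expected.startswith("*"):
        return actual.endswith(expected[1:])
    return actual == expected


def event_matches(event: dict, criteria: dict) -> bool:
    """An event satisfies the criteria only if every expected field is present and matches."""
    return all(k in event and field_matches(v, event[k]) for k, v in criteria.items())


def coverage(expected=EXPECTED_TELEMETRY, events=OBSERVED_EVENTS) -> dict:
    """Return {technique: {source: bool}}, True where the expected telemetry was observed."""
    result = {}
    for technique, per_source in expected.items():
        result[technique] = {}
        for source, criteria in per_source.items():
            hits = [e for e in events
                    if e.get("source") == source and event_matches(e, criteria)]
            result[technique][source] = bool(hits)
    return result


def gaps(cov: dict) -> list:
    """List (technique, source) pairs where no expected telemetry was seen."""
    return sorted((t, s) for t, per in cov.items() for s, seen in per.items() if not seen)


def report(cov: dict) -> str:
    """Render the coverage table in the execution-to-review order used for case studies."""
    lines = []
    for technique, per_source in sorted(cov.items()):
        for source, seen in sorted(per_source.items()):
            lines.append(f"{technique:<10} {source:<9} {'observed' if seen else 'GAP'}")
    return "\n".join(lines)


if __name__ == "__main__":
    cov = coverage()
    print(report(cov))
    print("gaps:", gaps(cov))
```

With the constructed input, the PowerShell execution is visible in Sysmon process creation but produces no gateway alert, so the report records a Suricata gap for T1059.001; the scan is seen by both sources. Recording the result per source rather than per technique is what lets the constraint behind a gap (no traffic crossing the gateway, a rule set that lacks the signature) be documented next to it.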
Detailed case studies documenting execution steps, telemetry output, detection behaviour, and identified gaps.
View Detection Case Studies