🔐 SOC Analyst | Penetration Tester | OT/ICS Security Enthusiast
I began my professional journey as a soil physicist, earning a Ph.D. in Soil Physics and conducting advanced research in soil hydrodynamics, carbon modeling, and geospatial data analysis. Formerly a full-stack developer with 15+ years in secure software engineering, I am now focused on threat detection, incident response, penetration testing, and operational technology (OT) security. Certified in CompTIA Security+ and AWS Cloud Practitioner, actively pursuing OSCP and CySA+.
- 🔍 SOC Operations: SIEM (Splunk, Microsoft Sentinel, ELK), EDR (Carbon Black), phishing analysis, threat hunting
- 🧨 Offensive Security: Penetration testing with Metasploit, Nmap, Burp Suite, Wireshark, Nessus, privilege escalation
- ☁️ Cloud & Infrastructure: AWS IAM, GuardDuty, CloudTrail, Zero Trust, secure network architecture
- 🏭 OT/ICS Security: Modbus/BACnet simulation, Purdue Model, ISA/IEC 62443 alignment
- 🐍 Security Automation: Python (Pandas, NumPy) for log correlation, anomaly detection, Splunk dashboarding
- Hack The Box CPTS (In Progress) – 15+ machines, focus on Linux/Windows privilege escalation
- OSCP Labs – Buffer overflows, web app exploitation, Active Directory attacks
- SIEM Home Lab – Splunk-based SOC simulation with real-time threat detection & NIST 800-61 workflows
- Container & API Hardening – Trivy/Clair scans, OWASP Top 10 testing with Burp Suite/Postman
- ICS Cyber Range – Simulated attacks on industrial protocols (Modbus, BACnet)
- Advanced Active Directory attacks & lateral movement
- Purple teaming & MITRE ATT&CK framework mapping
- YARA, Sigma, and custom detection rules for SIEM
- Kotlin for secure mobile app development
| Tactic | Technique | Application |
|---|---|---|
| Initial Access | T1190 – Exploit Public App | Laravel debug mode → RCE |
| Execution | T1059.006 – Python | Reverse shell via cron |
| Persistence | T1053 – Scheduled Task | at job + encoded payload |
| Privilege Escalation | T1068 – Kernel Exploit | Dirty COW, SUID binary |
| Defense Evasion | T1070.004 – Log Clear | shred, wevtutil cl |
| Lateral Movement | T1021.001 – RDP | Pass-the-Hash + RDP |
| Exfiltration | T1041 – C2 Channel | DNS tunneling, HTTPS POST |
- Master Linux/Windows CLI: `netstat`, `wmic`, `tasklist`
- Complete TJNull's HTB List (50 retired boxes)
- Write one-liner enumeration scripts:
  - `nmap -sC -sV -p- --min-rate 1000 -oA scan <IP>`
  - `gobuster dir -u http://<IP> -w medium.txt -x php,html,txt`
- Open-source SIEM detection content (Splunk, Sigma)
- Penetration testing tools & exploit development
- OT security automation (IaC, Ansible, Python)
- Threat intelligence platforms & automated phishing triage
Twitter (@e_oleghe)
📧 ewan.mails -{at}- gmail -|dot|- com
🔗 LinkedIn | GitHub