Building threat detection capabilities through hands-on lab work and practical implementation
This portfolio demonstrates end-to-end detection engineering capabilities developed over six months of intensive hands-on lab work (September 2025 - March 2026).
I transitioned into cybersecurity with a clear goal: become a Detection Engineer. Rather than passively consuming training content, I built a complete detection engineering workflow from the ground up, starting with endpoint telemetry collection, progressing through SIEM ingestion and alert development, and culminating in SOC-style investigations and MITRE ATT&CK-mapped detection logic.
Timeline:
- September 2025: Started from zero cybersecurity background
- October-December 2025: Earned CompTIA A+, ISC2 CC, and CompTIA Security+ certifications
- November 2025 - March 2026: Built 8+ detection engineering labs spanning multiple platforms and detection languages
- Current: SANS Cyber Academy - Cohort Starting April 2026
Most cybersecurity portfolios consist of isolated CTF writeups or certification study notes. This portfolio demonstrates a coherent detection engineering workflow:
- Endpoint Visibility → Understanding what telemetry sources exist and how to collect them
- SIEM Ingestion → Getting data into detection platforms at scale
- Detection Development → Writing detection logic that identifies malicious behavior
- MITRE ATT&CK Mapping → Translating threat intelligence into actionable detections
- SOC Operations → Triaging alerts and distinguishing true positives from false positives
- Detection Tuning → Improving signal-to-noise ratio through threshold adjustment and context-based validation
Each project builds on the previous one, demonstrating systematic skill progression rather than random lab exercises.
- Develop detection logic across multiple query languages (Python, SPL, KQL, Sigma)
- Map detections to MITRE ATT&CK framework techniques and tactics
- Tune detection thresholds to optimize signal-to-noise ratio
- Build automated alert rules with configurable severity and response actions
- Correlate events across multiple data sources for high-fidelity detections
- Ingest endpoint telemetry into cloud SIEM platforms (Splunk Cloud, Microsoft Sentinel)
- Configure data connectors and HTTP Event Collectors (HEC)
- Build security dashboards and workbooks for real-time monitoring
- Write complex queries for log analysis and threat hunting
- Create scheduled analytics rules with automated incident generation
- Conduct SOC-style alert triage and investigation
- Perform false positive analysis and detection refinement
- Document investigation findings in structured incident reports
- Apply context-based validation (parent process, user context, host role)
- Communicate technical findings using standardized frameworks
- Deploy and configure Sysmon for enhanced process visibility
- Enable Windows Security auditing (Event ID 4688, command-line logging)
- Analyze process creation logs for suspicious execution patterns
- Correlate process execution with network activity (DNS, HTTP)
- Understand telemetry gaps and data source limitations
Foundation lab demonstrating endpoint logging configuration and SIEM ingestion
- Installed and configured Sysmon for enhanced process visibility
- Enabled Windows Security Event ID 4688 with command-line logging
- Ingested process creation telemetry into Splunk Enterprise
- Documented real-world troubleshooting (service hangs, PID locks, Event Viewer issues)
Skills: Sysmon deployment, Windows auditing, Splunk ingestion, PowerShell verification
Extended telemetry lab with cloud SIEM and SOC-style investigation
- Ingested Sysmon and Event ID 4688 logs into Splunk Cloud via HTTP Event Collector (HEC)
- Conducted SOC-style alert triage and investigation
- Performed false positive analysis and documented findings
- Built SPL queries for detection and analysis
Skills: Splunk Cloud, HEC configuration, SOC operations, alert investigation, SPL query development
Multi-source event correlation for behavioral detection
- Correlated Windows process execution with DNS and network activity
- Analyzed temporal relationships between Sysmon Event ID 1 and DNS Client logs
- Demonstrated how single events produce low confidence but correlation improves signal quality
- Mapped correlated behavior to MITRE ATT&CK techniques (T1059.001, T1071.001, T1071.004)
Skills: Event correlation, behavioral analysis, multi-source detection, investigative reasoning
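An added illustration (not code from the portfolio's labs) of why the correlation lab rates a lone event lower than a correlated pair: encoded PowerShell launches are joined to DNS Client queries from the same host and process ID inside a short window, and the confidence and ATT&CK mapping change with the result. Field names follow Sysmon Event ID 1 and the DNS Client operational log; the sample records, the allowlist and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Sysmon Event ID 1 process-creation
# records and DNS Client operational-log query records as a SIEM holds them after
# field extraction. Field names mirror Sysmon/Windows; the values are invented.
SYSMON_1 = [
    {"Computer": "WS01", "ProcessId": 4120, "UtcTime": "2026-02-01 09:00:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Computer": "WS02", "ProcessId": 5500, "UtcTime": "2026-02-01 09:10:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -enc RwBlAHQA"},
]
DNS_CLIENT = [  # assumed shape: one record per completed query, with the PID
    {"Computer": "WS01", "ProcessId": 4120, "TimeCreated": "2026-02-01 09:00:07",
     "QueryName": "update.example-c2.test"},
    {"Computer": "WS01", "ProcessId": 4120, "TimeCreated": "2026-02-01 09:00:08",
     "QueryName": "login.microsoftonline.com"},
]
ALLOWLIST = {"login.microsoftonline.com", "windowsupdate.com"}  # assumed known-good
ENCODED_FLAGS = ("-enc", "-e ")  # "-enc" also matches "-encodedcommand"

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_encoded_powershell(ev):
    cl = ev["CommandLine"].lower()
    return ev["Image"].lower().endswith("powershell.exe") and any(f in cl for f in ENCODED_FLAGS)

def correlate(procs, dns, window=timedelta(seconds=60)):
    """Join each encoded-PowerShell launch to DNS queries from the same host and PID
    inside `window`. On its own the launch is low confidence (admin scripts use
    -enc too); a follow-on query to a domain outside the allowlist raises it to high
    and adds the DNS channel technique to the mapping."""
    findings = []
    for p in procs:
        if not is_encoded_powershell(p):
            continue
        start = _t(p["UtcTime"])
        queries = sorted(
            d["QueryName"] for d in dns
            if d["Computer"] == p["Computer"] and d["ProcessId"] == p["ProcessId"]
            and start <= _t(d["TimeCreated"]) <= start + window)
        suspicious = [q for q in queries if q not in ALLOWLIST]
        techniques = ["T1059.001"] + (["T1071.004"] if suspicious else [])
        findings.append({"host": p["Computer"], "pid": p["ProcessId"],
                         "parent": p["ParentImage"].rsplit("\\", 1)[-1],
                         "confidence": "high" if suspicious else "low",
                         "domains": suspicious, "techniques": techniques})
    return findings
```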
Analyst-focused lab demonstrating threat-informed detection
- Analyzed encoded PowerShell execution and mapped to T1059.001
- Created Sigma detection rule for platform-agnostic detection logic
- Documented analyst reasoning for why technique mapping applies
- Demonstrated context-based validation (parent process, user context, host role)
Skills: MITRE ATT&CK framework, Sigma rule writing, detection reasoning, encoded PowerShell analysis
Foundation project for cloud identity threat detection
- Analyzed Azure AD sign-in logs for authentication anomalies
- Built detection logic for brute force and credential stuffing attacks
- Extended into Python and KQL detection labs (see sub-projects below)
Skills: Azure AD log analysis, authentication monitoring, cloud identity security
Automated detection pipeline using Python
- Built 4-script detection workflow: simulate → parse → detect → report
- Simulated brute force attacks against Azure AD accounts
- Implemented configurable alert thresholds for false positive reduction
- Generated automated incident reports with recommended actions
Skills: Python scripting, detection automation, threshold tuning, incident reporting
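The simulate → parse → detect → report pipeline as an added Python example (not the portfolio's own scripts): constructed sign-in records in the Azure AD sign-in log shape stand in for the simulate step, a threshold-based detector with a sliding window controls false positives, and a report step attaches recommended actions. The field names, threshold, window and actions are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records in the shape of Azure AD / Entra ID sign-in logs
# (userPrincipalName, ipAddress, createdDateTime, status.errorCode). Values are
# invented; errorCode 0 is success, 50126 is invalid username or password.
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.5",
     "createdDateTime": f"2026-01-10T08:00:{s:02d}Z", "status": {"errorCode": 50126}}
    for s in range(12)
] + [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.5",
     "createdDateTime": "2026-01-10T08:00:30Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.9",
     "createdDateTime": "2026-01-10T08:05:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.9",
     "createdDateTime": "2026-01-10T08:05:20Z", "status": {"errorCode": 0}},
]

def parse(record):
    """Normalise one raw record to the fields the detector needs."""
    return {"user": record["userPrincipalName"], "ip": record["ipAddress"],
            "ts": datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": record["status"]["errorCode"] == 0}

def detect(records, threshold=10, window=timedelta(minutes=5)):
    """Flag (user, ip) pairs with >= threshold failures inside a sliding window.
    The threshold is the false-positive control: a mistyped password never trips
    it. A success after the burst raises severity to high, since that is what a
    guessed or stuffed credential looks like in the log."""
    by_key = defaultdict(list)
    for e in sorted((parse(r) for r in records), key=lambda e: e["ts"]):
        by_key[(e["user"], e["ip"])].append(e)
    findings = []
    for (user, ip), evs in by_key.items():
        fails = [e["ts"] for e in evs if not e["ok"]]
        for i, t0 in enumerate(fails):
            n = sum(1 for t in fails[i:] if t - t0 <= window)  # failures in window
            if n >= threshold:
                later_ok = any(e["ok"] and e["ts"] >= t0 for e in evs)
                findings.append({"user": user, "ip": ip, "failures": n,
                                 "severity": "high" if later_ok else "medium"})
                break  # one finding per (user, ip) is enough for the report
    return findings

def report(findings):
    """Render findings as incident lines with an assumed recommended action."""
    action = {"high": "reset password, revoke sessions, block source IP",
              "medium": "block source IP, confirm MFA enforced"}
    return [f"[{x['severity'].upper()}] {x['user']} from {x['ip']}: "
            f"{x['failures']} failures -> {action[x['severity']]}" for x in findings]
```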
Cloud-native SIEM with automated detection rules
- Deployed Microsoft Sentinel and connected Entra ID Audit Logs
- Wrote KQL queries for identity change detection and privilege escalation
- Built automated analytics rule mapped to MITRE ATT&CK Privilege Escalation tactic
- Created security workbook with real-time dashboards for alerts and incidents
- Simulated privilege escalation by assigning Global Reader role
Skills: Microsoft Sentinel, KQL query language, automated alert rules, MITRE ATT&CK mapping, workbook creation
Enterprise identity infrastructure deployment and administration
- Deployed hybrid Active Directory environment in Microsoft Azure
- Configured domain controller (Windows Server 2022) and domain workstation (Windows 10 Enterprise)
- Performed identity administration: user provisioning via PowerShell, security group assignment, delegated administration
- Implemented Group Policy for password policies and logon scripts
- Validated authentication, authorization, and role-based access control
- Foundation for future identity-based threat detection scenarios
Skills: Active Directory, Azure infrastructure, identity management, Group Policy, PowerShell automation, delegated administration
- Splunk: Splunk Cloud, Splunk Enterprise, HTTP Event Collector (HEC), SPL query language
- Microsoft Sentinel: Workspace deployment, data connectors, analytics rules, workbooks, KQL
- Azure/Entra ID: Audit logs, sign-in logs, identity monitoring
- Python: Log parsing, anomaly detection, automated reporting, threshold-based alerting
- SPL (Splunk Processing Language): Search queries, statistical analysis, correlation searches
- KQL (Kusto Query Language): Detection queries, summarization, time-series analysis
- Sigma: Platform-agnostic detection rule format, YAML-based rule writing
- Sysmon: Installation, configuration, Event ID 1 (process creation), Event ID 3 (network connections)
- Windows Security Logs: Event ID 4688 (process creation), command-line auditing, auditpol configuration
- DNS Client Logs: DNS query analysis, process-network correlation
- Event Viewer: Log analysis, custom views, PowerShell log queries
- MITRE ATT&CK: Technique mapping (T1059.001, T1071.001, T1071.004, Privilege Escalation tactics)
- Detection Engineering: Threat-informed detection, behavioral analytics, multi-source correlation
- SOC Operations: Alert triage, incident investigation, false positive analysis, detection tuning
- Microsoft Azure: Virtual networks, resource groups, VM deployment, hybrid environments
- Active Directory: Domain controllers, organizational units, Group Policy, delegated administration
- PowerShell: Automation, log analysis, system administration
- Version Control: Git, GitHub, commit workflows, repository documentation
- Scripting: Python 3.x, PowerShell, Bash
- Troubleshooting: Service debugging, log correlation, root cause analysis
| Certification | Date | Focus Area |
|---|---|---|
| CompTIA A+ | October-November 2025 | Hardware, networking, operating systems, security fundamentals |
| ISC2 Certified in Cybersecurity (CC) | December 2025 | Security principles, governance, risk management |
| CompTIA Security+ | December 2025 | Threats, attacks, vulnerabilities, security architecture |
SANS Cyber Academy: cohort starting April 2026
- SEC275: Foundations (GFACT)
- SEC401: Security Essentials (GSEC)
- SEC504: Hacker Tools, Techniques & Incident Handling (GCIH)
Focus areas:
- Mitigate threats using Microsoft Sentinel
- Mitigate threats using Microsoft Defender
- Query, visualize, and monitor data in Microsoft Sentinel
- Configure and manage automation in Microsoft Sentinel
- TryHackMe Advent of Cyber (December 2025 - January 2026)
- Ongoing security research and tool evaluation
- September 2025: Started from zero cybersecurity background
- October 2025: CompTIA A+ Core 1
- November 11, 2025: CompTIA A+ Core 2
- December 5, 2025: ISC2 CC
- December 19, 2025: CompTIA Security+
- November 2025 - March 2026: Built 8 detection engineering labs
- March 2026 - Current: SANS Cyber Academy, cohort starting April 2026
What This Demonstrates:
Exceptional learning velocity, self-direction, and the ability to rapidly acquire new technical skills: critical traits for detection engineering roles where threats and technologies evolve constantly.
I'm actively seeking Detection Engineer, Security Engineer, or SOC Analyst roles where I can apply and expand these skills in a production environment.
- LinkedIn: linkedin.com/in/tresean-tuggle-b36811138
- GitHub: @tdt1114
- Email: tresean.tuggle@gmail.com
I'm seeking opportunities to:
- Build and tune detections in production environments
- Work with experienced detection engineers and threat intelligence teams
- Gain hands-on experience with enterprise-scale SIEM deployments
- Contribute to SOC operations and incident response workflows
- Continue learning emerging detection techniques and threat actor TTPs
Open to: Full-time Detection Engineer, Security Engineer, or SOC Analyst II roles
Location: Remote or opportunities near Charlotte, NC
Current Status: Actively interviewing
```
detection-engineering-portfolio/
├── README.md                  # This file - portfolio overview
└── certifications/
    ├── README.md              # Certification overview and study resources
    ├── comptia-a-plus.md      # CompTIA A+ study guide
    ├── isc2-cc.md             # ISC2 CC study guide
    ├── security-plus.md       # CompTIA Security+ study guide
    └── sans-cyber-academy.md  # (in progress)
```
This portfolio represents 6 months of intensive self-directed learning. Special thanks to the cybersecurity community for open-source tools, documentation, and guidance that made this possible.
Built with: Splunk, Microsoft Sentinel, Azure, Python, Sysmon, MITRE ATT&CK
Inspired by: Real-world SOC operations and detection engineering workflows
Purpose: Demonstrate practical detection engineering capabilities to future employers
Last updated: March 2026