About

Mohamed Atef


About Me

I’m a Senior Cyber Defense Engineer specializing in Digital Forensics, Incident Response, Threat Hunting, Cyber Threat Intelligence (CTI), and SOC Operations.

I focus on integrating and automating detection and response workflows using tools like TIP, SOAR, SIEM, EDR, Mail Security Gateways, and Python, enabling efficient threat detection, investigation, and mitigation across SOC environments.

My experience includes evaluating and deploying security solutions—EDR, TIP, ASM, DRP, and Dark Web Monitoring—and ensuring they’re effectively embedded into the SOC ecosystem. I’m skilled in conducting endpoint investigations, building detection use cases, and refining SOC processes for optimal performance.

I hold certifications in Threat Hunting and Windows Forensics, and I’ve led CTI initiatives including CTI-SOP development and platform integration to boost threat detection and response efficiency.



🛡️ Experience

Senior Cyber Defense Engineer – DFIR Unit

April 2025 – Present

  • Lead digital forensics and incident response (DFIR) investigations using Velociraptor and XDR, focusing on endpoint triage and memory analysis to identify root causes and assess incident impact.
  • Execute threat hunting operations leveraging EDR and SIEM telemetry, mapped to MITRE ATT&CK techniques for proactive detection.
  • Design and maintain a Cyber Threat Intelligence (CTI) workflow using MISP, N8n, and Python scripts to automate IOC ingestion, enrichment, and correlation with internal datasets.
  • Support the development and enforcement of CTI Standard Operating Procedures (SOPs), enabling structured threat analysis and intelligence lifecycle management.
  • Analyze adversary Tactics, Techniques, and Procedures (TTPs) to enhance detection and accelerate response strategies.
  • Automate and integrate threat intelligence, threat hunting, and incident response processes via cross-platform scripting and TIP/SIEM integrations to maximize visibility and efficiency.

Senior Cyber Defense Engineer – SOC Unit

August 2024 – March 2025

  • Administered and fine-tuned key SOC technologies including SIEM, SOAR, EDR, and NDR, ensuring comprehensive threat monitoring and rapid incident response.
  • Integrated and automated security workflows across platforms to drive SOC efficiency and scalability.
  • Managed high-priority cases related to Digital Risk Protection (DRP), Attack Surface Management (ASM), and Threat Intelligence Platforms (TIP), ensuring timely and strategic remediation.
  • Authored detailed Incident Response (IR) reports for executive management, aligning cybersecurity posture with business goals.
  • Partnered with the GRC team on PCI DSS log simulation, and supported governance, risk, and compliance initiatives relevant to SOC operations.
  • Strengthened detection and response capabilities through continuous SOC process improvement and playbook development.
  • Implemented automation initiatives that reduced Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
  • Evaluated and contributed to Proof of Concept (PoC) efforts for various security solutions (EDR, Mail Gateway, TIP, ASM, Dark Web Monitoring, DRP, and SOAR).
  • Built and executed a Threat Detection Program using Detection-as-Code (DaC) with test-driven detection engineering.
  • Developed and operationalized a Cyber Threat Intelligence Program using MISP, TIP, and OSINT, delivering timely and actionable insights.
  • Conducted MITRE ATT&CK assessments for both technology stack and detection content, and generated MITRE heat maps to inform strategic decisions.

Cyber Defense Engineer

December 2023 – July 2024

  • Administered and managed SOAR platform (TheHive) to coordinate and streamline incident response activities.
  • Automated key SOC workflows to boost operational efficiency and reduce analyst fatigue.
  • Conducted Endpoint Detection and Response (EDR) assessments to evaluate effectiveness and identify coverage gaps.
  • Provided advanced support to the SOC team during complex and high-impact security incidents.
  • Collaborated with the GRC team on compliance and governance-related SOC initiatives.
  • Performed SIEM administration, ensuring optimal performance, rule tuning, and log source integration.

Senior SOC Analyst

November 2023 – August 2024

  • Played a key role in establishing the first SOC team for Egypt’s first digital bank, Misr Digital Innovation (MDI).
  • Led the implementation of the SOAR solution (TheHive) to automate and orchestrate security operations.
  • Worked closely with GRC and IT operations teams to deploy and configure the SIEM, developing tailored use cases, detection rules, and automated playbooks aligned with MDI’s business operations.
  • Designed and enhanced threat detection, monitoring, and incident response capabilities to meet the evolving threat landscape.
  • Conducted audits on L1 analysts, identifying team/process gaps and implementing quality assurance improvements.
  • Mentored L1 analysts, provided training recommendations, and supported their professional development.
  • Assisted in the administration and optimization of SIEM and SOAR platforms, ensuring reliable and scalable SOC operations.
  • Monitored global cybersecurity trends, IOCs, and daily threat feeds via Threat Intelligence Platforms (TIPs) to support proactive defense strategies.

Senior SOC and Incident Response Engineer

September 2022 – November 2023

  • Strengthened threat detection, monitoring, and response capabilities through continuous purple team engagements.
  • Designed automation workflows to streamline threat investigation and analysis processes.
  • Integrated various SOC technologies with the SIEM platform to centralize and enhance detection capabilities.
  • Led the implementation and optimization of SOAR platform (TheHive) for effective incident response.
  • Developed comprehensive SOC processes, including tailored use cases and playbooks to align with operational needs.
  • Conducted deep-dive investigations into escalated security incidents from L1 analysts, identifying root cause and containment strategies.
  • Monitored Dark Web platforms to identify potential data breaches or compromised business credentials, initiating appropriate takedown or remediation efforts.
  • Executed threat hunting activities using known adversary TTPs aligned with the MITRE ATT&CK framework.
  • Investigated IOCs shared by Central Bank of Egypt (CBE) and Threat Intelligence Platforms (TIPs) to detect relevant threats within the environment.
  • Established and continuously refined SOC operational processes, ensuring alignment with best practices and efficiency goals.
  • Audited and mentored L1 analysts, identifying knowledge gaps and recommending training paths to enhance team capabilities.
  • Authored detailed incident response reports for major cases, providing insights and mitigation recommendations.
  • Collaborated with the GRC team on PCI log simulation and other compliance-aligned SOC responsibilities.

SOC Analyst

December 2021 – September 2022

  • Provided 24x7 security monitoring by analyzing alerts generated from multiple security technologies.
  • Validated alerts, filtered out false positives, and escalated legitimate threats for appropriate incident handling.
  • Monitored cyber threat intelligence feeds, proactively identifying and flagging new and emerging threats.
  • Recommended improvements to detection rules and controls to reduce noise and enhance signal fidelity.
  • Produced regular SOC performance reports, covering detection metrics, incident trends, and resolution stats.
  • Conducted threat hunting activities across critical systems and log sources to uncover hidden threats or misconfigurations.
  • Responded to alerts and IOCs distributed by EG-FinCert and the Central Bank of Egypt (CBE), ensuring prompt action and investigation.
  • Managed brand protection alerts, executing takedowns of impersonating social media profiles, websites, and mobile apps flagged by threat intelligence tools.

🧾 Certificates

  • eCTHPv2 – Certified Threat Hunting Professional
    eLearnSecurity / INE

  • Threat Intelligence Analyst
    Group-IB

  • Windows Forensics Certification
    Belkasoft


🎓 Training

  • Threat Detection Engineering – TCM Security
  • Practical Malware Analysis & Triage – TCM Security
  • Incident Handler Path – Cybrary
  • Practical Windows Forensics – TCM Security
  • Foundations of Operationalizing MITRE ATT&CK – AttackIQ Academy
  • Maturing Threat-Informed Defense with M3TID – AttackIQ Academy
  • SOC Analyst Level 2 – Cybrary
  • SOC Analyst Level 1 & 2 – TryHackMe
  • Security Engineer – TryHackMe
  • Foundations of Cyber Threat Intelligence – AttackIQ Academy
  • N8N Workflow Automation (Levels 1 & 2)
  • SIEM Alert Rule Development Fundamentals – Purple Academy by Picus
  • AWS Cloud Practitioner (CLF-C02) – KodeKloud
  • Microsoft Azure Fundamentals (AZ-900) – KodeKloud
  • PCAP: Python Programming Essentials – KodeKloud
  • CCNA / CCNA Security & CyberOps Associate – Cisco Networking Academy

🛠️ Hands-on Experience

  • SIEM: QRadar, Splunk, ELK
  • SOAR: TheHive, IBM Resilient
  • EDR/XDR: Trellix, Fidelis, Group-IB
  • NDR/XDR: IBM QNI, Group-IB
  • Workflow Automation: N8N, Shuffle
  • Programming: Python
  • Threat Intelligence Platforms (TIP): GIB, Threat-Q, Dark Atlas, Criminal IP, CTM360, SOC Radar, Google Threat Intelligence
  • Dark Web Monitoring: GIB, Dark Atlas, CTM360, SOC Radar, Google Threat Intelligence
  • Attack Surface Management (ASM): GIB, Dark Atlas, Cynerv, Criminal IP, Tenable, CTM360, SOC Radar, Google Threat Intelligence
  • Digital Risk Protection (DRP): GIB, Dark Atlas, CTM360, SOC Radar, Google Threat Intelligence
  • Command & Control (C2) Frameworks: Covenant, Havoc
  • Adversary Emulation: Caldera
  • Middleware / API Integrations
  • MITRE ATT&CK Gap Assessments: Technology and Detection Use Cases
  • Velociraptor (Endpoint & Memory Forensics)
  • MISP (Threat Intelligence Sharing and Automation)

🏆 Key Projects

  1. TheHive: Open Source SOAR
    Developed and maintained TheHive, a SOAR platform for incident response, threat hunting, and automated alert processing. Integrated with Cortex, MISP, QRadar, TIP, Digital Risk Protection, email, MS Teams, N8n, and Shuffle to streamline workflows and enhance response times.

  2. MISP (Malware Information Sharing Platform)
    Implemented MISP to share and correlate Indicators of Compromise (IoCs). Automated IOC ingestion and enrichment, improving threat analysis and situational awareness. Integrated MISP with SIEM and TIP systems to enhance detection and response capabilities.

  3. Product Assessment
    • Conducted EDR assessments to evaluate threat detection, incident response, forensic analysis, and integration with other security tools.
    • Assessed Threat Intelligence Platforms, Dark Web Monitoring, Digital Risk Protection, and Attack Surface Management solutions for effectiveness and integration.

  4. Attack Simulation
    Utilized Caldera for automated adversary emulation, performing real-world attack simulations to evaluate and strengthen security posture.

  5. Custom Middleware for SIEM Integration
    Developed a custom middleware solution to integrate log data from APIs into SIEM systems, enhancing data centralization and analysis.

  6. Card Data Discovery Validator
    Built a Python tool for validating and ensuring proper handling and masking of card data in compliance with security standards.

Nothing Is Better Than A Quiet Night, Cup Of Coffee & Dark Mode IDE