Mohamed Atef
About Me
I’m a Senior Cyber Defense Engineer specializing in Digital Forensics, Incident Response, Threat Hunting, Cyber Threat Intelligence (CTI), and SOC Operations.
I focus on integrating and automating detection and response workflows using tools like TIP, SOAR, SIEM, EDR, Mail Security Gateways, and Python, enabling efficient threat detection, investigation, and mitigation across SOC environments.
My experience includes evaluating and deploying security solutions—EDR, TIP, ASM, DRP, and Dark Web Monitoring—and ensuring they’re effectively embedded into the SOC ecosystem. I’m skilled in conducting endpoint investigations, building detection use cases, and refining SOC processes for optimal performance.
I hold certifications in Threat Hunting and Windows Forensics, and I’ve led CTI initiatives including CTI-SOP development and platform integration to boost threat detection and response efficiency.
🛡️ Experience
Senior Cyber Defense Engineer – DFIR Unit
April 2025 – Present
- Lead digital forensics and incident response (DFIR) investigations using Velociraptor and XDR, focusing on endpoint triage and memory analysis to identify root causes and assess incident impact.
- Execute threat hunting operations leveraging EDR and SIEM telemetry, mapped to MITRE ATT&CK techniques for proactive detection.
- Design and maintain a Cyber Threat Intelligence (CTI) workflow using MISP, N8n, and Python scripts to automate IOC ingestion, enrichment, and correlation with internal datasets.
- Support the development and enforcement of CTI Standard Operating Procedures (SOPs), enabling structured threat analysis and intelligence lifecycle management.
- Analyze adversary Tactics, Techniques, and Procedures (TTPs) to enhance detection and accelerate response strategies.
- Automate and integrate threat intelligence, threat hunting, and incident response processes via cross-platform scripting and TIP/SIEM integrations to maximize visibility and efficiency.
Senior Cyber Defense Engineer – SOC Unit
August 2024 – March 2025
- Administered and fine-tuned key SOC technologies including SIEM, SOAR, EDR, and NDR, ensuring comprehensive threat monitoring and rapid incident response.
- Integrated and automated security workflows across platforms to drive SOC efficiency and scalability.
- Managed high-priority cases related to Digital Risk Protection (DRP), Attack Surface Management (ASM), and Threat Intelligence Platforms (TIP), ensuring timely and strategic remediation.
- Authored detailed Incident Response (IR) reports for executive management, aligning cybersecurity posture with business goals.
- Partnered with the GRC team on PCI DSS log simulation, and supported governance, risk, and compliance initiatives relevant to SOC operations.
- Strengthened detection and response capabilities through continuous SOC process improvement and playbook development.
- Implemented automation initiatives that reduced Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
- Evaluated and contributed to Proof of Concept (PoC) efforts for various security solutions (EDR, Mail Gateway, TIP, ASM, Dark Web Monitoring, DRP, and SOAR).
- Built and executed a Threat Detection Program using Detection-as-Code (DaC) with test-driven detection engineering.
- Developed and operationalized a Cyber Threat Intelligence Program using MISP, TIP, and OSINT, delivering timely and actionable insights.
- Conducted MITRE ATT&CK assessments for both technology stack and detection content, and generated MITRE heat maps to inform strategic decisions.
Cyber Defense Engineer
December 2023 – July 2024
- Administered and managed the SOAR platform (TheHive) to coordinate and streamline incident response activities.
- Automated key SOC workflows to boost operational efficiency and reduce analyst fatigue.
- Conducted Endpoint Detection and Response (EDR) assessments to evaluate effectiveness and identify coverage gaps.
- Provided advanced support to the SOC team during complex and high-impact security incidents.
- Collaborated with the GRC team on compliance and governance-related SOC initiatives.
- Performed SIEM administration, ensuring optimal performance, rule tuning, and log source integration.
Senior SOC Analyst
November 2023 – August 2024
- Played a key role in establishing the first SOC team for Egypt’s first digital bank, Misr Digital Innovation (MDI).
- Led the implementation of the SOAR solution (TheHive) to automate and orchestrate security operations.
- Worked closely with GRC and IT operations teams to deploy and configure the SIEM, developing tailored use cases, detection rules, and automated playbooks aligned with MDI’s business operations.
- Designed and enhanced threat detection, monitoring, and incident response capabilities to meet the evolving threat landscape.
- Conducted audits on L1 analysts, identifying team/process gaps and implementing quality assurance improvements.
- Mentored L1 analysts, provided training recommendations, and supported their professional development.
- Assisted in the administration and optimization of SIEM and SOAR platforms, ensuring reliable and scalable SOC operations.
- Monitored global cybersecurity trends, IOCs, and daily threat feeds via Threat Intelligence Platforms (TIPs) to support proactive defense strategies.
Senior SOC and Incident Response Engineer
September 2022 – November 2023
- Strengthened threat detection, monitoring, and response capabilities through continuous purple team engagements.
- Designed automation workflows to streamline threat investigation and analysis processes.
- Integrated various SOC technologies with the SIEM platform to centralize and enhance detection capabilities.
- Led the implementation and optimization of the SOAR platform (TheHive) for effective incident response.
- Developed comprehensive SOC processes, including tailored use cases and playbooks to align with operational needs.
- Conducted deep-dive investigations into escalated security incidents from L1 analysts, identifying root cause and containment strategies.
- Monitored Dark Web platforms to identify potential data breaches or compromised business credentials, initiating appropriate takedown or remediation efforts.
- Executed threat hunting activities using known adversary TTPs aligned with the MITRE ATT&CK framework.
- Investigated IOCs shared by the Central Bank of Egypt (CBE) and Threat Intelligence Platforms (TIPs) to detect relevant threats within the environment.
- Established and continuously refined SOC operational processes, ensuring alignment with best practices and efficiency goals.
- Audited and mentored L1 analysts, identifying knowledge gaps and recommending training paths to enhance team capabilities.
- Authored detailed incident response reports for major cases, providing insights and mitigation recommendations.
- Collaborated with the GRC team on PCI log simulation and other compliance-aligned SOC responsibilities.
SOC Analyst
December 2021 – September 2022
- Provided 24x7 security monitoring by analyzing alerts generated from multiple security technologies.
- Validated alerts, filtered out false positives, and escalated legitimate threats for appropriate incident handling.
- Monitored cyber threat intelligence feeds, proactively identifying and flagging new and emerging threats.
- Recommended improvements to detection rules and controls to reduce noise and enhance signal fidelity.
- Produced regular SOC performance reports, covering detection metrics, incident trends, and resolution stats.
- Conducted threat hunting activities across critical systems and log sources to uncover hidden threats or misconfigurations.
- Responded to alerts and IOCs distributed by EG-FinCert and the Central Bank of Egypt (CBE), ensuring prompt action and investigation.
- Managed brand protection alerts, executing takedowns of impersonating social media profiles, websites, and mobile apps flagged by threat intelligence tools.
🧾 Certificates
- eCTHPv2 – Certified Threat Hunting Professional – eLearnSecurity / INE
- Threat Intelligence Analyst – Group-IB
- Windows Forensics Certification – Belkasoft
🎓 Training
- Threat Detection Engineering – TCM Security
- Practical Malware Analysis & Triage – TCM Security
- Incident Handler Path – Cybrary
- Practical Windows Forensics – TCM Security
- Foundations of Operationalizing MITRE ATT&CK – AttackIQ Academy
- Maturing Threat-Informed Defense with M3TID – AttackIQ Academy
- SOC Analyst Level 2 – Cybrary
- SOC Analyst Level 1 & 2 – TryHackMe
- Security Engineer – TryHackMe
- Foundations of Cyber Threat Intelligence – AttackIQ Academy
- N8N Workflow Automation (Levels 1 & 2)
- SIEM Alert Rule Development Fundamentals – Purple Academy by Picus
- AWS Cloud Practitioner (CLF-C02) – KodeKloud
- Microsoft Azure Fundamentals (AZ-900) – KodeKloud
- PCAP: Python Programming Essentials – KodeKloud
- CCNA / CCNA Security & CyberOps Associate – Cisco Networking Academy
🛠️ Hands-on Experience
- SIEM: QRadar, Splunk, ELK
- SOAR: TheHive, IBM Resilient
- EDR/XDR: Trellix, Fidelis, Group-IB
- NDR/XDR: IBM QNI, Group-IB
- Workflow Automation: N8N, Shuffle
- Programming: Python
- Threat Intelligence Platforms (TIP): GIB, Threat-Q, Dark Atlas, Criminal IP, CTM360, SOC Radar, Google Threat Intelligence
- Dark Web Monitoring: GIB, Dark Atlas, CTM360, SOC Radar, Google Threat Intelligence
- Attack Surface Management (ASM): GIB, Dark Atlas, Cynerv, Criminal IP, Tenable, CTM360, SOC Radar, Google Threat Intelligence
- Digital Risk Protection (DRP): GIB, Dark Atlas, CTM360, SOC Radar, Google Threat Intelligence
- Command & Control (C2) Frameworks: Covenant, Havoc
- Adversary Emulation: Caldera
- Middleware / API Integrations
- MITRE ATT&CK Gap Assessments: Technology and Detection Use Cases
- Velociraptor (Endpoint & Memory Forensics)
- MISP (Threat Intelligence Sharing and Automation)
🏆 Key Projects
The Hive: Open Source SOAR
Developed and maintained The Hive, a SOAR platform for incident response, threat hunting, and automated alert processing. Integrated with Cortex, MISP, QRadar, TIP, Digital Risk Protection, email, MS Teams, N8n, and Shuffle to streamline workflows and enhance response times.
MISP (Malware Information Sharing Platform)
Implemented MISP to share and correlate Indicators of Compromise (IoCs). Automated IOC ingestion and enrichment, improving threat analysis and situational awareness. Integrated MISP with SIEM and TIP systems to enhance detection and response capabilities.
Product Assessment
- Conducted EDR assessments to evaluate threat detection, incident response, forensic analysis, and integration with other security tools.
- Assessed Threat Intelligence Platforms, Dark Web Monitoring, Digital Risk Protection, and Attack Surface Management solutions for effectiveness and integration.
Attack Simulation
Utilized Caldera for automated adversary emulation, performing real-world attack simulations to evaluate and strengthen security posture.
Custom Middleware for SIEM Integration
Developed a custom middleware solution to integrate log data from APIs into SIEM systems, enhancing data centralization and analysis.
Card Data Discovery Validator
Built a Python tool for validating and ensuring proper handling and masking of card data in compliance with security standards.
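The following is an added illustration of the kind of check a card-data validator performs; it is example code written for this page, not the tool described above. It scans constructed log records for card-shaped tokens, keeps only those that pass the Luhn check (so order IDs and timestamps are not reported), and tests masked values against the PCI DSS display rule of at most the first six and last four digits visible. The sample records, the mask characters (`X`, `*`, `#`) and the 13-19 digit length window are assumptions for the example.

```python
"""Added example: card-data discovery and masking validation over log records."""
import re
from typing import List, Optional, Tuple

MASK_CHARS = "X*#"                       # assumed mask characters
# A run of digits / mask characters, optionally separated by spaces or dashes.
TOKEN_RE = re.compile(r"[\dX*#](?:[\dX*# -]*[\dX*#])?")
# PCI DSS masking policy: at most the first six and last four digits visible,
# everything in between replaced by mask characters.
MASK_POLICY_RE = re.compile(r"^(\d{0,6})([X*#]+)(\d{0,4})$")

# Constructed sample records (not real data); 4111... and 5555... are public test PANs.
SAMPLE_RECORDS = [
    "2024-01-15T10:22:31Z checkout card=4111111111111111 amount=19.99",   # clear-text PAN
    "2024-01-15T10:22:32Z receipt card=411111XXXXXX1111 amount=19.99",     # correctly masked
    "2024-01-15T10:22:33Z refund  card=5555 5555 5555 4444 amount=5.00",   # clear-text, separators
    "2024-01-15T10:22:34Z lookup  card=4111XXXXXXXX111111 status=ok",      # six trailing digits visible
    "2024-01-15T10:22:35Z order   id=1234567890123456 status=created",     # 16 digits, fails Luhn
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_token(token: str) -> Optional[str]:
    """Classify one token; None means it is not card-shaped and can be ignored."""
    norm = re.sub(r"[ -]", "", token)
    if not 13 <= len(norm) <= 19:        # PAN length window (assumed for the example)
        return None
    if norm.isdigit():
        return "unmasked_pan" if luhn_valid(norm) else None
    if any(c in norm for c in MASK_CHARS):
        return "masked_ok" if MASK_POLICY_RE.match(norm) else "masked_badly"
    return None


def scan_records(records: List[str]) -> List[Tuple[int, str, str]]:
    """Return (record_index, verdict, token) for every card-shaped token found."""
    findings = []
    for idx, line in enumerate(records):
        for m in TOKEN_RE.finditer(line):
            verdict = classify_token(m.group(0))
            if verdict is not None:
                findings.append((idx, verdict, m.group(0)))
    return findings


def violations(records: List[str]) -> List[Tuple[int, str, str]]:
    """Only the findings that need action: clear-text PANs and badly masked ones."""
    return [f for f in scan_records(records) if f[1] != "masked_ok"]


if __name__ == "__main__":
    for idx, verdict, token in violations(SAMPLE_RECORDS):
        print(f"record {idx}: {verdict}: {token}")
```

Running it reports the two clear-text PANs and the over-exposed masked value, and stays silent on the correctly masked card and the non-Luhn order ID.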
🔒 Security Projects Overview
- TheHive: Open Source SOAR
- MISP: Malware Information Sharing Platform
- BookStack: Documentation Platform
- EDR Assessment
- ELK: Elasticsearch, Logstash, Kibana
- C2 Frameworks
- Attack Simulation
- How to Send Logs From an API to QRadar SIEM Through Syslog Middleware
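As an added illustration of the API-to-QRadar syslog middleware listed above (example code for this page, not the author's middleware), the script below takes a constructed JSON API response, renders each event as a LEEF 1.0 record using QRadar's predefined attribute names (`devTime`, `src`, `dst`, `usrName`, `sev`, `cat`), wraps it in an RFC 3164 syslog header, and can ship it over UDP to the SIEM. The vendor/product names, the event field names, the severity mapping and the `api-middleware` hostname are assumptions for the example.

```python
"""Added example: JSON events from an API -> LEEF 1.0 over syslog for QRadar."""
import json
import socket
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of an API poll result (not real vendor output).
SAMPLE_API_RESPONSE = json.dumps({
    "events": [
        {"id": "evt-1001", "time": "2024-01-15T10:22:31Z", "type": "login_failed",
         "user": "alice", "src": "203.0.113.7", "dst": "10.0.0.5", "reason": "bad password"},
        {"id": "evt-1002", "time": "2024-01-15T10:22:40Z", "type": "login_success",
         "user": "alice", "src": "203.0.113.7", "dst": "10.0.0.5", "reason": ""},
    ]
})

VENDOR, PRODUCT, VERSION = "ExampleVendor", "ExampleAPI", "1.0"   # assumed identifiers
SYSLOG_PRI = 14                      # facility user(1) * 8 + severity informational(6)
SEVERITY = {"login_failed": 5, "login_success": 2}   # assumed LEEF sev (1-10) per event type


def parse_api_response(body: str) -> List[Dict]:
    """Decode the API body and reject anything that is not the expected shape."""
    data = json.loads(body)
    events = data.get("events")
    if not isinstance(events, list):
        raise ValueError("API response has no 'events' list")
    return events


def _leef_value(value) -> str:
    """LEEF 1.0 separates attributes with tabs, so tabs/newlines cannot survive in values."""
    return str(value).replace("\t", " ").replace("\r", " ").replace("\n", " ")


def to_leef(event: Dict) -> str:
    """Render one event as a LEEF 1.0 record: header fields are pipe-separated, attributes tab-separated."""
    header = f"LEEF:1.0|{VENDOR}|{PRODUCT}|{VERSION}|{event['type']}|"
    attrs = {
        "devTime": event["time"],
        "devTimeFormat": "yyyy-MM-dd'T'HH:mm:ss'Z'",   # Java SimpleDateFormat pattern for devTime
        "src": event.get("src", ""),
        "dst": event.get("dst", ""),
        "usrName": event.get("user", ""),
        "sev": SEVERITY.get(event["type"], 3),
        "cat": event["type"],
        "eventId": event["id"],                        # custom attribute, assumed name
        "reason": event.get("reason", ""),             # custom attribute, assumed name
    }
    return header + "\t".join(f"{k}={_leef_value(v)}" for k, v in attrs.items())


def to_syslog(event: Dict, hostname: str = "api-middleware",
              now: Optional[datetime] = None) -> str:
    """Wrap the LEEF record in an RFC 3164 syslog header (day of month is space-padded)."""
    ts = now or datetime.now(timezone.utc)
    header = f"<{SYSLOG_PRI}>{ts:%b} {ts.day:2d} {ts:%H:%M:%S} {hostname} {PRODUCT}:"
    return f"{header} {to_leef(event)}"


def build_messages(body: str, now: Optional[datetime] = None) -> List[str]:
    """Full pipeline for one API poll: parse, then one syslog line per event."""
    return [to_syslog(e, now=now) for e in parse_api_response(body)]


def send_udp(messages: List[str], host: str, port: int = 514) -> int:
    """Ship the lines to the QRadar syslog listener over UDP; returns the count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for m in messages:
            sock.sendto(m.encode("utf-8"), (host, port))
    return len(messages)


if __name__ == "__main__":
    for line in build_messages(SAMPLE_API_RESPONSE):
        print(line)
    # send_udp(build_messages(SAMPLE_API_RESPONSE), "qradar.example.internal")
```

On the QRadar side the matching log source is a Universal LEEF type with the middleware host as its identifier; the fixed `devTime`/`devTimeFormat` pair keeps event time equal to the API's timestamp rather than the time of forwarding, and using UDP means nothing is retried, so a TCP or TLS syslog sender is the usual hardening step for audit-relevant feeds.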
⚡ Nothing Is Better Than A Quiet Night, Cup Of Coffee & Dark Mode IDE