About

Mohamed Atef


About Me

Senior Cyber Defense DFIR Analyst with a strong focus on Cyber Threat Intelligence (CTI), threat detection engineering, and threat hunting. While formally positioned within DFIR, my role spans across threat intelligence engineering, SOC architecture, and detection strategy, driving proactive defense initiatives and intelligence-led security operations.

I lead the development of CTI strategies, SOPs, and tooling, including custom-built platforms like “ThreatOps”, a CTI automation tool designed to collect, parse, and operationalize RSS-based intelligence feeds, enriching internal security insights and empowering enterprise-wide threat programs.

With a foundation in SOC operations, including analysis, administration, and engineering, I bring prior experience in architecting and integrating core security solutions (SIEM, SOAR, EDR, TIPs, ASM, DRP), building end-to-end detection pipelines, and optimizing intelligence workflows.

Actively engaged in purple teaming to validate detection logic and enhance visibility. While my current DFIR responsibilities are more strategic than deep-dive forensics, I maintain hands-on capability in incident response, enrichment-driven triage, and light DFIR investigations.

Certified in Threat Hunting and Windows Forensics, I continuously contribute to threat-informed defense models, develop custom detection content, and ensure the seamless integration of CTI into SOC workflows. My mission is to bridge intelligence, engineering, and response into a unified, adaptive cyber defense capability.



🛡️ Experience

Senior Cyber Defense DFIR Analyst

April 2025 – Present

🔍 Threat Hunting & Investigation
  • Conduct threat-informed investigations and incident response by providing contextual intelligence, adversary insights, and lightweight analysis to guide detection and response efforts
  • Perform proactive threat hunting leveraging EDR/SIEM data mapped to MITRE ATT&CK, identifying stealthy behaviors and detection gaps
  • Analyze adversary TTPs and campaign data to inform detection engineering and response tuning across SOC tooling
🛡️ Detection Engineering & Content Development
  • Develop and maintain detection rules and use cases across multiple SIEM platforms (QRadar, Splunk, ELK)
  • Implement Detection-as-Code (DaC) methodologies with version control and automated testing frameworks
  • Create and tune MITRE ATT&CK-mapped detection content to address specific adversary techniques and procedures
  • Establish detection coverage metrics and gap analysis to continuously improve security monitoring capabilities
  • Collaborate with threat intelligence teams to transform IOCs and TTPs into actionable detection logic
🤖 CTI Automation & Engineering
  • Develop and operate an automated CTI pipeline using MISP, N8n, and Python, enabling scalable IOC ingestion, enrichment, tagging, and correlation with internal telemetry sources
  • Engineer and maintain “ThreatOps”, a custom-built CTI automation tool designed to:
    • Collect and parse RSS feed data
    • Operationalize open-source intelligence (OSINT)
    • Support internal intelligence programs
  • Automate and integrate threat intelligence, hunting, and incident response workflows using Python, N8n, and TIP/SIEM integrations
📋 Process Development & Operations
  • Design and implement CTI SOPs and intelligence workflows, aligning with the intelligence lifecycle to support:
    • Collection planning
    • Threat analysis
    • Stakeholder dissemination
  • Support ongoing development of MISP-based ecosystems, ensuring alignment between threat intelligence operations and enterprise defense strategy
  • Improve cross-platform visibility, accelerate triage, and reduce manual analyst workload through automation
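The ingestion path described above (feed collection, IOC extraction, tagging, correlation with internal telemetry), and the RSS-driven ThreatOps platform listed under Key Projects, in a runnable form. This is an added example written for this page, not the ThreatOps code or the author's MISP pipeline: it uses only the Python standard library, the feed, the keyword-to-tag mapping and the proxy log lines are constructed inline, and the MISP-style attribute dicts stand in for what a real deployment would push through PyMISP.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed RSS document standing in for a fetched feed (not a real advisory).
# 198.51.100.0/24, example.net and the empty-file SHA-256 are documentation values.
SAMPLE_RSS = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Demo Feed</title>
<item><title>Phishing wave abuses new C2 infrastructure</title>
<link>https://feed.example/post/1</link>
<description>Lures link to hxxps://update-check[.]example[.]net/login and the
implant beacons to 198.51.100.23 on port 8443. Dropper SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Ignore 999.1.2.3 (not an address).</description></item>
</channel></rss>"""

# Keyword -> tag mapping (assumed taxonomy; tag strings follow MISP galaxy naming).
KEYWORD_TAGS = {
    "phishing": 'misp-galaxy:mitre-attack-pattern="Phishing - T1566"',
    "beacon": 'misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071"',
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)


def refang(text):
    """Undo common defanging so the regexes see real indicators."""
    return (text.replace("hxxp", "http").replace("[.]", ".")
                .replace("(.)", ".").replace("[:]", ":"))


def parse_feed(xml_text):
    # Feeds are untrusted input: stdlib ElementTree does not fetch external
    # entities, but use defusedxml in production to also block entity bombs.
    root = ET.fromstring(xml_text)
    return [{"title": (i.findtext("title") or "").strip(),
             "link": (i.findtext("link") or "").strip(),
             "description": (i.findtext("description") or "").strip()}
            for i in root.iter("item")]


def extract_iocs(text):
    """Return (misp_type, value) pairs; strings that look like IPv4 but are not are dropped."""
    found = []
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue              # 999.1.2.3 matches the regex but is not an address
        if not (addr.is_loopback or addr.is_unspecified):
            found.append(("ip-dst", ip))
    found += [("url", u.rstrip(".,)")) for u in URL_RE.findall(text)]
    found += [("domain", d.lower()) for d in DOMAIN_RE.findall(text)]
    found += [("sha256", h.lower()) for h in SHA256_RE.findall(text)]
    return found


def build_attributes(items, source_tag):
    """Turn feed items into MISP-style attribute dicts, tagged and de-duplicated."""
    attrs, seen = [], set()
    for item in items:
        text = refang(item["title"] + "\n" + item["description"])
        tags = [source_tag] + [t for k, t in KEYWORD_TAGS.items() if k in text.lower()]
        for ioc_type, value in extract_iocs(text):
            if (ioc_type, value) in seen:
                continue
            seen.add((ioc_type, value))
            attrs.append({"type": ioc_type, "value": value,
                          "tags": tags, "comment": item["link"]})
    return attrs


# Constructed proxy log lines standing in for internal telemetry.
SAMPLE_PROXY_LOGS = [
    "2025-05-02T10:14:03Z src=10.0.5.17 dst=198.51.100.23 dport=8443 host=- action=allow",
    "2025-05-02T10:15:41Z src=10.0.5.19 dst=203.0.113.9 dport=443 host=update-check.example.net action=allow",
    "2025-05-02T10:16:02Z src=10.0.5.20 dst=203.0.113.77 dport=443 host=www.example.com action=allow",
]


def correlate(attributes, log_lines):
    """Match destination IPs and hostnames in key=value logs against the IOC set."""
    ips = {a["value"] for a in attributes if a["type"] == "ip-dst"}
    domains = {a["value"] for a in attributes if a["type"] == "domain"}
    hits = []
    for n, line in enumerate(log_lines, 1):
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        if kv.get("dst") in ips:
            hits.append((n, "ip-dst", kv["dst"]))
        host = kv.get("host", "").lower()
        if host in domains or any(host.endswith("." + d) for d in domains):
            hits.append((n, "domain", host))
    return hits


if __name__ == "__main__":
    attrs = build_attributes(parse_feed(SAMPLE_RSS), "source:demo-feed")
    for a in attrs:
        print(a["type"], a["value"], a["tags"])
    print(correlate(attrs, SAMPLE_PROXY_LOGS))
```

Two details matter in practice: refang before extracting (otherwise `[.]`-defanged indicators are silently lost), and validate each IPv4 candidate with `ipaddress` rather than trusting the regex, which will happily match `999.1.2.3`.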

Senior Cyber Defense Engineer

August 2024 – March 2025

🖥️ SOC Operations & Technology Management
  • Administered and fine-tuned key SOC technologies including SIEM, SOAR, EDR, and NDR, ensuring comprehensive threat monitoring and rapid incident response
  • Integrated and automated security workflows across platforms to drive SOC efficiency and scalability
  • Managed high-priority cases related to Digital Risk Protection (DRP), Attack Surface Management (ASM), and Threat Intelligence Platforms (TIP)
  • Partnered with the GRC team on PCI DSS log simulation and supported governance, risk, and compliance initiatives
🛡️ Detection & Response Engineering
  • Built and executed a Threat Detection Program using Detection-as-Code (DaC) with test-driven detection engineering
  • Strengthened detection and response capabilities through continuous SOC process improvement and playbook development
  • Implemented automation initiatives that reduced Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
  • Conducted MITRE ATT&CK assessments for both technology stack and detection content, and generated MITRE heat maps to inform strategic decisions
🧠 Strategic Programs & Intelligence
  • Developed and operationalized a Cyber Threat Intelligence Program using MISP, TIP, and OSINT, delivering timely and actionable insights
  • Evaluated and contributed to Proof of Concept (PoC) efforts for various security solutions:
    • EDR, Mail Gateway, TIP
    • ASM, Dark Web Monitoring, DRP, SOAR
  • Authored detailed Incident Response (IR) reports for executive management, aligning cybersecurity posture with business goals
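What "test-driven detection engineering" looks like at the smallest scale: a rule kept as data, an evaluator for its selection and condition logic, and a fixed set of labelled events that must pass before the rule is deployed. This is an added example, not the author's detection content or any vendor's engine: the rule mimics Sigma's shape (field modifiers, a condition over named sections) without depending on the Sigma tooling, and the events and the approved-admin-tool path are constructed for the demo.

```python
import re

# Example rule in Sigma's shape (illustrative; the admin-tool filter path is an assumption).
RULE = {
    "title": "PowerShell Encoded Command",
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-encodedcommand "],
        },
        "filter_admin": {"ParentImage|endswith": "\\approved-admin-tool.exe"},
        "condition": "selection and not filter_admin",
    },
    "level": "high",
}


def _match(value, modifiers, pattern):
    """Sigma string matching is case-insensitive; the modifier picks the comparison."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def section_matches(section, event):
    """Every field in a section must match (AND); a value list is OR unless '|all' is set."""
    for key, patterns in section.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        results = [_match(event[field], modifiers, p) for p in values]
        if not (all(results) if "all" in modifiers else any(results)):
            return False
    return True


def evaluate_condition(condition, truth):
    """Recursive-descent evaluator for 'a and not (b or c)' over section results."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "not":
            return not parse_not()
        if token == "(":
            value = parse_or()
            if tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return value
        return truth[token]      # KeyError surfaces a typo in a section name

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def rule_matches(rule, event):
    detection = rule["detection"]
    truth = {name: section_matches(sec, event)
             for name, sec in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], truth)


# Constructed process-creation events with their expected verdicts: the test set a
# Detection-as-Code pipeline runs in CI before the rule reaches the SIEM.
TEST_CASES = [
    ("encoded powershell from explorer", True,
     {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQQ==", "ParentImage": "C:\\Windows\\explorer.exe"}),
    ("pwsh with -EncodedCommand", True,
     {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
      "CommandLine": "pwsh -EncodedCommand QUFBQQ==", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}),
    ("plain script execution", False,
     {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1", "ParentImage": "C:\\Windows\\explorer.exe"}),
    ("encoded but launched by approved tool", False,
     {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "CommandLine": "powershell.exe -enc QUFBQQ==", "ParentImage": "C:\\Tools\\approved-admin-tool.exe"}),
    ("not powershell at all", False,
     {"Image": "C:\\Windows\\System32\\cmd.exe",
      "CommandLine": "cmd.exe /c echo -enc QUFBQQ==", "ParentImage": "C:\\Windows\\explorer.exe"}),
]


def run_tests(rule, cases):
    """Names of cases whose verdict differs from the expectation (empty list = pass)."""
    return [name for name, expected, event in cases if rule_matches(rule, event) != expected]


if __name__ == "__main__":
    failures = run_tests(RULE, TEST_CASES)
    print("PASS" if not failures else f"FAIL: {failures}")
```

The negative cases are the point: a benign script, the allow-listed parent and a non-PowerShell process carrying the same token all have to stay quiet, and a later edit to the rule that breaks any of them fails the pipeline instead of flooding the SOC.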

Cyber Defense Engineer

December 2023 – July 2024

🤖 SOAR & Automation
  • Administered and managed SOAR platform (TheHive) to coordinate and streamline incident response activities
  • Automated key SOC workflows to boost operational efficiency and reduce analyst fatigue
🛠️ Technology Assessment & Administration
  • Conducted Endpoint Detection and Response (EDR) assessments to evaluate effectiveness and identify coverage gaps
  • Performed SIEM administration, ensuring optimal performance, rule tuning, and log source integration
👥 SOC Operations & Collaboration
  • Provided advanced support to the SOC team during complex and high-impact security incidents
  • Collaborated with the GRC team on compliance and governance-related SOC initiatives

Senior SOC Analyst

November 2023 – August 2024

🏗️ SOC Establishment & Leadership
  • Played a key role in establishing the first SOC team for Egypt’s first digital bank, Misr Digital Innovation (MDI)
  • Designed and enhanced threat detection, monitoring, and incident response capabilities to meet the evolving threat landscape
🛠️ SIEM/SOAR Implementation & Management
  • Led the implementation of the SOAR solution (TheHive) to automate and orchestrate security operations
  • Worked closely with GRC and IT operations teams to deploy and configure the SIEM, developing tailored use cases, detection rules, and automated playbooks aligned with MDI’s business operations
  • Assisted in the administration and optimization of SIEM and SOAR platforms, ensuring reliable and scalable SOC operations
👨‍🏫 Team Development & Training
  • Conducted audits on L1 analysts, identifying team/process gaps and implementing quality assurance improvements
  • Mentored L1 analysts, provided training recommendations, and supported their professional development
🌐 Threat Intelligence & Monitoring
  • Monitored global cybersecurity trends, IOCs, and daily threat feeds via Threat Intelligence Platforms (TIPs) to support proactive defense strategies

Senior SOC and Incident Response Engineer

September 2022 – November 2023

🛡️ Detection & Response Engineering
  • Strengthened threat detection, monitoring, and response capabilities through continuous purple team engagements
  • Integrated various SOC technologies with the SIEM platform to centralize and enhance detection capabilities
  • Developed comprehensive SOC processes, including tailored use cases and playbooks to align with operational needs
🤖 SOAR & Automation
  • Led the implementation and optimization of SOAR platform (TheHive) for effective incident response
  • Designed automation workflows to streamline threat investigation and analysis processes
🔍 Incident Response & Investigation
  • Conducted deep-dive investigations into escalated security incidents from L1 analysts, identifying root cause and containment strategies
  • Authored detailed incident response reports for major cases, providing insights and mitigation recommendations
  • Collaborated with the GRC team on PCI log simulation and other compliance-aligned SOC responsibilities
🌐 Threat Intelligence & Hunting
  • Monitored Dark Web platforms to identify potential data breaches or compromised business credentials, initiating appropriate takedown or remediation efforts
  • Executed threat hunting activities using known adversary TTPs aligned with the MITRE ATT&CK framework
  • Investigated IOCs shared by Central Bank of Egypt (CBE) and Threat Intelligence Platforms (TIPs) to detect relevant threats within the environment
👥 Team Development & Process Improvement
  • Established and continuously refined SOC operational processes, ensuring alignment with best practices and efficiency goals
  • Audited and mentored L1 analysts, identifying knowledge gaps and recommending training paths to enhance team capabilities

SOC Analyst

December 2021 – September 2022

🖥️ Security Monitoring & Analysis
  • Provided 24x7 security monitoring by analyzing alerts generated from multiple security technologies
  • Validated alerts, filtered out false positives, and escalated legitimate threats for appropriate incident handling
  • Produced regular SOC performance reports, covering detection metrics, incident trends, and resolution stats
🔍 Threat Hunting & Intelligence
  • Monitored cyber threat intelligence feeds, proactively identifying and flagging new and emerging threats
  • Conducted threat hunting activities across critical systems and log sources to uncover hidden threats or misconfigurations
  • Responded to alerts and IOCs distributed by EG-FinCert and the Central Bank of Egypt (CBE), ensuring prompt action and investigation
🛡️ Detection Engineering & Brand Protection
  • Recommended improvements to detection rules and controls to reduce noise and enhance signal fidelity
  • Managed brand protection alerts, executing takedowns of impersonating social media profiles, websites, and mobile apps flagged by threat intelligence tools

🧾 Certificates

  • eCTHPv2 – Certified Threat Hunting Professional
    eLearnSecurity / INE

  • Threat Intelligence Analyst
    Group-IB

  • Windows Forensics Certification
    Belkasoft


🎓 Training & Professional Development

🛡️ Detection Engineering & MITRE ATT&CK
  • Threat Detection Engineering – TCM Security
  • SIEM Alert Rule Development Fundamentals – Purple Academy by Picus
  • Foundations of Operationalizing MITRE ATT&CK – AttackIQ Academy
  • Maturing Threat-Informed Defense with M3TID – AttackIQ Academy
🔍 Threat Hunting & Intelligence
  • Foundations of Cyber Threat Intelligence – AttackIQ Academy
  • Practical Malware Analysis & Triage – TCM Security
🚨 Incident Response & Forensics
  • Incident Handler Path – Cybrary
  • Practical Windows Forensics – TCM Security
👥 SOC Operations & Analysis
  • SOC Analyst Level 2 – Cybrary
  • SOC Analyst Level 1 & 2 – TryHackMe
  • Security Engineer – TryHackMe
🤖 Automation & Integration
  • N8N Workflow Automation (Levels 1 & 2) – N8N Academy
☁️ Cloud Security & Infrastructure
  • AWS Cloud Practitioner (CLF-C02) – KodeKloud
  • Microsoft Azure Fundamentals (AZ-900) – KodeKloud
💻 Programming & Networking
  • PCAP: Python Programming Essentials – KodeKloud
  • CCNA / CCNA Security & CyberOps Associate – Cisco Networking Academy

🛠️ Technical Expertise & Hands-on Experience

🔍 SIEM & Security Analytics Platforms
  • Core SIEM: QRadar, Splunk, ELK Stack (Elasticsearch, Logstash, Kibana)
  • Log Management: Centralized logging, parsing, and correlation
  • Custom Dashboards: Executive reporting and operational views
🤖 SOAR & Incident Orchestration
  • Primary Platforms: TheHive, IBM Resilient
  • Workflow Automation: N8N, Shuffle
  • Integration Development: API connectors and custom playbooks
  • Case Management: Incident tracking, escalation, and reporting
🛡️ Endpoint Detection & Response (EDR/XDR)
  • EDR Solutions: Trellix, Fidelis, Group-IB
  • Network Detection: IBM QNI (NDR/XDR), Group-IB
  • Endpoint Forensics: Velociraptor for memory and disk analysis
  • Threat Hunting: Behavioral analysis and anomaly detection
🧠 Threat Intelligence Platforms & CTI Tools
  • Central Platforms: MISP, ThreatQ, Group-IB (GIB)
  • Commercial TIPs: Dark Atlas, Criminal IP, CTM360
  • Global Intelligence: SOC Radar, Google Threat Intelligence
  • CTI Automation: Feed aggregation, IOC enrichment, and distribution
🌐 Digital Risk Protection & Attack Surface Management
  • Attack Surface Management (ASM): External asset discovery and vulnerability assessment
  • Digital Risk Protection (DRP): Brand monitoring, data leak detection
  • Dark Web Monitoring: Credential compromise and threat actor tracking
  • Platforms: GIB, Dark Atlas, Cynerv, Criminal IP, Tenable, CTM360, SOC Radar
🎯 Red Team Tools & Purple Team Operations
  • Command & Control Frameworks: Covenant, Havoc
  • Adversary Emulation: Caldera for automated attack simulation
  • Purple Team Activities: Detection validation, gap analysis, and security control testing
  • TTPs Mapping: MITRE ATT&CK framework implementation
💻 Development & Automation Engineering
  • Programming Languages: Python for security automation and tool development
  • API Development: Custom middleware for SIEM and TIP integrations
  • Workflow Automation: End-to-end security process orchestration
  • Custom Tools: ThreatOps platform and specialized security utilities
📊 Security Assessment & Strategic Analysis
  • MITRE ATT&CK Assessments: Technology coverage and detection content gap analysis
  • Detection Engineering: Custom rule development, testing frameworks, and DaC methodologies
  • Technology Evaluation: PoC assessments for EDR, TIP, SOAR, and security tools
  • Metrics & KPIs: MTTR/MTTD improvement and security program effectiveness measurement

🏆 Key Projects & Achievements

1. ThreatOps: Custom CTI Automation Platform ⭐

2024 - Present | Python, RSS Processing, MISP Integration

  • Built from scratch: Custom RSS feed aggregation and intelligence processing platform
  • Business Impact: Reduced manual CTI processing time by 80%, enabling real-time threat analysis
  • Core Features: Multi-source feeds, automated tagging, MISP integration, intelligent alerting
  • Architecture: Python, MISP API, N8n, Docker, REST APIs
  • Innovation: First-of-its-kind RSS-based CTI automation in the organization

2. Enterprise SOAR Implementation: TheHive Platform

2022 - 2024 | SOC Orchestration & Incident Response

  • Achievement: Led the first complete SOAR deployment for Egypt’s first digital bank
  • Integrations: Cortex, MISP, QRadar, TIP platforms, MS Teams, Email, N8n, Shuffle

3. MISP Threat Intelligence Ecosystem

2023 - Present | Cyber Threat Intelligence Platform

  • Strategic Implementation: Centralized IOC sharing and correlation platform
  • Automation: Automated IOC ingestion, enrichment, and distribution workflows
  • Integration: Seamless SIEM and TIP system connectivity for enhanced detection capabilities

4. Comprehensive Security Technology Assessment Program

2023 - 2024 | Strategic Technology Evaluation

  • Scope: Evaluated 12+ security solutions across EDR, TIP, ASM, DRP, and Dark Web Monitoring
  • Assessment Areas:
    • EDR Solutions: Threat detection, incident response, forensic analysis capabilities
    • Intelligence Platforms: TIP, Dark Web Monitoring, DRP, and ASM solution effectiveness
  • Methodology: PoC testing, technical deep-dives, integration assessments

5. Purple Team & Adversary Emulation Program

2023 - Present | Security Validation & Testing

  • Platform: Caldera for automated adversary emulation and attack simulation
  • Activities: Real-world attack simulations, detection validation, control effectiveness testing
  • MITRE ATT&CK: Comprehensive TTPs mapping and gap analysis
  • Continuous Improvement: Quarterly purple team exercises with measurable security improvements

6. API-to-SIEM Integration Middleware

2024 | Custom Integration Development

  • Technical Achievement: Built custom middleware for API-to-SIEM data integration
  • Business Impact: Enabled centralization of 5+ previously siloed security data sources
  • Architecture: Python, REST APIs, syslog protocols, QRadar integration
  • Documentation: Created comprehensive integration guide published on blog
  • Reusability: Solution adopted across multiple environments and data sources
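The API-to-SIEM middleware pattern from project 6, as an added example rather than the author's code: pull JSON events from a vendor REST API (stubbed here with constructed records), serialise each one to CEF, which QRadar recognises natively inside a syslog line, and keep a checkpoint so that a restart or a repeated poll never re-forwards an event. The vendor/product names, the severity mapping, the CEF key choices and the `cti-middleware` hostname are assumptions for the demo.

```python
import datetime as dt
import socket

VENDOR, PRODUCT, VERSION = "ExampleVendor", "DRP Monitor", "1.0"   # placeholder device identity
SEVERITY = {"low": 3, "medium": 5, "high": 8, "critical": 10}       # source levels -> CEF 0..10
EVENT_NAME = {"credential_leak": "Credential exposure", "brand_abuse": "Brand impersonation"}

# Constructed JSON records standing in for a vendor REST API response.
SAMPLE_API_EVENTS = [
    {"id": 1041, "timestamp": "2025-05-02T10:14:03Z", "category": "credential_leak",
     "severity": "high", "source": "darkweb-monitor", "subject": "j.doe@example.com",
     "description": "Credential pair found in combo list: user=j.doe|site=corp"},
    {"id": 1042, "timestamp": "2025-05-02T10:20:00Z", "category": "brand_abuse",
     "severity": "medium", "source": "brand-monitor", "subject": "login-examp1e.test",
     "description": "Lookalike domain registered"},
]


def esc_header(s):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return s.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(s):
    """CEF extension values: escape backslash, '=' and line breaks (pipes are legal here)."""
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(ev):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    header = ["CEF:0", VENDOR, PRODUCT, VERSION, ev["category"],
              EVENT_NAME.get(ev["category"], ev["category"]),
              str(SEVERITY.get(ev["severity"], 5))]
    ts = dt.datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    extension = [("rt", str(int(ts.timestamp() * 1000))),    # receipt time, ms since epoch
                 ("externalId", str(ev["id"])),
                 ("suser", ev.get("subject", "")),
                 ("cs1Label", "source"), ("cs1", ev.get("source", "")),
                 ("msg", ev.get("description", ""))]
    return "|".join(esc_header(h) for h in header) + "|" + \
        " ".join(f"{k}={esc_ext(v)}" for k, v in extension if v)


def to_syslog(payload, hostname, facility=16, severity=6, now=None):
    """RFC 3164 framing; PRI = facility*8 + severity (local0=16, informational=6 -> <134>)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return f"<{facility * 8 + severity}>{now:%b} {now.day:2d} {now:%H:%M:%S} {hostname} {payload}"


def send_udp(message, host, port=514):
    """Plain UDP syslog as in the common QRadar setup; use TLS syslog where the path is untrusted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


def poll_once(fetch_events, emit, checkpoint):
    """Forward only events newer than the checkpoint so repeated polls or restarts never duplicate."""
    new = sorted((e for e in fetch_events() if e["id"] > checkpoint), key=lambda e: e["id"])
    for ev in new:
        emit(to_syslog(to_cef(ev), "cti-middleware"))
    return (new[-1]["id"] if new else checkpoint), len(new)


if __name__ == "__main__":
    # Offline demo: print instead of sending. Swap `print` for
    # lambda m: send_udp(m, "qradar.example.internal") to forward for real.
    checkpoint, count = poll_once(lambda: SAMPLE_API_EVENTS, print, checkpoint=0)
    print(f"forwarded {count} events, checkpoint now {checkpoint}")
```

The escaping functions are where home-grown forwarders usually go wrong: a `|` in a product name or an `=` inside a message shifts every following field in the parser, so the header and extension rules are applied separately, and the checkpoint must be persisted between runs (a file or a small table) for the idempotency to survive a restart.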

🎯 Current Focus Areas (2025)

  • 🤖 AI/ML in CTI: Exploring LLM integration for threat analysis
  • ☁️ Cloud Security: AWS/Azure security architecture
  • 🔐 Zero Trust: Implementation strategies and detection
  • πŸ“Š Metrics-Driven Security: KPI development and measurement

⚑ Nothing Is Better Than A Quiet Night, Cup Of Coffee & Dark Mode IDE