Threat Detection | Portfolio View

Threat detection signals, triage paths, and evidence-first response.

This is a static portfolio dashboard, not a live production feed. It shows how I think about cloud, identity, endpoint, and CI/CD telemetry when the evidence is fragmented.

I look for drift, correlate weak signals, reproduce the failure path, and document the next action clearly enough that engineers and auditors can follow the reasoning.

  • Identity and access drift
  • Cloud and Kubernetes telemetry
  • Endpoint and pipeline evidence
  • Triage and root cause analysis
Overview

What the dashboard surfaces

The cards below show the kinds of signals, sources, and triage habits I use when something looks off.

Detection Lens

How I read the signal

  • Correlate cloud, identity, endpoint, and CI/CD activity before calling something real.
  • Prefer evidence and reproduction over guesswork or alarm fatigue.
  • Capture the next action in language that engineers and auditors can both follow.
Telemetry Sources

What feeds the view

  • AWS CloudTrail
  • GuardDuty
  • GitHub Actions
  • Kubernetes audit logs
  • Linux journald
  • Windows Event Logs
  • LogicMonitor
  • SIEM
Triage Rules

What I do first

  • Reproduce the failure path and separate symptom from cause.
  • Check whether the change fits the deployment window and expected baseline.
  • Document evidence, escalation notes, and follow-up actions in plain English.
Signals

Representative detections

These are sample signals, not live incidents. They show the kinds of issues I would investigate and how I would frame the next action.

AWS CloudTrail

IAM policy expanded outside baseline

High

Identity and access drift detected during a routine change window. The first step is to compare the policy diff against the intended deployment and prior trust model.

  • Identity
  • Cloud
  • Audit trail
GitHub Actions

Workflow secret pattern needs review

Elevated

A change introduces a new secret-like value in pipeline output. I would validate the scan result, check provenance, and decide whether the finding is noise or exposure.

  • CI/CD
  • Secrets
  • Supply chain
LogicMonitor

Collector heartbeat gap on an endpoint

Watch

Endpoint telemetry stopped arriving on schedule. I would verify network reachability, service health, and any recent certificate or permission changes.

  • Endpoint
  • Telemetry
  • Linux
Kubernetes audit logs

Namespace permissions drifted

High

RBAC behavior no longer matches the expected least-privilege model. I would compare the current role bindings to the approved configuration and escalate with evidence.

  • Kubernetes
  • RBAC
  • Least privilege
Response

Triage flow

How I move from noisy alerts to a defensible conclusion, without pretending the answer is obvious too early.

01

Ingest and correlate

Collect the signal, line it up against the time window, and compare it to the surrounding telemetry.

02

Test the hypothesis

Reproduce the behavior where possible, isolate the root cause, and decide whether the event is benign, broken, or risky.

03

Escalate with evidence

Write the conclusion, the artifact trail, and the next action so engineers, customers, and auditors can act on it.

Contact

Reach out

If the dashboard gives you the context you need, these are the fastest ways to get in touch.