STANISLAV BERDAR

Security Engineer

I build detection systems that find attackers based on how they actually behave not just what tools they use. My work involves threat hunting, detection engineering, and incident response: writing KQL and Sigma logic against MITRE ATT&CK techniques, automating triage workflows, and closing the gap between attacker activity and visibility. I care about understanding adversary tradecraft well enough to anticipate it, detections and sharing the knowledge I gained with the wider security community.

What I Do

Detection Engineering

I write behavioral detections grounded in attacker technique: process injection patterns, LOLBin abuse, credential access signals, rather than IOC matching. I map detection logic to MITRE ATT&CK and tune for signal quality over alert volume.

Threat Hunting

Proactive hunting using KQL across endpoint, identity, and network telemetry. I look for anomalies that signature-based rules miss: unusual parent-child process chains, lateral movement patterns, authentication anomalies.

Incident Response & Automation

End-to-end IR from triage through containment. I've built Python and Logic App automation that cut per-incident triage time from an hour to 15 minutes across 200+ monthly alerts — enriching IOCs automatically and routing signal before a human touches it.

SIEM Engineering

Microsoft Sentinel is my primary platform: data connectors, analytic rules, workbooks, and SOAR playbooks. I also have hands-on experience evaluating and standing up SIEM infrastructure from scratch, including open-source alternatives like Wazuh in cloud-native environments.

Skills & Certifications

CERTIFICATIONS

CISSP Azure Administrator (AZ-104) Azure Network Engineer (AZ-700)
Detection & SIEM
Microsoft Sentinel KQL Wazuh Google SecOps MITRE ATT&CK Behavioral Analytics SOAR Playbooks
Incident Response & Forensics
Defender for Endpoint EDR Investigation Process Analysis Digital Forensics Malware Analysis Threat Hunting
Automation & Scripting
Python PowerShell REST APIs Logic Apps Anthropic API
Cloud & Identity
GCP Microsoft Azure Entra ID / Azure AD Okta Microsoft 365
Compliance & Frameworks
HIPAA PCI DSS CJIS MITRE ATT&CK STRIDE OWASP
Security Engineer II
Flexe
Seattle, WA
March 2026 – Present
Conducted comprehensive cloud security architecture assessment across GCP and AWS, identifying unmonitored attack surface across IAM, S3, VPC, and CloudFront layers, then authored a detection program charter and delivered a prioritized remediation roadmap to leadership.
+
The Challenge

Joined as the organization's only dedicated security hire and discovered the existing SIEM (Chronicle/Google SecOps, managed by a third-party MSSP) had been decommissioned, leaving no alerting or detection infrastructure across a multi-cloud environment spanning GCP and AWS.

How I Did It
  • Conducted a comprehensive security architecture assessment across GCP and AWS, mapping unmonitored attack surface across IAM, S3, VPC, and CloudFront layers
  • Authored a detection program charter establishing the foundational framework, data sources, and detection priorities for building from zero
  • Delivered a prioritized remediation roadmap to leadership, sequenced by risk exposure and detection coverage gaps
  • Evaluated Wazuh as an open-source SIEM candidate suited to the multi-cloud stack, producing a cost comparison analysis against commercial alternatives
Impact
Roadmap
Delivered to Leadership
Charter
Detection Program
GCP + AWS
Multi-Cloud Coverage
GCP AWS Wazuh Google SecOps Okta Security Architecture Detection Engineering SIEM Evaluation
Built an AI-powered security questionnaire automation tool using Python and the Anthropic API, integrated with Jira, that significantly reduced manual review time and eliminated a backlog of outstanding security assessments.
+
The Challenge

Security review questionnaires, vendor assessments, customer security reviews, and compliance intake forms represented a significant manual workload with repetitive, high-volume responses that consumed engineering time better spent on detection and response work.

How I Did It
  • Built a Python-based automation tool using the Anthropic API to intelligently respond to incoming security questionnaires based on organizational context
  • Integrated directly with Jira for ticket creation, tracking, and workflow routing, eliminating the manual handoff between security review requests and response work
  • Designed the system to handle both per-questionnaire review time reduction and the backlog of accumulated outstanding requests
Impact
Significant
Manual Time Reduction
Backlog
Bottleneck Eliminated
Python Anthropic API Jira Security Automation AI-Assisted Workflows
Enabling AWS threat detection coverage by deploying CloudTrail, GuardDuty with S3 Protection, and VPC Flow Logs across an environment with 3TB+ of S3 data and no prior monitoring in place.
+
The Challenge

AWS environment with 3TB+ of S3 data had no threat detection or logging infrastructure, no CloudTrail, no GuardDuty, no VPC Flow Logs. Attacker activity across IAM, storage, and network layers would have been entirely invisible.

How I Did It
  • Deploying CloudTrail for comprehensive API-level audit logging across the AWS environment
  • Configuring GuardDuty with S3 Protection enabled to surface threat signals across IAM, network, and object storage layers
  • Enabling VPC Flow Logs to establish network visibility and support lateral movement detection
  • Building on findings from the cross-environment architecture assessment to prioritize detection coverage gaps by risk
Impact
3TB+
S3 Data Now Monitored
Zero
Prior AWS Visibility
In Progress
Active Rollout
AWS GuardDuty CloudTrail VPC Flow Logs S3 Protection Threat Detection
Security Engineer II
Overlake Medical Center
Bellevue, WA
April 2022 – February 2026
Automated threat detection and incident response in Microsoft Sentinel using Python, REST APIs, and SOAR playbooks, reducing triage time by 75% (from 1 hour to 15 minutes) for 200+ monthly incidents through IOC enrichment and workflow automation.
+
The Challenge

Security team was processing 200+ monthly incidents with manual triage averaging an hour per alert — analysts context-switching between threat intel sources, Sentinel, and EDR before they could even classify severity.

How I Did It
  • Developed Python and PowerShell scripts for automatic IOC enrichment via VirusTotal and AbuseIPDB APIs, aggregating risk scores and writing context directly back to Sentinel incidents
  • Created Logic App playbooks for automated incident categorization, analyst assignment, and low-severity auto-response (account lockdown, device isolation)
  • Built Teams and Email integration for real-time alert routing without requiring analysts to poll the queue
  • Designed the system to reduce human touchpoints on low-signal alerts while preserving analyst decision authority on ambiguous cases
# Python automation for IOC enrichment import requests def enrich_ioc(indicator, indicator_type): vt_result = query_virustotal(indicator) abuse_result = query_abuseipdb(indicator) risk_score = calculate_risk(vt_result, abuse_result) update_incident_tags(incident_id, risk_score) return risk_score
Impact
75%
Faster Triage
15 min
Avg Response Time
200+
Monthly Incidents
Microsoft Sentinel Python Logic Apps REST APIs SOAR IOC Enrichment
Conducted proactive threat hunting using KQL to identify behavioral anomalies — unusual login patterns, LOLBin abuse, PowerShell execution chains — and converted validated hunt logic into persistent behavioral detection rules mapped to MITRE ATT&CK.
+
The Challenge

Signature-based detection was missing attacker behaviors that didn't match known IOCs — particularly living-off-the-land techniques, abnormal authentication patterns, and PowerShell abuse that blended with legitimate admin activity.

How I Did It
  • Conducted weekly proactive threat hunts using KQL across Sentinel data sources, investigating suspicious login patterns, RDP anomalies, and process execution chains
  • Mapped findings to MITRE ATT&CK techniques to contextualize TTPs and identify detection coverage gaps
  • Converted validated hunt logic into ~10 persistent behavioral detection rules — moving confirmed hypotheses from ad hoc queries into production analytics
  • Built PowerShell scripts to audit Azure configuration drift and surface posture anomalies outside the endpoint telemetry stream
// KQL — detecting suspicious PowerShell execution SecurityEvent | where EventID == 4688 | where Process has "powershell" | where CommandLine has_any ("IEX", "Invoke-Expression", "EncodedCommand") | summarize count() by Computer, Account, CommandLine | where count_ > 3
Impact
~10
Behavioral Detection Rules
Weekly
Hunt Cadence
Zero
IOC Dependency
KQL MITRE ATT&CK Threat Hunting PowerShell Behavioral Analysis
Created and assigned custom RBAC roles across Azure environment, implementing least privilege access for over 100 positions.
+
The Challenge

Over-permissioned accounts and broad role assignments created security risks across Azure infrastructure.

How I Did It
  • Reviewed existing permissions and identified excessive access across subscriptions
  • Designed custom RBAC roles for specific job functions
  • Assigned roles to 100+ positions across 25+ Azure resources with appropriate scoping
Impact
100+
Role Assignments
25+
Resources
Azure RBAC Least Privilege Access Management
Improved Defender for Cloud secure score through systematic remediation of security recommendations aligned to HIPAA and PCI DSS controls.
+
The Challenge

Cloud infrastructure had numerous security misconfigurations flagged by Defender for Cloud, impacting compliance readiness.

How I Did It
  • Prioritized recommendations based on HIPAA/PCI DSS requirements and risk impact
  • Remediated high-severity findings including encryption gaps, network segmentation issues, and storage misconfigurations
  • Documented controls and mapped them to regulatory frameworks
Impact
Improved
Secure Score
50+
Fixes Implemented
Defender for Cloud HIPAA PCI DSS Compliance
Spearheaded Defender for Endpoint deployment across 200+ Linux/Windows servers, designing automated onboarding workflows using PowerShell, establishing EDR baseline policies, and integrating telemetry with Sentinel for centralized threat detection.
+
The Challenge

Healthcare infrastructure with 200+ heterogeneous servers (Windows/Linux) lacked unified endpoint detection and response capabilities, creating visibility gaps and increasing incident response time.

How I Did It

Designed and executed enterprise-wide EDR deployment with automation focus:

# PowerShell automation snippet for bulk onboarding $servers = Get-Content "servers.txt" foreach ($server in $servers) { Invoke-Command -ComputerName $server -ScriptBlock { Start-Process msiexec.exe -ArgumentList ` "/i WindowsDefenderATPOnboardingPackage.msi /quiet" } }
  • Built PowerShell automation framework for zero-touch onboarding
  • Created EDR baseline policies tailored for healthcare environment
  • Integrated MDE telemetry with Sentinel using Log Analytics connector
  • Developed health monitoring dashboard to track deployment progress
Impact
~200
Servers Onboarded
5-10 days
Deployment Time
~90%
Coverage
Defender for Endpoint PowerShell Microsoft Sentinel Log Analytics EDR
Conducted proactive threat hunting to identify suspicious activity including unusual login patterns, RDP anomalies, and PowerShell execution; created detection rules based on MITRE ATT&CK framework.
+
The Challenge

Signature-based detection was missing suspicious behaviors and techniques that warranted investigation in the healthcare environment.

How I Did It
  • Conducted threat hunts using KQL queries against Sentinel data to identify anomalies
  • Investigated suspicious login attempts, unusual RDP activity, and PowerShell execution patterns
  • Mapped findings to MITRE ATT&CK techniques for better context
  • Created ~10 custom detection rules for behavior-based threat detection
  • Built PowerShell scripts to audit Azure security configurations
// KQL hunting query example SecurityEvent | where EventID == 4688 // Process creation | where Process contains "powershell" | where CommandLine contains_any ("IEX", "Invoke-Expression") | project TimeGenerated, Computer, Account, CommandLine
Impact
~10
Detection Rules
Weekly
Threat Hunts
Threat Hunting KQL MITRE ATT&CK PowerShell Behavioral Analysis
Conducted security architecture reviews and threat modeling for vendor solutions and internal applications; leveraged AI coding assistants to accelerate security automation development and reduce manual investigative effort.
+
The Challenge

Healthcare organization needed to evaluate security posture of third-party vendor solutions and internal applications before deployment, while maintaining rapid development cycles for security tooling.

How I Did It

Established security review process and leveraged modern development practices:

  • Created threat modeling framework based on STRIDE methodology
  • Conducted architecture reviews for 10+ vendor solutions evaluating authentication, data flow, encryption
  • Reviewed internal applications for OWASP Top 10 vulnerabilities
  • Used AI coding assistants (GitHub Copilot, ChatGPT) to accelerate Python/PowerShell automation development
  • Reduced time spent writing boilerplate code for data parsing, API integrations, and automation workflows
Impact
10+
Reviews Conducted
Threat Modeling STRIDE Security Architecture OWASP AI-Assisted Development
Performed EDR investigations using Defender for Endpoint, analyzing process trees, network connections, and file activity to determine root cause and scope of security incidents in healthcare environment.
+
The Challenge

Security incidents in healthcare environment require rapid investigation to determine scope, contain threats, and protect patient data while minimizing operational disruption to clinical systems.

How I Did It

Developed systematic EDR investigation methodology:

  • Used Defender for Endpoint timeline analysis to reconstruct attack chain
  • Analyzed process trees to identify parent-child relationships and injection techniques
  • Examined network connections for C2 communication patterns
  • Investigated file activity (creation, modification, execution) to identify malware persistence
  • Correlated EDR data with Sentinel logs for comprehensive incident scope
  • Conducted containment actions (device isolation, credential resets) while preserving forensic evidence
Example Investigation

Detected suspicious PowerShell execution spawned from Word.exe → Identified macro-based malware delivery → Traced network connection to known malicious IP → Isolated affected workstation → Prevented lateral movement to clinical systems → Full remediation within 2 hours

Defender for Endpoint Incident Response Digital Forensics Process Analysis Network Analysis
Senior Service Desk Technician
City of Renton
Renton, WA
Sept. 2018 – April 2022
Deployed comprehensive Defender security policies via SCCM to 600+ endpoints, servers, and mobile devices across municipal infrastructure.
+
The Challenge

City's IT infrastructure had inconsistent security configurations across 600+ devices, creating vulnerabilities and compliance gaps.

How I Did It
  • Designed standardized Defender security policies for workstations, servers, and mobile devices
  • Deployed policies via SCCM for centralized management and enforcement
  • Created configuration baselines for consistent threat protection settings
  • Monitored compliance and remediated non-compliant devices
Impact
600+
Devices Protected
100%
Policy Coverage
Microsoft Defender SCCM Endpoint Protection Policy Management
Spearheaded EDR rollout across 600+ endpoints, establishing real-time threat detection capability and eliminating critical security gap.
+
The Challenge

Municipal government lacked endpoint detection and response capabilities, creating blind spots in security monitoring.

How I Did It
  • Led organization's first EDR implementation across all endpoints
  • Configured detection policies and alert thresholds for municipal environment
  • Trained IT staff on EDR console usage and alert triage
  • Established incident response procedures for EDR alerts
Impact
600+
Endpoints Monitored
First
EDR Deployment
EDR Threat Detection Incident Response Security Monitoring
Hardened municipal systems via Windows GPOs, MFA enforcement, and endpoint baselines aligned to CJIS requirements.
+
The Challenge

City systems required compliance with Criminal Justice Information Services (CJIS) security policy for law enforcement data access.

How I Did It
  • Implemented Windows GPOs enforcing password complexity, account lockout, and audit policies
  • Deployed MFA for all administrative and privileged accounts
  • Created endpoint configuration baselines aligned to CJIS security requirements
  • Documented security controls for compliance audits
Impact
100%
CJIS Compliance
MFA
Full Deployment
Group Policy MFA CJIS System Hardening

Get In Touch

I'm always interested in discussing security engineering opportunities, collaborating on projects, or sharing insights about cloud security and threat detection. Feel free to reach out!

Email

[email protected]

LinkedIn

linkedin.com/in/stanislavberdar

Location

Seattle, WA