  • Okamoto Security Labs
gustavo89587/README.md

πŸ‘¨β€πŸ’» Gustavo β€” Detection Engineering | Blue Team | Windows Telemetry

Sigma Sysmon Wazuh Elastic OpenTelemetry MITRE

Detection Engineer focused on high-fidelity detections built from real Windows telemetry and grounded in attacker behavior, not keyword-based alerts.

I work across Windows internals, Sysmon, Sigma, and SIEM pipelines, with an emphasis on:

  • Signal quality over alert volume
  • Correct parsing and normalization
  • False-positive reduction through context

I’m also the author of the Detection Fidelity Score (DFS) and a contributor to OpenTelemetry Collector, working on telemetry pipelines that make reliable security analytics possible at scale.


πŸ” What I work on

  • Windows telemetry (Sysmon, native Event Logs)
  • Detection engineering & adversary tradecraft modeling
  • Sigma rule design and refinement
  • SIEM parsing and normalization (Wazuh, Elastic)
  • Telemetry pipelines (OpenTelemetry Collector)
  • Alert fidelity, tuning, and signal-to-noise optimization

🧠 Projects

🧠 Detection Fidelity Score (DFS) — Author

Creator and maintainer of Detection Fidelity Score (DFS) — a practical framework to evaluate the quality of detection rules, not just their coverage.

DFS scores detections based on:

  • Behavioral accuracy
  • Telemetry reliability
  • Context richness
  • Expected false-positive rate
  • Operational impact on SOC workflows

The goal is to move detection engineering away from “does it detect?” toward
“is this detection worth an analyst’s time?”

Repository: https://github.com/gustavo89587/detection-fidelity-score


🚀 Open-source contributions

I contribute to security tooling used by blue teams and SOCs in production.

🛑 SigmaHQ

  • Improving Windows-focused detections based on real attacker tradecraft
  • Context-aware detection logic (execution paths, parent-child relationships)
  • Reducing administrative and tooling noise without losing coverage

Examples include:

  • Detection of password-protected archive creation (MITRE ATT&CK T1560.001)
  • Refinements to avoid common false positives in enterprise environments

🧩 Wazuh

  • Improving Windows and Sysmon decoding reliability
  • Fixing malformed or ambiguous decoders
  • Enhancing Sysmon Event ID 1 (Process Create) parsing
  • Normalizing telemetry to make downstream detection viable
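As an added example that is not code from the SigmaHQ, Wazuh or gustavo89587 repositories, the following Python shows both halves of the workflow described in the two sections above: a tolerant parser that flattens a Sysmon Event ID 1 (Process Create) XML record into a field map (missing or unnamed `Data` elements do not break it, and Sysmon's `-` placeholder is kept as-is), and a context-aware check for password-protected archive creation (ATT&CK T1560.001) that uses the parent process to set severity and to suppress expected tooling noise. The detection is written in Python rather than Sigma YAML so it can be run offline against sample events, and it covers both 7-Zip and RAR password switches rather than a single tool. The archiver list, the `-p`/`-hp` switch pattern, the shell-parent list, the "Acme Backup" allowlist entry and all sample events are assumptions constructed for this illustration.

```python
"""Added example (not from the SigmaHQ, Wazuh or gustavo89587 repositories):
parse Sysmon Event ID 1 XML and run a parent-aware T1560.001 check.
All archivers, switch patterns, parent lists and events below are assumptions
constructed for illustration, not real telemetry."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed archiver images that take a password on the command line.
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "rar.exe", "winrar.exe"}
# 7-Zip uses -p<pwd>; RAR uses -p<pwd> (data) or -hp<pwd> (data + headers).
PASSWORD_SWITCH = re.compile(r"^-(?:hp|p)\S*$", re.IGNORECASE)
# Archive add/update commands; extraction with -p is not archive creation.
ADD_COMMANDS = {"a", "u"}
# Parents that indicate scripted or shell-driven execution rather than a GUI user.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "rundll32.exe"}
# Hypothetical per-environment allowlist of parents expected to create encrypted
# archives (lower-cased full paths); the backup agent path is an assumption.
TRUSTED_PARENTS = {r"c:\program files\acme backup\agent.exe"}

TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted Windows argument or bare word


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event XML into {'EventID', 'Computer', <EventData names>...}.
    Tolerates a missing System block, non-numeric EventID and unnamed Data elements."""
    root = ET.fromstring(xml_text)
    event = {"EventID": None, "Computer": None}
    system = root.find("e:System", EVT_NS)
    if system is not None:
        eid = system.find("e:EventID", EVT_NS)
        comp = system.find("e:Computer", EVT_NS)
        if eid is not None and eid.text and eid.text.strip().isdigit():
            event["EventID"] = int(eid.text.strip())
        if comp is not None and comp.text:
            event["Computer"] = comp.text.strip()
    data = root.find("e:EventData", EVT_NS)
    if data is not None:
        for d in data.findall("e:Data", EVT_NS):
            name = d.get("Name")
            if name:  # unnamed <Data> elements are skipped instead of aborting the decode
                event[name] = (d.text or "").strip()
    return event


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_password_archive(event):
    """Return None when nothing should fire, else a finding dict with a severity
    derived from the parent process context."""
    if event.get("EventID") != 1 or basename(event.get("Image", "-")) not in ARCHIVERS:
        return None
    tokens = [t.strip('"') for t in TOKEN.findall(event.get("CommandLine", ""))]
    switches = [t for t in tokens if PASSWORD_SWITCH.match(t)]
    if not switches or not (ADD_COMMANDS & {t.lower() for t in tokens[1:]}):
        return None
    parent = event.get("ParentImage", "-")
    if parent.lower() in TRUSTED_PARENTS:
        return None  # expected tooling noise: suppress instead of alerting at low severity
    severity = "high" if basename(parent) in SHELL_PARENTS else "medium"
    return {"technique": "T1560.001", "severity": severity, "host": event.get("Computer"),
            "image": event.get("Image"), "parent": parent, "user": event.get("User", "-"),
            "switch": switches[0]}  # the password itself is useful evidence for triage


def run_detections(xml_events):
    findings = [detect_password_archive(parse_sysmon_event(x)) for x in xml_events]
    return [f for f in findings if f]


def make_event(event_id, computer="WS01", **fields):
    """Build a constructed Sysmon-shaped event XML string (fixture, not real telemetry)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
            f"<EventData>{data}</EventData></Event>")


SEVEN_ZIP = r"C:\Program Files\7-Zip\7z.exe"
SAMPLE_EVENTS = [  # constructed
    make_event(1, Image=SEVEN_ZIP, ParentImage=r"C:\Windows\System32\cmd.exe", User="CORP\\bob",
               CommandLine=f'"{SEVEN_ZIP}" a -pS3cret! -mhe=on C:\\Users\\Public\\out.7z C:\\Users\\bob\\Documents'),
    make_event(1, Image=r"C:\Program Files\WinRAR\WinRAR.exe", ParentImage=r"C:\Windows\explorer.exe",
               User="CORP\\alice", CommandLine=r'"C:\Program Files\WinRAR\WinRAR.exe" a -hpPass123 D:\reports.rar D:\reports'),
    make_event(1, Image=SEVEN_ZIP, ParentImage=r"C:\Windows\explorer.exe", User="CORP\\bob",
               CommandLine=f'"{SEVEN_ZIP}" x -pS3cret! C:\\Users\\bob\\Downloads\\vendor.7z'),  # extraction, not creation
    make_event(1, Image=SEVEN_ZIP, ParentImage=r"C:\Program Files\Acme Backup\agent.exe",
               User="NT AUTHORITY\\SYSTEM", CommandLine=f'"{SEVEN_ZIP}" a -pBackupKey E:\\backup\\daily.7z E:\\data'),
    make_event(3, Image=SEVEN_ZIP, DestinationIp="10.0.0.5"),  # network event, wrong EventID
    make_event(1, Image=r"C:\Tools\rar.exe", CommandLine=r"rar.exe a -p C:\tmp\x.rar C:\tmp\docs"),  # ParentImage missing
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f)
```

Only three of the six constructed events produce a finding: the cmd.exe-spawned 7-Zip run is high, the explorer-spawned WinRAR run and the event with no ParentImage are medium, while extraction with `-p`, the allowlisted backup agent and the non-EID-1 record are all dropped before an analyst sees them.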

📑 OpenTelemetry Collector

  • Contributions focused on telemetry collection and processing pipelines
  • Improving the reliability and structure of data consumed by security analytics
  • Bridging observability practices with detection engineering requirements

All contributions are public and visible in my GitHub activity.


🧠 Detection philosophy

Good detection is not about more alerts.
It’s about deciding which events deserve human attention.

I design detections around:

  • Adversary intent, not tool names
  • Behavioral context instead of single events
  • Telemetry trustworthiness
  • Sustainable SOC operations

If a detection cannot survive contact with a real SOC, it is not finished.


📫 Contact


📌 Why this matters

I don’t just study security concepts —
I help improve the detections and telemetry pipelines that SOC teams actually rely on.

Pinned repositories

  • soc-incident-response-playbooks (Public)
  • cloud-security-labs-aws (Public, Python)
  • blue-team-detection-labs (Public)
  • soc-threat-intel-automation (Public, Python)
  • OKAMOTO-SECURITY-LABS-INCIDENT-RESPONSE-REPORT (Public)