Cloud Security & Detection Engineering · Microsoft Sentinel · Defender XDR
I work the defensive side of cloud security: detections that fire on a live Microsoft Sentinel and Defender tenant, each one proven end to end. A control isn't real until you can show it catching the thing it claims to catch, so I build the whole loop (rule logic, controlled trigger, the incident it raises, the investigation, the MITRE mapping) versioned and deployed like code, not clicked into a portal. The good signal is quiet; it sits between two events that both look normal, and it rewards patience over cleverness.
- Detection engineering on the Microsoft stack: Sentinel (KQL), Defender XDR, Defender for Endpoint, Entra ID.
- Detection-as-Code: versioned rules, PR-gated CI/CD, OIDC deploy, unit-tested and false-positive measured.
- Three telemetry planes: cloud control plane (Activity Log), endpoint, and identity (sign-ins).
- MITRE ATT&CK mapping, with Sigma for vendor-neutral portability.
- Source-level view: container runtimes and the LLM serving stack, which sharpens what I look for in telemetry.
azure-sentinel-detection-engineering (flagship): Detection-as-Code on a live Microsoft Sentinel + Defender XDR tenant. Nine MITRE-mapped analytics rules across control-plane, endpoint, and identity (including a multi-stage correlation rule, privilege grant → deployment, and a Resource Graph-backed NSG content rule), each proven end-to-end (trigger → incident → investigation) and checked by a live benign + attack harness that measures false positives instead of assuming them. Versioned YAML, deployed by a PR-gated GitHub Actions pipeline via OIDC (no secrets). Built alongside SC-200.
m365-security-operations: detect-and-remediate audit toolkit for Microsoft 365 + Cloudflare in small organizations. Five domains in one PowerShell command; ~60 framework-tagged checks (NIST CSF, NIST 800-53, ISO 27001, MITRE ATT&CK, MCSB), each finding linked to a ready-to-deploy remediation. 30-second demo via mock mode. MIT licensed.
blue-team-engagement: one-week red-team / blue-team enterprise defense engagement. Case study, custom Sigma detection pack, and methodology against sustained attack across a multi-zone WAN/DMZ/LAN.
llm-serving-security: security reference for the LLM serving stack. CVE matrix, vulnerability classes, and hardening for vLLM, Triton, lmdeploy, BentoML, SGLang, Ollama, TGI.
Blue team through live red-team engagement. Hardened a multi-zone WAN/DMZ/LAN: deployed Security Onion IDS/IPS, Suricata, Zeek, Wazuh HIDS, pfSense firewall rules, honeypots, and automated incident response. Maintained service uptime under sustained attack against a NIST + HIPAA baseline.
Alongside detection, I read code in places that are supposed to be safe: container runtimes, protocol stacks, syscall layers, and send hardening upstream when it survives review. Merged contributions to Google gVisor, Kubernetes, and other infrastructure projects; published advisories and a CVE. Knowing how a thing actually breaks, not just how its alert looks, is the view I bring back to detection.
Detection & cloud (primary)
Defensive operations
Platforms & scripting
Open to remote cloud security / detection roles, and to technical conversation with people working in cloud detection, SIEM engineering, or low-level security.
LinkedIn: ievgen-jack-bondarenko
GitHub: ibondarenko1