Security engineer building open-source DFIR and incident-response tooling — from acquisition to a searchable, detection-rich case.
Most of my public work is a suite of standalone forensic tools that share contracts and normalize everything to Elastic Common Schema (ECS) v8, so they compose but also stand on their own.
| Project | What it does |
|---|---|
| citadel | DFIR platform composing the tools below — acquire, ingest, parse, normalize, detect, analyze, and report a case end to end. |
| cumulonimbus | Cloud forensics & IR toolkit — collects and normalizes AWS, Azure, GCP, and Kubernetes logs to ECS v8. |
| mneme | Memory forensics automation on top of Volatility3 — orchestration, malware detection, timeline, ECS/STIX export. |
| triager | Cross-OS forensic acquisition agent — collects host/image/device artifacts into a signed, content-addressed bundle. |
| carvX | Signature-based file carver for disk images and block devices — recovers deleted files with no filesystem metadata. |
| atktimeline | Self-hosted attack timeline builder mapping events to MITRE ATT&CK. |
| Project | What it does |
|---|---|
| planX | Native macOS task manager — Kanban, dependency graph, and time tracking (SwiftUI / SwiftData). |
Python · Elasticsearch · Sigma · ECS · STIX · MITRE ATT&CK · Docker · Kubernetes · React · SwiftUI
Incident response · cloud & memory forensics · artifact acquisition · detection engineering
