Detection Engineering · AI Security · Security Automation

Andrew Hannaford

Building detection infrastructure that actually scales — and securing the AI layer on top of it. Version-controlled rules, automated SOC workflows, agentic security controls, and the adversarial thinking that makes alerts catch real attackers, not just pass audits.

10 GIAC Certifications GIAC Advisory Board SANS MS InfoSec Engineering CTF Top 2% NCL AI Security Go · Python · SQL

Numbers that matter

2M+

Events processed
daily across SIEM pipeline

60%

Alert handling time
slashed via 200+ automations

45%

False-positive reduction
in Q1 at Brex

10wk

XSOAR → XSIAM migration
completed on schedule

About

Detection only scales when it's treated as infrastructure, not overhead. AI is no different.

Early in my career I learned the hard way: security automation that isn't engineered breaks under pressure. Rules without tests drift. Playbooks without version control diverge. Pipelines without observability fail silently.

So I took the practices that make application engineering reliable — version-controlled rules, automated regression tests, peer review, CI/CD deployment — and applied them to detection. The result is a detection program that gets better over time instead of just bigger.

Now that same rigor applies to AI. Agentic workflows, MCP traffic, LLM tool use on corporate endpoints — these are new attack surfaces, and they need the same visibility, controls, and enforcement posture that we'd apply to any other part of the stack. I'm building that at Brex.

Detection as Code

Rules in version control, tested in CI, deployed through automation — not manually edited in a UI.

AI Security by Design

Agentic workflows and LLM tooling need DLP, visibility, and policy enforcement from day one — not bolted on after a breach.

Adversarial Thinking

Build detections by reasoning like an attacker. CTF competition keeps that muscle sharp.

Automate the SOC

Analysts shouldn't triage what a machine can. Runbooks, batch workflows, and LLM-assisted investigation free humans for the hard problems.

Experience

Career Timeline

Brex

Senior Security Engineer

Dec 2025 — Present

Own the detection engineering program across corporate, SaaS, and multi-cloud environments — 30+ detection-as-code rules in Go/Python, cutting MTTR 35% and false positives 45% in Q1. Leading AI security infrastructure modernization: implementing controls for agentic workflows (OpenClaw) via Onyx, Surepath, Island, and Wiz, with full visibility into MCP traffic and AI tool usage on corporate endpoints. Built a fully automated SOC workflow using Claude plugins integrated with Sumo Logic — enabling end-to-end ticket triage, runbook-driven investigation, and batch case resolution with minimal analyst intervention.

Go Python Sumo Logic Detection-as-Code AWS / GCP / Azure Kubernetes AI Security Agentic Workflows Claude / LLM Automation Wiz Island

Rockstar Games / Take-Two Interactive

Senior SOAR Engineer → Lead Security Operations Engineer

Jun 2023 — Sep 2025

Owned the Cortex XSOAR platform across 4 business units (Rockstar, 2K, Zynga, Gearbox) serving 50+ SOC analysts. Delivered 200+ automation workflows that slashed alert handling time by 60%. Orchestrated the XSOAR-to-XSIAM migration across all 4 units — defined the 10-week plan, coordinated 8 stakeholder teams, and executed cutover with zero downtime. Refactored 80+ Splunk detection rules, cutting false positive volume by 40% (~3,000 fewer false alerts/month) and improving SOC triage accuracy to 92%.

Cortex XSOAR / XSIAM Splunk Python ServiceNow CodeQL / Semgrep Prisma Cloud

NBCUniversal

Senior Security Automation Engineer

Mar 2022 — Feb 2023

Owned the enterprise SOAR platform (Cortex XSOAR) for 40 SOC analysts, engineering 60+ automation playbooks in Python that cut manual triage effort by 70% and enabled the team to absorb 30% more alert volume. Developed integrations with ThreatConnect SOAR/TIP to ingest and correlate 15+ threat intelligence feeds, slashing threat intel processing time by 55%. Implemented Splunk common data model and alert classification for 80+ custom detection rules, standardizing alert taxonomy across the enterprise.

Cortex XSOAR ThreatConnect Splunk Python Threat Intelligence

Raytheon Intelligence & Space

Security Engineer → Security Engineer II → Development Manager

Oct 2019 — Mar 2022

Managed delivery of 5+ technical projects across a 12-person team for DHS and CISA clients. Conducted 10+ offensive security penetration tests identifying 40+ critical findings. Designed and shipped the Headless Hunter threat hunting platform (Python, MongoDB, Elastic Stack) processing 50K+ threat signals/week across 3 federal programs. Developed an automated threat intelligence platform (Python, PostgreSQL) aggregating 10+ feeds and cutting analyst lookup time by 50%.

Python Elastic Stack MongoDB PostgreSQL Penetration Testing DHS / CISA

Work

Featured Projects

AI Security · SOC Automation · Brex

Automated SOC Workflow

Built a fully automated SOC workflow using Claude-powered plugins integrated with Sumo Logic SIEM and additional data sources. Analysts can triage, investigate, and close tickets end-to-end with minimal manual intervention — the system pulls context, runs the relevant runbook, and surfaces a recommended action.

Developed the runbook library and batch case-working framework that now serves as the standard response operating procedure — consistent, auditable, and scalable across the entire incident backlog.

See experience →

AI Security · Brex

AI Security Infrastructure

Modernized enterprise AI security controls for agentic workflows (including OpenClaw), integrating Onyx, Surepath, Island, and Wiz to enforce DLP, browser isolation, and cloud security posture. Extended visibility to MCP (Model Context Protocol) traffic and AI tool usage on corporate endpoints — inspection, logging, and policy enforcement at the host layer.

OnyxSurepathIslandWizMCP Security

Internal Tool · Automation

XSOAR → XSIAM Migration

Led a 10-week platform migration from Palo Alto XSOAR to Cortex XSIAM across 4 business units with zero production downtime. Migrated all 200+ automation playbooks and integrations, added observability, and established CI/CD deployment patterns for ongoing development. Presented outcomes to security leadership.

Cortex XSIAMPythonCI/CD

Detection Engineering · Automation

Alert Enrichment & SOAR Automation

Engineered 60+ automation playbooks in Python for NBCUniversal's SOAR platform, cutting manual triage effort by 70% and enabling the SOC to absorb 30% more alert volume. Integrated 15+ threat intelligence feeds via ThreatConnect, cutting intel processing time by 55%.

PythonThreatConnectCortex XSOAR

Skills

Technical Toolkit

AI Security

Agentic Workflow Security MCP Traffic Inspection AI Endpoint Visibility LLM Automation (Claude) Onyx Surepath Island Wiz DLP Browser Isolation

Detection Engineering

Detection-as-Code Threat Hunting Alert Triage MITRE ATT&CK Threat Modeling Purple Teaming Sigma Rules YARA

Languages & Scripting

Go Python SQL SPL (Splunk) JavaScript Bash PowerShell Java

Platforms & Tools

Cortex XSIAM Splunk Enterprise XSOAR ThreatConnect CrowdStrike EDR SentinelOne Elastic / ELK Security Onion Sigma Rules YARA CodeQL / Semgrep Prisma Cloud (CSPM)

Cloud & Infrastructure

AWS GCP Azure Kubernetes Terraform Docker Buildkite Flux Kinesis / Lambda

Certifications

Credentials

🛡️

GSEC — Security Essentials

Foundational security concepts, network protocols, cryptography, and incident handling.

GIAC

🔥

GCIH — Incident Handler

Incident response techniques, malware analysis, and network traffic investigation.

GIAC

🔍

GCIA — Intrusion Analyst

Network traffic analysis, intrusion detection, and packet-level forensics.

GIAC

🏗️

GDSA — Defensible Security Architecture

Designing and building layered, defensible enterprise security architectures.

GIAC

🌐

GWEB — Web Application Defender

Web application security, common attack patterns, and defensive coding practices.

GIAC

☁️

GCSA — Cloud Security Automation

Automating cloud security controls, DevSecOps pipelines, and cloud-native threat detection.

GIAC

⚔️

GCPN — Cloud Penetration Tester

Offensive security techniques targeting cloud environments and infrastructure.

GIAC

📋

GCPM — Certified Project Manager

Security program planning, delivery management, and stakeholder communication.

GIAC

🎯

GSTRT — Strategic Planning, Policy & Leadership

Security strategy, policy development, and organizational leadership for security programs.

GIAC

🧠

SSAP — Security Awareness Professional

Building and managing security awareness programs across organizations.

GIAC

📝

GIAC Advisory Board

Review and refine GIAC certification exams, contribute to curriculum development, and advise on security education standards with SANS faculty.

Advisory

🎓

ITIL 4

IT service management framework covering service delivery, operations, and continual improvement.

ITIL

🔄

CSM — Certified ScrumMaster

Agile delivery methodology, sprint facilitation, and cross-functional team coordination.

Scrum Alliance

CTF & Competitions

Competitive Hacking

Competitive CTF sharpens the adversarial thinking that makes detection rules actually catch attackers — not just pass audits. Understanding how exploits chain, how attackers move laterally, and what traces they leave is what separates a detection that fires on real TTPs from one that fires on a textbook example.

Top 0.9%

NCL Team — 2021

Ranked 36 out of 3,917 teams — National Cyber League

Top 2%

NCL Team — 2024

Ranked 8 out of 386 teams — National Cyber League

Top 4%

NCL Individual — 2024

Ranked 24 out of 526 individual competitors — National Cyber League

Education

Academic Background

M.S. Information Security Engineering — Cloud Security

SANS Technology Institute, Bethesda, MD

B.A. Computer Science

North Dakota State University, Fargo, ND

Contact

Let's Talk

Open to conversations about detection engineering leadership, security tooling, and hard problems in scale-out security operations.

✉ andrewj.hannaford@gmail.com in LinkedIn ⬇ Download Résumé