Detection Engineering · Security Automation · Threat Intelligence

Andrew Hannaford

Building detection infrastructure that actually scales — version-controlled rules, automated tests, peer review, CI/CD pipelines, and the adversarial thinking that makes alerts catch real attackers, not just pass audits.

10 GIAC Certifications · GIAC Advisory Board · SANS MS InfoSec Engineering · CTF Top 2% NCL · Splunk / Cortex XSIAM · Go · Python · SQL

Numbers that matter

2M+ events processed daily across the SIEM pipeline
60% reduction in alert handling time via 200+ automations
45% false-positive reduction in Q1 at Brex
10-week XSOAR → XSIAM migration, completed on schedule
Detection only scales when it's treated as infrastructure, not overhead.

Early in my career I learned the hard way: security automation that isn't engineered breaks under pressure. Rules without tests drift. Playbooks without version control diverge. Pipelines without observability fail silently.

So I took the practices that make application engineering reliable — version-controlled rules, automated regression tests, peer review, CI/CD deployment — and applied them to detection. The result is a detection program that gets better over time instead of just bigger.

I've done this at scale at Brex, built tooling for it at Rockstar Games, and learned the adversarial half by competing in CTFs — because the best detection comes from genuinely understanding how attackers think.

Detection as Code

Rules in version control, tested in CI, deployed through automation — not manually edited in a UI.

Adversarial Thinking

Build detections by reasoning like an attacker. CTF competition keeps that muscle sharp.

Enrichment First

An alert without context is noise. Context at detection time means analysts spend time hunting, not pivoting.

Measure Everything

False-positive rate, mean time to detect, coverage gaps — detection health is only improvable when it's measurable.
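As an added illustration of the four practices above (this is example code written for this page, not code from this site or from any employer named on it), here is a detection-as-code rule in Python: the rule is data that ships with its own match / no-match samples, a CI-style regression gate runs them, enrichment attaches asset context at match time, and a false-positive rate is computed from triage verdicts. The events, hostnames, asset inventory and the allowlisted add-in path are all constructed for the example; field names follow common EDR process-creation logs and the rule shape follows Sigma's selection-and-not-filter convention.

```python
"""Detection-as-code in miniature (added example, not this site's code).
A rule is data that ships with its own regression samples; enrichment runs
at match time; the health metric reads the same objects. Events, hosts and
the allowlisted path are constructed; field names mirror EDR process logs."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any


@dataclass
class Rule:
    id: str
    title: str
    attack: str                                    # ATT&CK technique targeted
    selection: dict[str, Any]                      # every key must hold
    filter: dict[str, Any] = field(default_factory=dict)   # a hit here suppresses
    samples: dict[str, list[dict]] = field(default_factory=dict)  # "match"/"nomatch"


def _clause_matches(event: dict, clause: dict) -> bool:
    """Sigma-style clause: all keys must hold; Field|contains / |startswith /
    |endswith are modifiers, a list value means any-of; case-insensitive."""
    for key, expected in clause.items():
        name, _, modifier = key.partition("|")
        actual = str(event.get(name, "")).lower()
        wanted = expected if isinstance(expected, list) else [expected]
        hit = False
        for cand in (str(w).lower() for w in wanted):
            if modifier == "contains":
                hit = cand in actual
            elif modifier == "startswith":
                hit = actual.startswith(cand)
            elif modifier == "endswith":
                hit = actual.endswith(cand)
            else:
                hit = actual == cand
            if hit:
                break
        if not hit:
            return False
    return True


def matches(rule: Rule, event: dict) -> bool:
    """Condition: selection and not filter."""
    if not _clause_matches(event, rule.selection):
        return False
    return not (rule.filter and _clause_matches(event, rule.filter))


# Constructed asset inventory; in production this is the CMDB/EDR host table.
ASSETS = {
    "fin-wks-017": {"owner": "j.doe", "tier": "finance", "criticality": "high"},
    "build-agent-03": {"owner": "ci-svc", "tier": "build", "criticality": "low"},
}
UNKNOWN = {"owner": "unknown", "tier": "unknown", "criticality": "unknown"}


def enrich(rule: Rule, event: dict) -> dict:
    """Attach, at detection time, the context an analyst would otherwise pivot for."""
    return {"rule_id": rule.id, "title": rule.title, "attack": rule.attack,
            "hostname": event.get("Hostname"), "command_line": event.get("CommandLine"),
            **ASSETS.get(event.get("Hostname", ""), UNKNOWN)}


def run_regression(rule: Rule) -> list[str]:
    """CI gate: failures for the rule's own samples; an empty list means it may ship."""
    failures = [f"{rule.id} missed: {ev.get('CommandLine')}"
                for ev in rule.samples.get("match", []) if not matches(rule, ev)]
    failures += [f"{rule.id} false positive: {ev.get('CommandLine')}"
                 for ev in rule.samples.get("nomatch", []) if matches(rule, ev)]
    return failures


def false_positive_rate(verdicts: list[tuple[str, str]], rule_id: str) -> float:
    """verdicts are (rule_id, 'tp'|'fp') triage outcomes; returns the FP fraction."""
    mine = [v for rid, v in verdicts if rid == rule_id]
    return sum(v == "fp" for v in mine) / len(mine) if mine else 0.0


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
OFFICE = "C:\\Program Files\\Microsoft Office\\"

# One rule, committed to version control together with its samples.
OFFICE_SHELL = Rule(
    id="proc-office-shell-001",
    title="Office application spawning a command shell",
    attack="T1204.002",
    selection={"ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
               "Image|endswith": ["\\cmd.exe", "\\powershell.exe"]},
    # Constructed allowlist for a hypothetical signed add-in; keep filters this narrow.
    filter={"CommandLine|contains": "\\program files\\acmeaddin\\refresh.ps1"},
    samples={
        "match": [{"Hostname": "fin-wks-017", "ParentImage": OFFICE + "WINWORD.EXE", "Image": PS,
                   "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}],
        "nomatch": [
            {"Hostname": "build-agent-03", "ParentImage": "C:\\Windows\\explorer.exe",
             "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c build.bat"},
            {"Hostname": "fin-wks-017", "ParentImage": OFFICE + "EXCEL.EXE", "Image": PS,
             "CommandLine": 'powershell.exe -File "C:\\Program Files\\AcmeAddin\\refresh.ps1"'},
        ],
    },
)

if __name__ == "__main__":
    print(run_regression(OFFICE_SHELL), enrich(OFFICE_SHELL, OFFICE_SHELL.samples["match"][0]))
```

The point of the shape: a pull request that loosens the filter or breaks the parent-process check fails `run_regression` before it reaches the SIEM, the enriched alert already carries owner and asset tier so the analyst starts at triage rather than at a CMDB lookup, and the same verdict stream that feeds `false_positive_rate` tells you which rule to tune next.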

Career Timeline

Brex
Senior Security Engineer
Dec 2025 — Present
Own the detection engineering program across corporate, SaaS, and multi-cloud environments (AWS/GCP/Azure/Kubernetes). Design 30+ detection-as-code rules in Go/Python, cutting MTTR by 35% and false positives by 45% in Q1. Lead incident response end-to-end — triage, forensics, containment, remediation, and post-incident reviews — standardizing 12 runbooks and running quarterly tabletop exercises. Core contributor to Substation, Brex's open-source Go toolkit for security event processing (CNCF Sandbox candidate), designing transformation functions processing 2M+ events/day and mentoring external contributors.
Go · Python · Splunk · Detection-as-Code · AWS / GCP / Azure · Kubernetes · Substation OSS
Rockstar Games / Take-Two Interactive
Senior SOAR Engineer → Lead Security Operations Engineer
Jun 2023 — Sep 2025
Owned the Cortex XSOAR platform across 4 business units (Rockstar, 2K, Zynga, Gearbox) serving 50+ SOC analysts. Delivered 200+ automation workflows that slashed alert handling time by 60%. Orchestrated the XSOAR-to-XSIAM migration across all 4 units — defined the 10-week plan, coordinated 8 stakeholder teams, and executed cutover with zero downtime. Refactored 80+ Splunk detection rules, cutting false positive volume by 40% (~3,000 fewer false alerts/month) and improving SOC triage accuracy to 92%.
Cortex XSOAR / XSIAM · Splunk · Python · ServiceNow · CodeQL / Semgrep · Prisma Cloud
NBCUniversal
Senior Security Automation Engineer
Mar 2022 — Feb 2023
Owned the enterprise SOAR platform (Cortex XSOAR) for 40 SOC analysts, engineering 60+ automation playbooks in Python that cut manual triage effort by 70% and enabled the team to absorb 30% more alert volume. Developed integrations with ThreatConnect SOAR/TIP to ingest and correlate 15+ threat intelligence feeds, slashing threat intel processing time by 55%. Implemented Splunk common data model and alert classification for 80+ custom detection rules, standardizing alert taxonomy across the enterprise.
Cortex XSOAR · ThreatConnect · Splunk · Python · Threat Intelligence
Raytheon Intelligence & Space
Security Engineer → Security Engineer II → Development Manager
Oct 2019 — Mar 2022
Managed delivery of 5+ technical projects across a 12-person team for DHS and CISA clients. Conducted 10+ offensive security penetration tests identifying 40+ critical findings. Designed and shipped the Headless Hunter threat hunting platform (Python, MongoDB, Elastic Stack) processing 50K+ threat signals/week across 3 federal programs. Developed an automated threat intelligence platform (Python, PostgreSQL) aggregating 10+ feeds and cutting analyst lookup time by 50%.
Python · Elastic Stack · MongoDB · PostgreSQL · Penetration Testing · DHS / CISA

Technical Toolkit

Detection Engineering

Detection-as-Code · Threat Hunting · Alert Triage · MITRE ATT&CK · Threat Modeling · Purple Teaming · Sigma Rules · YARA

Languages & Scripting

Go · Python · SQL · SPL (Splunk) · JavaScript · Bash · PowerShell · Java

Platforms & Tools

Cortex XSIAM · Splunk Enterprise · XSOAR · ThreatConnect · CrowdStrike EDR · SentinelOne · Elastic / ELK · Security Onion · Sigma Rules · YARA · CodeQL / Semgrep · Prisma Cloud (CSPM)

Cloud & Infrastructure

AWS · GCP · Azure · Kubernetes · Terraform · Docker · Buildkite · Flux · Kinesis / Lambda

Credentials

GSEC — Security Essentials (GIAC): foundational security concepts, network protocols, cryptography, and incident handling.
GCIH — Incident Handler (GIAC): incident response techniques, malware analysis, and network traffic investigation.
GCIA — Intrusion Analyst (GIAC): network traffic analysis, intrusion detection, and packet-level forensics.
GDSA — Defensible Security Architecture (GIAC): designing and building layered, defensible enterprise security architectures.
GWEB — Web Application Defender (GIAC): web application security, common attack patterns, and defensive coding practices.
GCSA — Cloud Security Automation (GIAC): automating cloud security controls, DevSecOps pipelines, and cloud-native threat detection.
GCPN — Cloud Penetration Tester (GIAC): offensive security techniques targeting cloud environments and infrastructure.
GCPM — Certified Project Manager (GIAC): security program planning, delivery management, and stakeholder communication.
GSTRT — Strategic Planning, Policy & Leadership (GIAC): security strategy, policy development, and organizational leadership for security programs.
SSAP — Security Awareness Professional (GIAC): building and managing security awareness programs across organizations.
GIAC Advisory Board (advisory role): review and refine GIAC certification exams, contribute to curriculum development, and advise on security education standards with SANS faculty.
ITIL 4 (ITIL): IT service management framework covering service delivery, operations, and continual improvement.
CSM — Certified ScrumMaster (Scrum Alliance): agile delivery methodology, sprint facilitation, and cross-functional team coordination.

Competitive Hacking

Competitive CTF sharpens the adversarial thinking that makes detection rules actually catch attackers — not just pass audits. Understanding how exploits chain, how attackers move laterally, and what traces they leave is what separates a detection that fires on real TTPs from one that fires on a textbook example.

Top 0.9%: NCL Team, 2021, ranked 36 of 3,917 teams (National Cyber League)
Top 2.1%: NCL Team, 2024, ranked 8 of 386 teams (National Cyber League)
Top 4.6%: NCL Individual, 2024, ranked 24 of 526 individual competitors (National Cyber League)

Academic Background

M.S. Information Security Engineering — Cloud Security

SANS Technology Institute, Bethesda, MD

B.A. Computer Science

North Dakota State University, Fargo, ND

Let's Talk

Open to conversations about detection engineering leadership, security tooling, and hard problems in scale-out security operations.