threat intelligence · threat hunting · detection

Alex Garcia Cyber Analyst

name: Alejandro Garcia
alias: CyberJudoSec · Hackth3br0nx
role: Threat Hunting & Forensics Analyst
origin: The Bronx, New York
base: Forsyth, Georgia
background: US Navy → QA Engineering → Network → IT Ops → Cloud → SOC → Threat Hunting
philosophy: Observe. Hypothesize. Validate. Never guess.
status: actively hunting
20+ years experience
14 certifications
3 lab projects

// 01 — experience

Career Timeline

2026 — PRESENT
Contributing to proactive threat detection by building hypothesis-driven hunt workflows and forensic investigation procedures that reduce attacker dwell time and improve detection coverage.
  • Conduct hypothesis-driven threat hunts across enterprise telemetry
  • Investigate suspicious identity, endpoint, and network activity
  • Analyze attacker behavior aligned with MITRE ATT&CK framework
  • Perform forensic investigation to reconstruct incident timelines
  • Develop detection queries and improve monitoring coverage
2024 — 2026
Supported enterprise-level threat detection operations by monitoring and investigating security alerts across SIEM platforms, helping maintain visibility into adversary activity across a large-scale environment.
  • Investigated security alerts within Microsoft Sentinel SIEM
  • Conducted log analysis using KQL queries
  • Monitored authentication events and endpoint telemetry
  • Applied MITRE ATT&CK techniques to analyze adversary activity
  • Escalated security incidents and supported incident response operations
2024 — 2025
Helped ensure cloud migrations were completed with security in mind, reviewing IAM configurations and documenting security considerations that reduced risk exposure during infrastructure transitions.
  • Supported enterprise cloud migration initiatives across AWS and Azure environments
  • Reviewed IAM configurations and access control policies
  • Validated logging and monitoring for cloud workloads
  • Documented security considerations for migrated systems
2021 — 2023
Maintained operational continuity for enterprise IT systems while building foundational security skills in identity and access management, authentication monitoring, and security incident escalation.
  • Monitored enterprise systems and IT infrastructure health
  • Supported authentication systems and MFA troubleshooting
  • Escalated security-related incidents to appropriate teams
  • Managed identity and access management across enterprise platforms
2020 — 2021
Consistently exceeded performance benchmarks by resolving over 258 escalated incidents with a 98% first-call resolution rate, cutting average resolution time by 35% through systematic troubleshooting.
  • Managed and resolved over 258 Tier 2 escalated support incidents
  • Reduced average resolution time by 35% through efficient troubleshooting
  • Achieved 98% first call resolution rate for end-user technical issues
  • Provided system support for enterprise hardware, software, and network issues
2019 — 2020
Built hands-on experience with network security fundamentals by implementing firewall configurations and VLAN segmentation, directly contributing to a more segmented and secure network architecture.
  • Monitored network performance and infrastructure health metrics
  • Configured and maintained LAN and WAN networking equipment
  • Implemented firewall configurations and VLAN segmentation
  • Diagnosed connectivity issues and optimized network performance
2018 — 2020
Ensured the reliability and compliance of clinical trial software used by government agencies and private healthcare and pharmaceutical companies, where software defects carried real-world patient safety implications.
  • Performed manual testing of clinical trial management software used by government and pharmaceutical clients
  • Validated regulatory compliance requirements for healthcare and clinical data platforms
  • Designed and executed test cases to validate software functionality and data integrity
  • Investigated defects and collaborated with engineering teams on root cause analysis
  • Supported regression testing and release validation cycles for mission-critical systems
2017 — 2018
Helped maintain the quality and reliability of airline reservation and operations software used daily by thousands of customers and airline staff, catching defects before they reached production.
  • Performed manual testing of airline reservation and operational software systems
  • Tested hardware and software integrations used by airline operations teams
  • Documented defects and tracked bug reports within issue tracking systems
  • Worked with development teams to validate software fixes and releases
2014 — 2016
Stepped into leadership during operational gaps and system outages, keeping enrollment teams functional and reducing disruption to healthcare services for customers depending on timely enrollment support.
  • Served as liaison between healthcare enrollment teams and IT support
  • Coordinated issue resolution for system outages affecting phones and account access
  • Acted as interim supervisor during operational escalations or staffing gaps
  • Assisted agents with troubleshooting enrollment system issues
2012 — 2014
Helped customers navigate complex healthcare enrollment processes with accuracy and empathy, supporting program access for vulnerable populations including prenatal care and smoking cessation participants.
  • Provided inbound customer support for healthcare enrollment programs
  • Conducted health surveys and intake assessments for pre-existing conditions
  • Assisted with prenatal care and smoking cessation program enrollment
  • Documented patient information and coordinated with healthcare support teams
2010 — 2012
Built a client book through consultative selling and compliance-focused advising, helping individuals and families find appropriate healthcare and financial coverage while maintaining full regulatory standards.
  • Sold health insurance policies, life insurance products, and annuities
  • Maintained compliance with insurance regulations and licensing standards
  • Built long-term client relationships through consultative sales approaches
2008 — 2010
Led day-to-day store operations and team development, maintaining strong sales performance and customer satisfaction through consistent staff coaching and operational discipline.
  • Managed retail sales operations and daily store performance metrics
  • Supervised staff scheduling, training, and performance coaching
  • Oversaw cash management, inventory control, and loss prevention procedures
2003 — 2007
Served honorably in a high-stakes, zero-tolerance environment managing explosive ordnance systems, developing the discipline, attention to detail, and accountability under pressure that defines the foundation of a strong security professional.
  • Managed and maintained explosive ordnance systems following strict safety protocols
  • Conducted inspections and maintenance of weapons support equipment
  • Coordinated logistics, supply chain operations, and mission readiness activities
  • Assisted with operational planning and resource allocation for aviation missions

// 02 — capabilities

Skills & Tools

SIEM & Detection
Microsoft Sentinel · Splunk · Elastic SIEM · KQL · Splunk SPL · ES|QL · Log Correlation · Detection Engineering · Alert Triage · UEBA · Security Monitoring
Threat Intel & OSINT
Maltego · Shodan · VirusTotal · ZeroFox · SpiderFoot · Censys · SecurityTrails · MITRE ATT&CK · IOC Analysis · Threat Actor Profiling · Dark Web Monitoring · Intel Report Writing
Endpoint & Identity
Defender XDR · Okta · Wiz · Forcepoint · Defender for Endpoint · Defender for Identity · Defender for Office 365 · Microsoft Entra ID · Active Directory · SAML · OAuth 2.0 · MFA · Zero Trust · PAM
Scripting & Analysis
Python · KQL · PowerShell · Bash · Splunk SPL · Wireshark · nmap · tcpdump · Regex · JSON Parsing · Log Analysis
Cloud Platforms
AWS · Microsoft Azure · Google Cloud Platform · Cloud Security Monitoring · Cloud Migration · IAM Policy Review · S3 / Blob Storage · CloudTrail / Azure Monitor · Cloud SIEM Integration
Threat Hunting
Hypothesis-Based Hunting · Threat Hunting Labs · Observation-Driven Hunting · Adversary Profiling · Lateral Movement Detection · Persistence Mechanism Detection · C2 Detection · Incident Response · Digital Forensics · Timeline Reconstruction
Network Security
DNS Analysis · TCP/IP · HTTP / HTTPS Analysis · Firewall Configuration · VLAN Segmentation · VPN · Packet Analysis · Network Forensics · IDS / IPS · Zero Trust Networking
Operating Systems
Linux · Windows · Kali Linux · Ubuntu · macOS · iOS · Android · Windows Server · REMnux

// 03 — lab work

Projects & Write-Ups

// threat intelligence lab
Malicious Infrastructure Investigation · Microsoft Sentinel
  • SCENARIO: Suspicious domain and IP addresses appeared in enterprise telemetry with no clear attribution. The SOC needed to determine whether these indicators were part of an active attacker campaign.
  • GOAL: Identify the full scope of attacker infrastructure, map relationships between indicators, and produce an actionable intelligence report for the detection team.
  • ACTIONS: Used Maltego to pivot across domains, IPs, and hosting providers. Cross-referenced findings in Shodan, VirusTotal, and Censys. Mapped all observed TTPs to MITRE ATT&CK techniques.
  • OUTCOME: Identified a cluster of related attacker infrastructure. Delivered a structured threat intelligence report with IOCs, infrastructure relationships, and ATT&CK mappings ready for detection rule development.
Maltego · Shodan · VirusTotal · MITRE ATT&CK · Censys
View Write-Up on GitHub ↗
// threat hunting lab
Impossible Travel Detection · KQL + Sentinel
  • SCENARIO: Authentication logs showed sign-ins for the same user from geographically distant locations within time windows too short for physical travel. The hypothesis: compromised credentials being used by a remote threat actor.
  • GOAL: Build detection logic in Microsoft Sentinel to identify impossible travel login patterns and validate the hypothesis against simulated credential abuse in a personal lab environment.
  • ACTIONS: Wrote KQL queries against sign-in logs to calculate travel distance and implied velocity between consecutive logins per user. Filtered for anomalous patterns and correlated with Defender for Identity alerts.
  • OUTCOME: Successfully detected simulated credential abuse scenarios. Query logic was tuned to reduce false positives and documented as a reusable detection rule template.
Microsoft Sentinel · KQL · Defender for Identity · Hypothesis-Based
View Write-Up on GitHub ↗
// network analysis lab
DNS Tunneling Detection · Wireshark + Kali
  • SCENARIO: Packet captures contained unusual DNS traffic patterns: high query frequency, abnormally long subdomains, and consistent outbound communication to a single external resolver. Potential C2 channel via DNS tunneling.
  • GOAL: Confirm whether DNS tunneling was present, identify the exfiltration mechanism, and document the indicators for detection.
  • ACTIONS: Loaded the PCAP into Wireshark on Kali Linux. Applied DNS and HTTP display filters to isolate suspicious traffic. Analyzed subdomain length, query frequency, and payload patterns consistent with tunneling tools.
  • OUTCOME: Confirmed DNS tunneling behavior used for data exfiltration. Documented IOCs including domain patterns, query intervals, and resolver IPs. Identified the likely tunneling tool based on traffic signatures.
Wireshark · Kali Linux · DNS Analysis · C2 Detection · PCAP Analysis
View Write-Up on GitHub ↗
// network traffic analysis lab
Network Traffic Analysis · Wireshark + tcpdump
  • SCENARIO: A simulated enterprise host generated anomalous traffic: high-frequency DNS queries and outbound connections on non-standard ports with no corresponding business justification.
  • GOAL: Analyze PCAP files to identify C2 communication, DNS tunneling, and suspicious HTTP activity. Document what normal vs suspicious traffic looks like for SOC use.
  • ACTIONS: Applied Wireshark display filters for DNS, TCP SYN, and HTTP POST traffic. Identified beaconing intervals, encoded POST payloads, and high-frequency subdomain queries.
  • OUTCOME: Confirmed C2 beaconing and DNS tunneling behavior. Produced detection notes with IOCs and Wireshark filter signatures for SOC analyst reuse.
Wireshark · tcpdump · DNS Analysis · TCP/IP · C2 Detection
View Write-Up on GitHub ↗
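The two network labs above describe the same DNS tunneling indicators: long, high-entropy subdomains, a high query rate to one registered domain, and almost no subdomain reuse. The script below is an added example that scores those indicators over a constructed query log; it is not the labs' own Wireshark filters or write-up code, the sample records are fabricated, and the thresholds in `flag_tunneling` are assumptions to be tuned against a baseline of normal traffic.

```python
"""DNS tunneling heuristics over a constructed query log (added example, not the labs' code)."""
import hashlib
import math
from collections import Counter, defaultdict


def _tunnel_label(i):
    # Constructed stand-in for an encoded data chunk (40 hex chars); not real traffic.
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]


# Constructed records: (unix timestamp, source IP, queried name, query type).
QUERIES = (
    [(1000.0 + i * 2.0, "10.0.0.5", "api.example.com", "A") for i in range(20)]
    + [(1000.0, "10.0.0.5", "www.example.com", "A"),
       (1003.0, "10.0.0.5", "mail.example.com", "MX")]
    + [(1010.0 + i * 0.25, "10.0.0.7", f"{_tunnel_label(i)}.t.badexample.net", "TXT")
       for i in range(40)]
)


def shannon_entropy(s):
    """Bits per character: 0 for 'wwww', close to 4.0 for random hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Last two labels. Assumption of this example: real tooling should consult the
    Public Suffix List so that e.g. 'something.co.uk' is not split wrongly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2])


def profile(queries):
    """Per registered domain: volume, rate, subdomain length and entropy, reuse, TXT/NULL share."""
    groups = defaultdict(list)
    for ts, src, qname, qtype in queries:
        groups[registered_domain(qname)].append((ts, src, qname, qtype))
    profiles = {}
    for dom, recs in groups.items():
        subs = [subdomain_part(q) for _, _, q, _ in recs]
        stamps = sorted(r[0] for r in recs)
        span = max(stamps[-1] - stamps[0], 1.0)  # 1 s floor avoids division by zero
        profiles[dom] = {
            "queries": len(recs),
            "qps": len(recs) / span,
            "avg_sub_len": sum(len(s) for s in subs) / len(subs),
            "avg_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs),
            "unique_ratio": len(set(subs)) / len(subs),       # ~1.0 when every query carries new data
            "txt_null_frac": sum(r[3] in ("TXT", "NULL") for r in recs) / len(recs),
        }
    return profiles


def flag_tunneling(profiles, min_queries=10, min_sub_len=30, min_entropy=3.0, min_unique=0.9):
    """Thresholds are assumptions for the example; tune against a baseline of normal traffic."""
    return sorted(
        dom for dom, p in profiles.items()
        if p["queries"] >= min_queries
        and p["avg_sub_len"] >= min_sub_len
        and p["avg_entropy"] >= min_entropy
        and p["unique_ratio"] >= min_unique
    )


if __name__ == "__main__":
    profiles = profile(QUERIES)
    for dom in flag_tunneling(profiles):
        p = profiles[dom]
        print(f"{dom}: {p['queries']} queries, {p['qps']:.1f} q/s, "
              f"avg subdomain {p['avg_sub_len']:.0f} chars, entropy {p['avg_entropy']:.2f}, "
              f"TXT/NULL share {p['txt_null_frac']:.0%}")
```

Volume alone is deliberately not a trigger: `api.example.com` is queried more often than many legitimate hosts would be, yet its short, repeated labels keep it clear of every other threshold. Feed the profile into a SIEM as a per-domain summary rather than per-query events, which is also how the resolver IP and query interval IOCs the labs mention would be recorded.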
// vulnerability assessment lab
Vulnerability Assessment · Nmap + Nessus
  • SCENARIO: A simulated small business environment with 12 assets had not been formally assessed in 18 months. Potential unpatched vulnerabilities and misconfigurations across workstations, servers, and network infrastructure.
  • GOAL: Discover all assets, identify and prioritize vulnerabilities by severity, and deliver an executive summary and technical remediation report.
  • ACTIONS: Ran Nmap discovery and service scans across all subnets. Executed a credentialed Nessus scan. Prioritized findings by CVSS score and asset criticality.
  • OUTCOME: Identified 3 Critical findings, including the MS17-010 SMBv1 vulnerability (EternalBlue) on 6 workstations and default credentials on the firewall. Delivered a prioritized remediation roadmap with a 30-day action plan.
Nmap · Nessus · CVE Analysis · Risk Prioritization
View Write-Up on GitHub ↗
// firewall & segmentation lab
Network Segmentation · pfSense + VLAN Design
  • SCENARIO: A flat network gave every compromised host unrestricted lateral movement capability across all servers and infrastructure. Zero segmentation meant a single breach could reach everything.
  • GOAL: Design and implement VLAN segmentation with firewall rules to contain lateral movement, restrict server access, and isolate management infrastructure.
  • ACTIONS: Configured pfSense with 3 VLANs (User, Server, Management). Wrote default-deny firewall rules with explicit allow policies. Validated all rules using Nmap from each segment.
  • OUTCOME: All 5 validation tests passed. Lateral movement from User VLAN to Management VLAN blocked. Server access limited to SMB only from User VLAN. Attack surface significantly reduced.
pfSense · VLAN · Firewall Rules · Network Hardening
View Write-Up on GitHub ↗
// siem threat hunting lab
Credential Compromise Hunt · Sentinel + Splunk
  • SCENARIO: No alert had fired, but routine log review flagged statistical anomalies in sign-in behavior. Hypothesis: a threat actor was authenticating with stolen credentials from geographically inconsistent locations.
  • GOAL: Hunt for credential compromise evidence using authentication telemetry, correlate with endpoint data, and map findings to MITRE ATT&CK.
  • ACTIONS: Built KQL impossible travel queries in Sentinel. Correlated findings with Splunk endpoint logs. Reconstructed the attacker timeline across 3 compromised accounts and 4 workstations.
  • OUTCOME: Confirmed credential compromise. Accounts disabled, sessions terminated. Detection rule documented. Timeline mapped from initial auth to lateral movement attempt in under 60 minutes.
Microsoft Sentinel · KQL · Splunk · MITRE ATT&CK · Incident Response
View Write-Up on GitHub ↗
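Both the impossible travel lab and the credential compromise hunt above rest on the same calculation: order each user's sign-ins by time, measure the great-circle distance between consecutive sign-ins, and flag any pair whose implied speed no traveller could reach. The script below is an added plain-Python version of that logic, not the labs' KQL or any Sentinel rule; the sign-in events are constructed (documentation-range IPs, hand-picked coordinates), and the speed and minimum-distance thresholds are assumptions to tune per environment.

```python
"""Impossible-travel check over constructed sign-in events (added example, not the labs' KQL)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed; tune per environment
MIN_DISTANCE_KM = 100.0     # assumption: ignore geo-IP jitter within one metro area

# Constructed events: (user, UTC time, geo-IP city, lat, lon, source IP). Not real data.
SIGNINS = [
    ("alice", "2024-05-01T13:00:00Z", "Atlanta",   33.749, -84.388, "203.0.113.10"),
    ("alice", "2024-05-01T13:40:00Z", "Frankfurt", 50.110,   8.682, "198.51.100.7"),
    ("alice", "2024-05-01T14:00:00Z", "Frankfurt", 50.110,   8.682, "198.51.100.7"),
    ("bob",   "2024-05-01T09:00:00Z", "Atlanta",   33.749, -84.388, "203.0.113.20"),
    ("bob",   "2024-05-02T09:30:00Z", "London",    51.507,  -0.128, "198.51.100.9"),
]


@dataclass
class Finding:
    user: str
    from_city: str
    to_city: str
    from_ip: str
    to_ip: str
    distance_km: float
    hours: float
    speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one Finding per consecutive sign-in pair whose implied speed exceeds max_kmh."""
    by_user = {}
    for user, ts, city, lat, lon, ip in events:
        by_user.setdefault(user, []).append((parse_ts(ts), city, lat, lon, ip))
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])  # log order is not guaranteed to be chronological
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if dist < min_km:
                continue  # same city or geo-IP noise; skip rather than divide tiny numbers
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            # identical timestamps at a real distance are the strongest signal, not a divide error
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append(Finding(user, prev[1], cur[1], prev[4], cur[4],
                                        round(dist, 1), round(hours, 2), round(speed, 1)))
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGNINS):
        print(f"{f.user}: {f.from_city} ({f.from_ip}) -> {f.to_city} ({f.to_ip}) "
              f"{f.distance_km} km in {f.hours} h = {f.speed_kmh} km/h")
```

Alice's Atlanta-to-Frankfurt pair (roughly 7,400 km in 40 minutes) is flagged; Bob's Atlanta-to-London pair a day apart is not, and Alice's two Frankfurt sign-ins fall under the minimum-distance floor. The false-positive tuning the lab mentions lives in exactly those two knobs plus an allow-list for known VPN and cloud egress ranges, which is where most production noise comes from.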
// cloud security lab
Cloud Hardening · AWS + Azure
  • SCENARIO: A simulated remote business migrated to AWS and Azure without security review. Public S3 buckets, wildcard IAM policies, disabled CloudTrail, and no alerting left the environment fully exposed.
  • GOAL: Identify and remediate cloud misconfigurations across both platforms. Establish logging, restrict public access, enforce least-privilege IAM, and document the before/after security posture.
  • ACTIONS: Blocked public S3 access, replaced wildcard IAM with least-privilege policies, enforced MFA through IAM policy conditions, enabled CloudTrail multi-region logging, and hardened Azure Blob storage access.
  • OUTCOME: All 6 critical misconfigurations remediated. CloudTrail logging enabled across all regions. Azure Monitor alerts configured. Environment moved from fully exposed to security baseline.
AWS · Azure · IAM · CloudTrail · Cloud Security
View Write-Up on GitHub ↗
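The IAM part of the cloud hardening lab above, wildcard policies replaced with least-privilege ones and MFA enforced through policy conditions, is the kind of check worth automating so it does not regress after the migration. The linter below is an added example, not the lab's code: it flags wildcard `Action`/`Resource`, `NotAction`/`NotResource`, and Allow statements without an `aws:MultiFactorAuthPresent` condition. The `WEAK_POLICY` and `HARDENED_POLICY` documents are constructed to mirror the lab's before and after states, and the bucket name is hypothetical.

```python
"""Lint AWS IAM policy documents for over-permissive statements (added example, not the lab's code)."""
import json

# Constructed 'before' policy: wildcard action and resource, no MFA condition.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Constructed least-privilege rewrite: scoped actions, one bucket, MFA required.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
    ],
}


def _as_list(value):
    # IAM accepts either a single string/object or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]


def _mfa_required(stmt):
    """True only for Bool/aws:MultiFactorAuthPresent = true.
    BoolIfExists is deliberately not accepted: the key is absent for requests signed with
    long-term access keys, and ...IfExists evaluates true when the key is absent, so that
    variant does not actually require MFA."""
    cond = stmt.get("Condition", {})
    v = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return v is not None and str(v).lower() == "true"


def lint_policy(policy, require_mfa=True):
    """Return (statement index, finding kind, detail) for each issue in Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((i, "wildcard_action", "Action '*' allows every API call"))
        else:
            svc = [a for a in actions if isinstance(a, str) and a.endswith(":*")]
            if svc:
                findings.append((i, "service_wildcard_action",
                                 "full service access: " + ", ".join(svc)))
        if "*" in resources:
            findings.append((i, "wildcard_resource", "Resource '*' covers every ARN"))
        for neg in ("NotAction", "NotResource"):
            if neg in stmt:
                findings.append((i, "negated_element",
                                 f"{neg} grants everything except the listed items"))
        if require_mfa and not _mfa_required(stmt):
            findings.append((i, "no_mfa_condition", "no aws:MultiFactorAuthPresent condition"))
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(pol) or "clean")
```

Run it against the output of `aws iam get-policy-version` (or the inline policies from `get-role-policy`) in a CI job so a new wildcard cannot be merged quietly. The MFA check is intentionally strict: a policy that uses `BoolIfExists` for `aws:MultiFactorAuthPresent` looks hardened but still admits long-term-key requests, which is the gap that matters for the stolen-credential scenario the hunting labs above investigate.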
// security architecture case study
NIST Security Architecture · 50-User Hybrid Company
  • SCENARIO: A 50-user hybrid company handling sensitive client data had no formal security program: antivirus only, no MFA, no SIEM, no segmentation, no incident response plan. NIST CSF maturity score: 1.2/5.
  • GOAL: Design a secure target architecture aligned to NIST CSF, map NIST SP 800-53 controls to identified risks, and deliver a phased implementation roadmap.
  • ACTIONS: Assessed the environment against all five NIST CSF functions (Identify, Protect, Detect, Respond, Recover; CSF 2.0 adds Govern as a sixth). Designed a VLAN-segmented network, an identity architecture with MFA and Conditional Access, and a Sentinel-based detection stack. Mapped 10 priority controls to SP 800-53.
  • OUTCOME: Delivered the target architecture design, full control mapping, a 4-phase implementation roadmap, and 5 policy templates. Projected NIST CSF maturity improvement from 1.2 to 3.8/5 post-implementation.
NIST CSF · NIST SP 800-53 · Risk Assessment · Security Architecture
View Write-Up on GitHub ↗
+ More write-ups in progress — TryHackMe rooms, OSINT investigations, and detection rule library coming soon. View Full Portfolio on GitHub →

// 04 — credentials

Certifications

EC-Council · Certified Ethical Hacker
GIAC · GSEC (Security Essentials)
GIAC · GFACT (Foundational Cyber)
CompTIA · Security+
CompTIA · Network+
CompTIA · A+
CompTIA · Infrastructure Specialist
CompTIA · Operations Specialist
AWS · Solutions Architect Associate
AWS · Cloud Practitioner
Microsoft · Azure Administrator (AZ-104)
Microsoft · Azure Fundamentals (AZ-900)
Cisco · CCNA
Okta · Certified Professional

// 05 — connect

Get In Touch

Open to threat analyst roles, consulting, and collaboration on security research.

email
CyberJudoSec@gmail.com
location
Forsyth, Georgia
download resume
// alejandro garcia
Threat Hunting & Detection Engineering Resume
Covers threat hunting, DFIR, detection engineering, SIEM operations, cloud security, OSINT investigation, and MITRE ATT&CK. Includes lab projects and full certification list.
Send Email ↗ LinkedIn ↗