/ now · may 2026

What I'm working on.

Last updated · May 04, 2026 · Updated monthly

/ current focus

Running shift coverage at CyberSheath — coordinating triage across analysts, owning runbook drift, and pulling escalations when the queue gets noisy. Refining detection content in Sentinel and Google SecOps with a focus on tuning out the alerts that always end in dismissal. Expanding the CARL toolset for the analyst floor — small utilities that cut repeated investigation steps and keep tenant context consistent. Reading more than I'm writing this month, which usually means a writing batch is coming.

/ recently shipped · 03

Latest work out the door.

Last 30 days

/ reading · 03

On the desk.

In rotation
  • Practical Threat Intelligence and Data-Driven Threat Hunting

    Valentina Costa-Gazcón

  • The Pragmatic Programmer

    Hunt & Thomas

  • Crafting Interpreters

    Robert Nystrom

/ next up

Document the CARL tenant-context module and ship a short writeup on detection-as-product tradeoffs.