SIEM & SOAR THREAT HUNTING INCIDENT RESPONSE MITRE ATT&CK LOG ANALYSIS BLUE TEAM CLOUD SECURITY VULNERABILITY MANAGEMENT ENDPOINT DETECTION NETWORK FORENSICS SIEM & SOAR THREAT HUNTING INCIDENT RESPONSE MITRE ATT&CK LOG ANALYSIS BLUE TEAM CLOUD SECURITY VULNERABILITY MANAGEMENT ENDPOINT DETECTION NETWORK FORENSICS
Welcome to my portfolio
JAYDEN
WILLIAMS
|

Attackers leave traces. I find them. Security+ and CySA+ certified, five documented labs, and a Medium write-up that walked through a full kill chain in Splunk. Everything in this portfolio is something I built. No checkboxes. Just bounties.

View Projects → Get in Touch
Scroll
Tools I Use
WHAT I
HUNT WITH.
Splunk· Sysmon· Wireshark· PEStudio· MalwareBazaar· VirusTotal· Nessus· Kali Linux· Python· PowerShell· AWS EC2· Azure· MITRE ATT&CK· VirtualBox· Git· Splunk· Sysmon· Wireshark· PEStudio· MalwareBazaar· VirusTotal· Nessus· Kali Linux· Python· PowerShell· AWS EC2· Azure· MITRE ATT&CK· VirtualBox· Git·
My Certifications
CERTS I
EARNED.
01
CompTIA Security+
Security+
CompTIA · CE
✓ Verified
02
CompTIA CySA+
CySA+
CompTIA · CE
✓ Verified
03
Microsoft SC-200
SC-200
Microsoft · Security Ops
⧗ In Progress
About
THE STORY
SO FAR.

Something about tracing exactly what an attacker did, step by step through logs, clicked in a way that nothing else in tech had. So I chased that feeling into every lab I could build.

First-gen college student at HCC Tampa. 3.66 GPA, Dean's List. Transferring to USF for a B.S. in Cybersecurity in Fall 2027. Security+ and CySA+ are done. SC-200 is in progress. Each cert was a choice, not a checklist.

Six projects in this portfolio. Full malware analysis of Jigsaw ransomware — static in PEStudio, live detonation on Swordfish II with Process Monitor, written up across two Medium posts. A Splunk threat hunt that traced a full kill chain. A live honeypot that took 63 hits in 24 hours. A Wireshark automation that processed 24,834 packets. Real work, real findings, all documented. Recognized by the Last Mile Education Fund’s Microsoft Cybersecurity Talent Fund in Spring 2026.

"They say the bounty hunter who carries their work home will never rest. I carry Splunk dashboards."
3
Certifications
6
Labs Filed
63
Attacks Logged
3.66
GPA
Microsoft Cybersecurity Talent Fund
Last Mile Education Fund · Spring 2026
Projects
SIX LABS.
SIX BOUNTIES.
SIEM Threat Hunting MITRE ATT&CK May 2026 · Featured
Cowboy Bebop
Threat Hunting Lab

Three-VM home lab simulating a full attack chain across four MITRE ATT&CK techniques: Initial Access, Persistence, Credential Access, and Lateral Movement. Built and documented every SPL query used to detect each technique. Wrote up the full investigation on Medium.

Splunk Sysmon Kali Linux Windows 11 MITRE ATT&CK
View on GitHub ↗ Read Write-Up ↗ · 101 views · 42+ reads
Splunk SPL · Process Hunt
| SPL · THREAT DETECTION QUERIES

index=sysmon EventID=1
| where ParentImage LIKE "%powershell%"
| stats count by Image, CommandLine

svchost.exe → 443/TCPC2
procdump.exe -ma lsassCRED
Set-MpPreference -DisableAV OFF
explorer.exe → cmd.exeOK

| 4 ATT&CK TECHNIQUES DETECTED
T1566 · T1547 · T1003 · T1021
Malware Analysis Static Analysis Dynamic Analysis MITRE ATT&CK Jun 2026
Malware
Analysis Lab

Full malware analysis of a 2016 ransomware sample. Static analysis with PEStudio uncovered hardcoded ransom notes, a Bitcoin address, and anti-VM behavior. Dynamic analysis on Swordfish II captured persistence mechanisms, process behavior, and AppData artifacts using Process Monitor. MITRE ATT&CK mapped across both phases.

PEStudio Process Monitor Wireshark VirusTotal VirtualBox
View on GitHub ↗ Static Write-Up ↗ Dynamic Write-Up ↗
PEStudio + ProcMon · JigsawRansomware.exe
# SHA256: F32A14E2...548BF687
# Source: MalwareBazaar · tag:Jigsaw

entropy7.356 obfuscated
virustotal56 / 72 malicious

# Dynamic — ProcMon (3.6M events)
deltasec.exe → AppData\RoamingPERSIST
RegQueryKey HKLM\SOFTWARET1012
Encryption: not triggeredWin11

# MITRE: T1486·T1547·T1036·T1083·T1012
Cloud Security Honeypot AWS Apr 2026
24-Hour AWS
Honeypot Lab

Spun up T-Pot 24.04.1 on an AWS EC2 instance and left it exposed. In 24 hours, 63 attacks came in from 5 unique source IPs. Caught NMAP scans and SSH brute-force attempts. Used Kibana and Suricata to map each TTP back to MITRE ATT&CK.

T-Pot AWS EC2 Kibana Elasticsearch Suricata
View on GitHub ↗
T-Pot · Kibana · 24hr Capture
# AWS EC2 us-east-2 · m7i-flex.large
# T-Pot 24.04.1 Hive · Cowrie + Ciscoasa

47.199.225.13831 hits · AS5650
AS16509 (Amazon)23 hits
63 total attacks5 source IPs
OriginUnited States (all)

# Top Suricata signatures
ET SCAN NMAP -sS
ET INFO SSH session initiated
ET DROP Dshield Blocklist

# MITRE: T1595·T1110·T1046·T1190·T1071
Vulnerability Management Azure Mar 2026
Azure VM
Vulnerability Management

Deployed a Windows VM in Azure, ran Tenable Nessus scans to surface vulnerabilities, then remediated with PSWindowsUpdate via PowerShell. Wrapped the whole thing in a GitHub Actions pipeline so the scan-patch-validate cycle runs automatically.

Azure Nessus PowerShell GitHub Actions
View on GitHub ↗
Nessus · patch-windows.ps1
# Nessus Essentials · Basic Network Scan
# Azure Windows VM · scan → patch → rescan

# patch-windows.ps1
Import-Module PSWindowsUpdate
Get-WindowsUpdate -Install
-AcceptAll -AutoReboot

# GitHub Actions · .github/workflows/patch.yml
✓ Initial scan complete
✓ Patches applied
✓ Rescan validated
✓ CI/CD pipeline: PASS
Network Forensics Traffic Analysis Python Malware Traffic Mar–Jun 2026
Wireshark
Traffic Analysis Automation

Analyzed 24,834 packets to identify anomalous top-talker IPs and unexpected protocol distribution across TCP, UDP, QUIC, and TLSv1.3. Automated triage of raw PCAP exports using Python and Pandas to cut down initial investigation time. Extended the project to include real-world malware PCAP analysis, investigating a Koi Stealer infection from Malware-Traffic-Analysis.net, identifying C2 beaconing to 79.124.78.197 via POST requests to /index.php and /foots.php, and correlating Suricata alerts with Wireshark HTTP stream analysis to confirm credential exfiltration.

Wireshark Python Pandas PCAP Analysis Suricata MITRE ATT&CK
View on GitHub ↗
Python · Wireshark CSV Analysis
# 24,834 packets · Wireshark → CSV → Pandas

df = pd.read_csv('capture.csv')

# Top source IPs
df.groupby('ip.src')
.size().sort_values(ascending=False)

# Protocol summary
df['Protocol'].value_counts()

# Outputs
top_source_ips.csv
top_dest_ips.csv
protocol_summary.csv
port_activity.csv
Koi Stealer · Malware Traffic Analysis

Malware-Traffic-Analysis.net · "Big Fish in a Little Pond" (2024-09-04). Victim 172.17.0.99 on bepositive.com domain. C2 at 79.124.78.197:80 — nginx. Suricata ETPRO rule confirmed Koi Stealer C2 checkin. SMB scanning on 172.17.0.0/24 consistent with lateral movement.

T1071.001 T1041 T1021.002
Wireshark · Koi Stealer C2 Analysis
# C2 beacon — GET /index.php (17:35:13 UTC)
GET /index.php HTTP/1.1
Host: 79.124.78.197
Cookie: session=qIOuKk7U

# Exfil loop — POST /foots.php (~60s intervals)
POST /foots.php HTTP/1.1
Host: 79.124.78.197

# Suricata alert
ETPRO TROJAN Koi Stealer C2 Checkin
Contact
LET'S
CONNECT.

SOC analyst roles, blue team internships, cybersecurity opportunities. Tampa, FL.

jwilliams.cyber@gmail.com
J.W.
End of Portfolio
THANK
YOU.

If you made it here, thank you. Hiring manager, fellow analyst, or just curious about the work — reach out. Everything here I built and documented myself.

Jayden Williams
Security Analyst · SOC Candidate · Blue Teamer