Open to detection engineering & security roles · relocation OK

Zion Boggan

SOC analyst · independent security researcher · applied cryptography

I work a SOC desk at a managed security provider by day and build and break security systems the rest of the time. This is the work I can show: detection pipelines and labs that run end to end, vulnerability research across cryptographic and database internals, and Oversight Protocol — a post-quantum data-provenance system I maintain in Rust. Almost all of it runs on my own homelab.

Memphis, TN · zionboggan@gmail.com
Security+ · SC-200 · AZ-104
Bugcrowd · HackerOne
01

Flagship

Open-source · Rust + Python

Oversight Protocol v0.4.11

A cryptographic data-provenance system: a verifiable, tamper-evident record of where data came from and what happened to it, designed to hold up against a future with quantum computers. I'm the lead maintainer and primary contributor.

The hard part is correctness across two languages — the Rust implementation and the Python reference are built to produce bit-identical output, enforced by a shared conformance suite. It pairs classical and post-quantum primitives so signatures and key exchange stay sound even if one side breaks.

  • 12 crates · ~10.3k lines of Rust
  • ~13.4k lines · Python reference impl
  • 141 tests · 125 Rust · 16 Python conformance
  • FIPS 203/204 · ML-KEM-768 · ML-DSA-65
Cryptography
  • Key exchange X25519
  • AEAD XChaCha20-Poly1305
  • Signatures Ed25519
  • KDF HKDF-SHA256
  • PQ KEM ML-KEM-768
  • PQ signatures ML-DSA-65
  • Transparency Sigstore Rekor v2
  • Timestamping RFC 3161 TSA
oversightprotocol.dev →
github.com/oversight-protocol/oversight →
Targeting USENIX Security & Black Hat EU 2026
02

Security Labs

One Sigma rule compiled to Splunk, Sentinel KQL and Elastic ES|QL

Detection-as-Code

Sigma rules mapped to MITRE ATT&CK, linted and tested in CI, and compiled to Splunk, Elastic, and Microsoft Sentinel KQL — one rule, every SIEM. Detection engineering done as a pipeline, not a console click.

Sigma · Splunk · Sentinel KQL · Elastic
detection-as-code
Emulated ATT&CK techniques detected in Wazuh

Purple-Team Lab

Adversary emulation that validates the detections. Atomic Red Team techniques run against an instrumented endpoint; custom Wazuh rules catch each one, with a coverage matrix proving the ATT&CK techniques fire at the right severity.

Atomic Red Team · Caldera · Wazuh FIM · MITRE ATT&CK
purple-team-lab
Wazuh Threat Hunting dashboard with MITRE ATT&CK mapping

SOC Automation Lab

Wazuh detection into Shuffle SOAR into TheHive case management. Endpoint telemetry, custom MITRE-mapped rules, automated enrichment and case creation. Deployed and shown live with an enrolled agent and a replayed SSH brute force.

Wazuh · TheHive · Shuffle · MITRE ATT&CK
soc-automation-lab
Custom Semgrep rules failing the SAST gate

Secure CI/CD Pipeline

A GitHub Actions pipeline that gates every merge on four checks — SAST, secret scanning, dependency audit, tests — with custom Semgrep rules and findings routed back to the SOC.

GitHub Actions · Semgrep · gitleaks · pip-audit
secure-cicd-pipeline
Cosign signing and tamper detection

CI/CD Supply-Chain Security

Proves the artifact, not just the source: keyless Cosign signing, a signed SBOM, grype scanning, and a Kyverno admission policy that refuses anything it can't verify.

Cosign · Sigstore · syft · Kyverno
cicd-supply-chain-security
CTI rule-approval email with MITRE techniques

CTI Detection Automation

Pulls indicators from live threat-intel feeds, dedupes across them, extracts the MITRE techniques, generates Wazuh rules — and emails an analyst for sign-off before anything goes live.

Python · ThreatFox / OTX · Wazuh CDB · ATT&CK
cti-detection-automation
03

Vulnerability Research

Coordinated-disclosure research on Bugcrowd and HackerOne, focused on the places bugs are easy to miss and expensive to get wrong: cryptographic libraries, database engine internals, blockchain consensus, and authorization layers. Source-code analysis, protocol review, reproducible proof-of-concept.

MPC / crypto

Fireblocks MPC research notebook

Findings against an MPC threshold-signature library — memory safety, signature verification, and zero-knowledge proof soundness, with reproducible PoCs.

notebook →
JWT / auth

Schism — JWT differential fuzzer

Differentially tests JWT libraries against each other and the RFCs to surface algorithm-confusion and parsing-divergence bypasses.

fuzzer →
Markets / quant

Prediction-market bot postmortem

A trading bot taken from edge hypothesis to a documented, honest negative result — the evaluation harness and why the edge didn't survive fees.

postmortem →
Programs researched
  • Aiven (PostgreSQL · MySQL · ClickHouse · Valkey · Kafka)
  • Fireblocks MPC
  • Electroneum
  • Cloudinary
  • AXIS OS
  • Mattermost
  • GitLab
  • Databricks
  • The Trade Desk
  • New Relic
  • Automattic / WordPress
  • Snapchat
  • Vimeo
  • Airtable
04

Background

Two years on a SOC desk at a managed security provider — triaging 150–300 alerts a shift across Splunk, Microsoft Sentinel, SentinelOne, and Stellar Cyber, running forensic investigations on ransomware intrusions (Cactus, BlackByte), and managing vulnerability remediation against NIST 800-171 / CMMC baselines.

SOC Analyst · Cyber Guards (MSSP) · 2024–present
Prior: Relationship Banker · Bank of America

  • SEC+ CompTIA Security+ (SY0-701)
  • SC-200 Microsoft Security Operations Analyst
  • AZ-104 Microsoft Azure Administrator
  • AZ-900 Microsoft Azure Fundamentals
  • S1 SentinelOne Incident Responder
  • CySA+ CompTIA — scheduled June 2026