121 hands-on rooms across SOC, SIEM, EDR, and blue-team practice.
View TryHackMeDavid Sarkisyan
Cybersecurity Analyst + Security Operations Builder
New York City
Top 1% TryHackMe · STIGPilot on PyPI · Upstream fixes to Atomic Red Team, Splunk, SigmaHQ, Elastic
I came up through healthcare IT and an embryology lab, where small mistakes have real consequences. Now I build defensive tools and write security work another analyst can verify, reuse, and act on.
A small CLI for one real problem: compare the release, keep the reason beside the action, and make the next step easier to assign.
Best fit: careful investigation, useful automation, and trustworthy notes.
Track record
Built, shipped, reviewed.
Tools you can install. Merged fixes in security projects teams rely on. Hands-on practice, all public.
- 01Builddefensive tools
- 02Contributeupstream fixes
- 03Detectqueries and fixes
- 04Documenthandoffs teams can trust
Merged and open fixes across Atomic Red Team, Splunk security_content, SigmaHQ, Elastic, and LLMForge.
View PRsPublic tools, labs, case studies, and contribution notes, including STIGPilot on PyPI.
View workFeatured build
STIGPilot
STIG change triage - published to PyPI
Local Python CLI that compares DISA STIG releases and turns the output into change briefs, remediation backlogs, review checklists, manager summaries, and Jira/ServiceNow exports.
- Published install path: pip install stigpilot.
- PowerShell-only fallback for restricted Windows environments.
- No external dependencies needed for fallback mode.
- 01CompareDISA release files
- 02Explainchanged controls
- 03Exportbacklog and tickets
Flagged for review before remediation work is assigned.
Change brief keeps the reason beside the action.
Backlog item stays readable for technical and nontechnical review.
Review method
One timestamp can lie.
lapse dry run, Entra ID stale-device review. Local only.
lapse checks device age against sign-in history before marking anything stale — one old timestamp shouldn't be the whole case.
- Problem
- One directory timestamp can make active access look abandoned.
- Check
- Compare device activity, ownership scope, and human sign-in context.
- Safe path
- Report first, review outliers, then decide what should change.
- Mock data.
- No tracking.
- No storage.
- No network request.
- No Microsoft Graph connection.
No access change from device age alone. Human context changes the review path.
Selected work
A few pieces worth starting with, plus the full archive when you want the rest.
Home Network Security Control Plane
Production-style HomeNet operations
Firewall policy, DNS control, logs, canary checks, and recovery state separated by function and tracked in a private control plane. Daily-use home network run like a production environment.
IdentityRiskGraph
CloudTrail IAM risk review
Splunk Detection Content
Detection library
Open source review
Open source work.
Small upstream fixes: detection logic, scope corrections, test content, and maintainer review. All public.
- redcanaryco/atomic-red-teamView merged PR #3354Merged Atomic Red Team command fixmerged: accepted upstream PR #3354
- splunk/security_content #4116View merged PR #4116Merged broken regex alternation fixmerged: accepted upstream PR #4116
- splunk/security_content #4112View merged PR #4112Merged AD self-add field comparison fixmerged: accepted upstream PR #4112
- SigmaHQ/sigmaView merged PR #6038Merged event log clear filter-scope fixmerged: accepted upstream PR #6038
- splunk/security_content #4117View merged PR #4117Merged detection typo fixmerged: approved upstream PR #4117
- elastic/detection-rulesView PR #6253Bug fix: filter-only KQL rule exportsopen: review required, community and python labels
- SasanLabs/LLMForgeView PR #22Indirect prompt injection payload hintsopen: replacement PR after fork branch rename
Local lab
Browser Surface Check
A quiet browser self-check. It shows what ordinary JavaScript can see from any page you visit — the same signals used in fingerprinting, session tracking, and fraud detection. The result stays on your machine.
- Local only.
- No tracking.
- No storage.
- No network request.
- Surface
- screen, browser, timezone, language
- Rendering
- canvas, audio, WebGL
- Use
- compare privacy settings and browser profiles
Method
Before I trust the result.
A finding is only useful after it holds up under scrutiny. My approach is simple: read the system, compare what changed, avoid early conclusions, and leave a cleaner note behind.
01Identity cleanup Do not remove access from one stale timestamp.
- Seen
- Old device activity in Entra ID.
- Check
- Interactive sign-ins, owner context, join type, management status, and dry-run output.
- Avoid
- Disabling access before person and device context agree.
- Leave
- Dry-run list with review, owner, and approval notes.
02Detection triage Persistence needs a maintenance check.
- Seen
- A scheduled task is created or changed.
- Check
- Task action, author, run context, binary path, parent process, recent logons, and maintenance windows.
- Avoid
- Calling normal endpoint management activity malicious too early.
- Leave
- Triage note with host, user, command line, and tuning detail.
03Browser review Exposure is not the same as compromise.
- Seen
- A browser or LMS workflow reveals more surface than expected.
- Check
- What JavaScript can observe, what leaves the page, account context, screenshots, and permission boundaries.
- Avoid
- Turning a privacy concern into a security claim without evidence.
- Leave
- Local-only surface note with plain-language risk boundaries.
04Network controls Convenience changes the attack path.
- Seen
- A home or lab service needs easier access.
- Check
- Ingress rules, DNS, firewall policy, admin surface exposure, backups, and recovery path.
- Avoid
- Publishing management panels just to make monitoring easier.
- Leave
- Control note with exposed surface, recovery path, and deferred work.
Contact
Open to security operations, detection, IAM, and analyst work.
If you're building a defensive security team and want someone who can investigate, automate small workflows, tune detections, and leave useful notes, reach out.
Start with STIGPilot, lapse, the open source PRs, or the home network case.