Security Software Engineer

Static analysis, DFIR, threat intelligence, and detection engineering. Writing in Python, Go, and Rust.

Five years of security engineering for the USAF, including building and running in-house software. Three years SIGINT analysis at NSA. Pivoting to pure software engineering in 2027.

Clearance: TS/SCI · CI Poly
Certifications: GREM · GXPN · GCFA · GNFA
Availability: California — 2027
01 /

About

Security software engineer with five years in USAF cyber operations and three years of SIGINT analysis at NSA. Active TS/SCI clearance with counterintelligence polygraph. GIAC-certified in reverse engineering (GREM), exploit research (GXPN), forensics (GCFA), and network forensics (GNFA).

I build detection pipelines, endpoint security software, and backend services that translate analyst workflows into systems that run. Python is my primary language; Go for services; Rust for systems programming that needs zero dependencies.

Pursuing a B.S. in Software Engineering at WGU, expected August 2026. Separating from the Air Force in 2027 and relocating to California for a pure software engineering role.

02 /

Projects

Statica (Shipped v1.0)
Python

Format-agnostic static analysis pipeline for malware triage. Extracts file hashes, printable strings, and IOC patterns — IPs, URLs, domains, file artifacts — via a two-pass modular extractor architecture. Outputs deterministic, deduplicated JSON for downstream automation.

MD5 / SHA256 · String Extraction · IOC Detection · Modular Architecture · Full Test Coverage · Cross-platform
View on GitHub
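The two-pass extractor design described above, as an added illustration that is not Statica's own code: pass one pulls printable strings out of the raw bytes, pass two runs independent IOC extractors over those strings, and the report is hashed, deduplicated and sorted so the JSON is deterministic. The sample bytes, regexes and function names are constructed for this example.

```python
import hashlib
import json
import re
from typing import Callable

MIN_LEN = 4  # shortest printable run worth keeping, as in common strings tools
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

def extract_strings(data: bytes) -> list[str]:
    """Pass 1: printable ASCII runs from the raw file bytes."""
    return [m.group().decode("ascii") for m in _STRING_RE.finditer(data)]

# Pass 2: independent extractors, each a plain function over the string list.
# The patterns are deliberately simple; a real pipeline would validate TLDs, defang, etc.
_IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
_URL = re.compile(r"""\bhttps?://[^\s"'<>]+""", re.I)
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|info)\b", re.I)
_FILE = re.compile(r"\b[\w-]+\.(?:exe|dll|ps1|bat|sh|dmg)\b", re.I)

def _matches(pattern: re.Pattern, strings: list[str]) -> set[str]:
    # A set deduplicates hits that recur across many strings (e.g. a C2 IP in several blobs)
    return {m.group() for s in strings for m in pattern.finditer(s)}

EXTRACTORS: dict[str, Callable[[list[str]], set[str]]] = {
    "ipv4": lambda s: _matches(_IPV4, s),
    "urls": lambda s: _matches(_URL, s),
    "domains": lambda s: _matches(_DOMAIN, s),  # also reports the host of any URL hit
    "files": lambda s: _matches(_FILE, s),
}

def triage(data: bytes) -> dict:
    """Run both passes and build the report; sorted lists keep the output deterministic."""
    strings = extract_strings(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "string_count": len(strings),
        "iocs": {name: sorted(fn(strings)) for name, fn in EXTRACTORS.items()},
    }

def to_json(report: dict) -> str:
    # sort_keys makes two runs on the same input byte-identical, which downstream diffing relies on
    return json.dumps(report, sort_keys=True, indent=2)

# Constructed sample "binary": a stub header, a C2 URL, a repeated IP and a dropped file name.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00http://evil-c2.example.com/gate.php\x00\x00"
          b"beacon=10.0.0.5\x00payload.exe\x00retry 10.0.0.5\x00")

if __name__ == "__main__":
    print(to_json(triage(SAMPLE)))
```

The repeated `10.0.0.5` collapses to a single entry, which is the deduplication the project description refers to.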
gorelate (In Development)
Go

Threat intelligence pipeline ingesting public IOC feeds (AlienVault OTX, abuse.ch, URLhaus). Normalizes indicators, correlates across sources for confidence scoring, generates YARA detection stubs from high-confidence IOCs, and provides LLM-assisted triage summaries via a read-only REST API. Target ship: late 2026.

Threat Feed Ingestion · IOC Correlation · HTTP API · PostgreSQL · Detection Stubs · LLM Triage · Dockerized · CI/CD
pydetect (In Development)
Python · Sigma · Falco · KQL

Detection-as-code repository covering Sigma, Falco, and KQL rules organized by attacker TTP across endpoint logs, host syscalls, and Defender XDR. Python pytest harness with per-framework adapters generates tests from rule files; collection-time fixture validation makes it structurally impossible to ship a rule without its tests. GitHub Actions CI gates every commit. Per-rule decision docs capture threat model and false-positive profile. Target ship: late 2026.

Sigma Rules · Falco Rules · KQL Rules · Pytest Harness · Decision Docs · GitHub Actions CI · TTP-Cluster Authorship · Synthetic KQL Evaluator
View on GitHub
macollect (Shipped v1.0)
Python

Modular macOS forensic artifact collector. Eight independent modules covering persistence mechanisms, process snapshots, code signing metadata, TCC permissions, extended attributes, credential artifacts, and Unified Log analysis. Zero third-party dependencies; read-only collection model.

LaunchAgents / Daemons · Process Enumeration · Persistence Detection · Code Signing Validation · TCC Permissions · Unified Log · Structured JSON
View on GitHub
03 /

Contact

GitHub: ryoshu404
Email: rsantosplus [at] gmail [dot] com