Kim Santos
Open to Cybersecurity Roles
L3 Cybersecurity Consultant  ·  6+ Years


Security Engineer & Consultant

L3 Cybersecurity Consultant with 6+ years across security engineering, incident response, SOC operations, network security, penetration testing, and security governance. I build things that make analysts faster, defenses smarter, and organizations harder to breach — and I ship open source tools to prove it.

6+ years in cybersecurity · ~45% SIEM false positive reduction · 85% purple team detection rate
Flagship Projects

ThreatAnalyzer v2.0 · ksantos-tech.github.io/ThreatAnalyzer
Sample verdict for 185.220.101.47 (auto-detected as an IP address): MALICIOUS, risk score 94 / 100 · CRITICAL. VirusTotal 47/70 engines flagged · AbuseIPDB 98% abuse confidence · ThreatFox match (Tor exit · C2) · MalwareBazaar found (Trojan.Agent · botnet) · URLScan suspicious (malicious redirect) · WHOIS registrant anonymised.

PhishGuard v1.0 · ksantos-tech.github.io/PhishGuard
Sample verdict for a message from security@paypa1.com (lookalike) with Reply-To attacker@gmail.com (mismatch) and subject "Urgent: Verify your PayPal account now": 60+ checks · Authentication 8 / 100 FAIL · Content 65 / 100 HIGH RISK · Infrastructure 55 / 100 SUSPICIOUS · overall 78 / 100 HIGH RISK · Credential Phishing · IOCs 185.220.101.47, paypa1.com +4 more.
Expertise

Security domains

Where I operate, build, and defend across the full security lifecycle.

Detection Engineering

Designing SIEM detection rules, Sigma rules, and threat detection logic aligned with the MITRE ATT&CK framework.

Threat Investigation

Incident response, malware triage, forensic analysis, and IOC investigations across enterprise environments.

Security Architecture

Security control mapping, NIST CSF alignment, and security maturity improvements for organizations.

Security Automation

SOC tooling, Python automation, API integrations, and SOAR playbooks for operational efficiency.

Red Team / Offensive Security

OWASP Top 10 testing, vulnerability exploitation, and adversary simulation using Caldera and Metasploit.

Impact

Measurable outcomes

~45%
Reduced SIEM False Positives
Tuned correlation rules and detection validation across client SIEMs
10+
Analyst Hours Saved Weekly
Python automation for IOC translation and bulk IP checking
Detection Rules Built
Custom KQL and Sigma rules mapped to MITRE ATT&CK
30–40%
MTTR Reduction
Automation and playbook optimization across multi-client environments
85%
Detection Rate
Purple team adversary simulation detection success rate
Experience

Career timeline

6+ years building and defending enterprise security capabilities across MSSP, enterprise, and consulting environments.

L3 Cybersecurity Consultant May 2025 — Present
NEVERHACK
  • Incident Response — Tier 3 escalation point across ~85,000 endpoints; led containment, eradication, and recovery reducing average MTTR by 30–40%
  • Detection Engineering — Designed and tuned SIEM detections and correlation rules, reducing false positives by ~45% while improving signal-to-noise ratio
  • Purple Team — Conducted adversary simulation and control validation aligned with MITRE ATT&CK
  • Client Advisory — Delivered executive-level reports translating technical findings into business risk
  • SOC Leadership — Mentored analysts and improved detection maturity and documentation standards
Senior Cybersecurity Engineer Jun 2024 — May 2025
AMUSED GROUP
  • Incident Response — Led end-to-end response for high-severity incidents including root cause analysis, containment, and long-term remediation across multiple tenants
  • Penetration Testing — Web application testing focused on OWASP Top 10 vulnerabilities with remediation support
  • SASE & Networking — Implemented Cato SASE delivering SD-WAN, FWaaS, SWG, CASB, DLP, and ZTNA; engineered IPSec/SSL VPN segmentation and AI governance controls
  • Automation — Built PowerShell automation reducing manual IR effort and accelerating response workflows
SOC Analyst Feb 2022 — Apr 2024
TENERITY INC.
  • Security Automation — Built Python SOC tools (Bulk IP Checker, IOC Translator), saving 10+ analyst hours per week
  • SIEM Engineering — Optimized Exabeam queries and alert logic to improve true-positive detection rates
  • Threat Hunting — Conducted proactive hunting across endpoints, network logs, and cloud telemetry
  • SOAR Automation — Designed and automated playbooks, reducing manual response effort and MTTR
Senior IT Security Oct 2020 — Feb 2022
P&A GRANT THORNTON
  • SIEM Engineering — Built Microsoft Sentinel with dashboards, alerts, and KQL detections aligned with NIST CSF
  • Endpoint Security — Deployed and optimized Microsoft Defender for Endpoint for advanced threat detection
  • Threat Hunting & IR — Proactive threat hunting and incident response across enterprise environments
  • Endpoint Management — Managed Microsoft Intune for conditional access, compliance, and data protection
Network Security Engineer Aug 2019 — Jul 2020
SMITS INC. — IT Company of San Miguel Corporation
  • Network Security Operations — Monitored and managed firewalls, VPNs, IPS/IDS, and SIEM platforms
  • SIEM Content Development — Built McAfee SIEM correlation rules, alerts, dashboards, and reports
  • Infrastructure Security — Supported secure network operations for availability and performance
Security Stack

Tools & platforms

Hands-on experience across the full security toolchain — from SIEM and EDR to offensive security and cloud.

SIEM & XDR
Microsoft Sentinel · Exabeam · Stellar Cyber · McAfee SIEM · Kibana
EDR & Endpoint
Microsoft Defender for Endpoint · Microsoft Intune · CrowdStrike Falcon
Cloud & Identity
Microsoft Entra ID · Microsoft Azure · Defender for Cloud · Microsoft Purview · CASB / Cloudflare
Automation & Dev
Python · KQL · SOAR Playbooks · Sigma Rules · PowerShell · Bash
Threat Intelligence
VirusTotal · AbuseIPDB · MalwareBazaar · ThreatFox · URLScan · WHOIS / OSINT
Network & SASE
Cato Networks · Palo Alto · Check Point · Netskope · VPN / IDS/IPS
Red Team / Offensive
Burp Suite · Metasploit · Caldera · Qualys / Tenable · Kali Linux · Nmap
Open Source

Security projects

Tools built to solve real SOC problems — production-deployed, open source.

Python

SocTranslate

SOC analyst utility for translating and normalizing IOC formats across different SIEM and threat intelligence platforms. Reduces manual copy-paste work during investigations and alert triage.

Python · IOC Normalization · SOC Automation
Python

Python Automation: Bulk IP Checker

Automated bulk IP reputation checker that queries threat intelligence APIs at scale. Processes lists of IPs and outputs structured reputation reports for triage.

Python · IP Reputation · SOC Tooling
Flagship Project

ThreatAnalyzer

SOC analysts waste hours manually querying VirusTotal, AbuseIPDB, and URLScan one tab at a time. Copy-pasting IOCs, switching contexts, trying to correlate fragmented results.

A production-grade threat intelligence platform that queries 6 intel sources simultaneously, auto-detects IOC types, scores risk, and returns a unified investigation report in seconds instead of minutes.

ksantos-tech.github.io/ThreatAnalyzer · v2.0
Input: 185.220.101.47 (auto-detected: IP Address)
Sources: VirusTotal · AbuseIPDB · MalwareBazaar · abuse.ch URL · ThreatFox · WHOIS
Bulk mode available: analyze multiple IOCs at once

185.220.101.47 · MALICIOUS · Risk Score 94 / 100
  • VirusTotal: 47/70 engines flagged · Tor exit node · C2 traffic · Malware distribution
  • AbuseIPDB: 98% abuse confidence · 1,847 reports · Hacking · DDoS · Spam
  • MalwareBazaar: Found (known sample) · Trojan.Agent · Tagged: botnet, c2
  • abuse.ch URL: Blacklisted (URL status) · Malware distribution · Active C2
  • ThreatFox: IOC Match · Threat actor: Emotet · Confidence: 75%
  • WHOIS: Origin country DE · ASN: AS205100 · Org: F3 Netze e.V.
Export CSV · Export TXT report

6 intel sources queried simultaneously · <3s average IOC analysis time · 4 IOC types auto-detected · 0 API keys exposed to client

Why I Built This

During incident response engagements I noticed analysts spending 15-20 minutes per IOC manually checking each intelligence source. Multiply that by dozens of indicators per incident and it becomes a real bottleneck.

I built ThreatAnalyzer to solve a workflow problem I lived every day, not as a tutorial exercise. Find the friction, design the fix, ship it.

Cloudflare Workers over a traditional backend — latency near zero, no server to manage
Environment secrets over client-side storage — API keys never touch the browser
Parallel API calls over sequential — all 6 sources fire at once, not one at a time
Strict IOC validation before every outbound request — blocks misuse and bad API consumption

Architecture

Analyst Browser (HTML · CSS · JS) → Cloudflare Workers (Secrets · Validation · Rate Limiting) → VirusTotal · AbuseIPDB · MalwareBazaar · abuse.ch URL · ThreatFox · WHOIS

JavaScript · Cloudflare Workers · GitHub Actions CI/CD · REST APIs · abuse.ch · ThreatFox · Secrets Management

Auto IOC Detection: IP, Domain, URL, and Hash types identified automatically
Bulk Scanning: Analyze multiple IOCs in a single submission
Export Reports: One-click CSV and TXT report download
Scan History: Recent scans stored locally for quick re-access
Unified Risk Score: Aggregated score across all 6 intel sources
Zero Key Exposure: All API credentials isolated in Cloudflare secrets
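The Worker-side flow described above (strict IOC validation before any outbound request, parallel fan-out to the intel sources, one aggregated score, keys that stay in the Worker environment) as an added JavaScript example. This is not ThreatAnalyzer's own code: the function names, the per-source weights, the verdict thresholds and the SAMPLE_INTEL verdicts are assumptions, and the vendor lookups are stubbed so the block runs offline.

```javascript
// Added example, not ThreatAnalyzer's own code. Weights, thresholds, function
// names and SAMPLE_INTEL are assumptions for illustration; lookups are stubbed.

const MAX_IOC_LENGTH = 2048;
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;
const HASH = /^(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64})$/i;   // MD5 / SHA-1 / SHA-256
const DOMAIN = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Step 1: strict classification. Anything that is not exactly one of the four
// supported IOC shapes is rejected here, before any outbound request is made.
function classifyIoc(raw) {
  const value = String(raw).trim();
  if (!value || value.length > MAX_IOC_LENGTH) return null;
  if (IPV4.test(value)) return { type: 'ip', value };
  if (HASH.test(value)) return { type: 'hash', value: value.toLowerCase() };
  if (/^https?:\/\//i.test(value)) {
    try { return { type: 'url', value: new URL(value).href }; } catch { return null; }
  }
  if (DOMAIN.test(value)) return { type: 'domain', value: value.toLowerCase() };
  return null;
}

// Which sources apply to which IOC types and how much each contributes to the
// unified score. WHOIS is context only and carries no weight.
const SOURCES = {
  virustotal:    { weight: 35, types: ['ip', 'domain', 'url', 'hash'] },
  abuseipdb:     { weight: 25, types: ['ip'] },
  malwarebazaar: { weight: 15, types: ['ip', 'hash'] },
  abusech_url:   { weight: 10, types: ['ip', 'domain', 'url'] },
  threatfox:     { weight: 15, types: ['ip', 'domain', 'url', 'hash'] },
  whois:         { weight: 0,  types: ['ip', 'domain'] },
};

// Constructed sample verdicts (0..1 = how strongly the source flags the IOC).
// A real Worker would call each vendor API here with a key read from env.
const SAMPLE_INTEL = {
  '185.220.101.47': { virustotal: 47 / 70, abuseipdb: 0.98, malwarebazaar: 1, abusech_url: 1, threatfox: 0.75, whois: 0 },
  'example.com':    { virustotal: 0, abusech_url: 0, threatfox: 0, whois: 0 },
};

async function querySource(name, ioc, env) {
  // Stand-in for: fetch(vendorUrl, { headers: { 'x-apikey': env[`${name.toUpperCase()}_KEY`] } })
  const intel = SAMPLE_INTEL[ioc.value];
  if (!intel || intel[name] === undefined) throw new Error(`${name}: lookup failed`);
  return { source: name, status: 'ok', confidence: intel[name] };
}

// Step 3: aggregate. A source that errored is excluded from both numerator and
// denominator, so a vendor outage lowers coverage rather than silently lowering risk.
function scoreResults(results) {
  let earned = 0, available = 0;
  for (const r of results) {
    if (r.status !== 'ok') continue;
    earned += SOURCES[r.source].weight * r.confidence;
    available += SOURCES[r.source].weight;
  }
  const score = available ? Math.round(100 * earned / available) : 0;
  const verdict = score >= 80 ? 'CRITICAL' : score >= 60 ? 'HIGH' : score >= 30 ? 'SUSPICIOUS' : 'CLEAN';
  const answered = results.filter(r => r.status === 'ok').length;
  return { score, verdict, sourcesQueried: results.length, sourcesAnswered: answered };
}

// Step 2: fan out to every applicable source at once; allSettled keeps one slow
// or failing vendor from failing the whole report.
async function analyzeIoc(raw, env = {}) {
  const ioc = classifyIoc(raw);
  if (!ioc) return { error: 'invalid or unsupported IOC' };
  const names = Object.keys(SOURCES).filter(n => SOURCES[n].types.includes(ioc.type));
  const settled = await Promise.allSettled(names.map(n => querySource(n, ioc, env)));
  const results = settled.map((s, i) => s.status === 'fulfilled'
    ? s.value : { source: names[i], status: 'error', confidence: 0 });
  return { ...ioc, ...scoreResults(results), results };
}

// Request handler in the Cloudflare Workers fetch shape: the browser only ever
// receives the aggregated report, never the vendor keys bound in `env`.
async function handleRequest(request, env) {
  if (request.method !== 'POST') return new Response('method not allowed', { status: 405 });
  const { ioc } = await request.json();
  const report = await analyzeIoc(ioc, env);
  return new Response(JSON.stringify(report), { headers: { 'content-type': 'application/json' } });
}

analyzeIoc('185.220.101.47').then(r => console.log(JSON.stringify(r, null, 2)));
```

The choice of `Promise.allSettled` over `Promise.all` is the practical point: with `all`, one vendor timeout rejects the whole report; with `allSettled` the failed source is dropped from both sides of the score, so an outage shows up as reduced coverage (`sourcesAnswered` < `sourcesQueried`) instead of either a failed lookup or an IOC that quietly reads as "not flagged".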
Open Source · Email Forensics

PhishGuard

Phishing investigations are repetitive. Check the headers, look up SPF, scan the URLs — 15 minutes gone before you've started. Drop in any email and get auth failures, lookalike URLs, credential-harvesting forms, and all extracted IOCs scored in seconds. Nothing leaves your browser.

60+ checks per email, scored in 3 categories

Email Evidence: suspicious-donation.eml
FROM security@paypa1.com (Lookalike)
REPLY-TO attacker@gmail.com (Mismatch)
SUBJECT Urgent: Verify your PayPal account immediately (Urgency)
DATE 21 Mar 2026, 03:47 UTC

Dear valued customer,

We detected unusual activity on your account. Your access will be suspended within 24 hours unless you verify immediately.

Click here to verify: https://paypa1.com/secure/login

This message contains a <form> with an <input type="password"> harvesting credentials.
Attack type: Credential Phishing

Analysis Results (60+ checks)
Authentication 8 / 100 · FAIL: SPF: FAIL · DKIM: NONE · DMARC: FAIL
Content 65 / 100 · HIGH RISK: 3 lookalike URLs · 2 <password> inputs · Hidden <form>
Infrastructure 55 / 100 · SUSPICIOUS: Routing anomalies · Unknown ASN · No WHOIS match
Overall 78 / 100 · ⚠ HIGH RISK · Credential Phishing via lookalike domain
Copy IOCs · Send to ThreatAnalyzer
Extracted IOCs (7 found): 185.220.101.47 · paypa1.com · paypa1.com/secure/login · track.r.mailer.ru · 91.108.4.226 · +1 more

60+ checks per email · 0 bytes sent outside your browser · 3 attack categories scored · 1 HTML file, no install, no server
How It Works
Six steps, all client-side, all offline.
01 Drop Email: paste raw text or drag a .eml file
02 Parse: headers, body, URLs, attachments
03 60+ Checks: Auth · Content · Infrastructure
04 Extract IOCs: IPs, domains, emails, URLs, deduped
05 Verdict: score + category + attack type
06 Export: CSV, TXT or → ThreatAnalyzer

Why I Built This

Phishing triage gets repetitive fast. Every report turns into the same routine — check headers, look up SPF, open the HTML, scan URLs. It takes time, but most of it isn't real analysis. It's just process.

PhishGuard puts all of that in one place. Drop in an email and get a full breakdown in seconds — without jumping between tools or leaking sensitive emails to external APIs.

Design Decisions

Offline by design — analysts deal with sensitive emails. Nothing phones home.
Levenshtein + homoglyph checks — catches pаypal.com vs paypal.com, not just exact matches.
ThreatAnalyzer handoff — IOCs go straight into bulk scan. No re-entry.
Scored by category — auth, content, infrastructure scored separately so you know where the risk actually is.

What It Checks

Authentication
  • SPF — sender policy validation
  • DKIM — signature presence & validity
  • DMARC — alignment & policy enforcement
  • ARC — forwarding chain integrity
  • Reply-To vs From domain mismatch
  • Received header chain analysis
Content & URLs
  • Lookalike URLs — Levenshtein distance check
  • Homoglyph & Unicode substitution detection
  • Punycode & internationalized domains
  • <form> tags, password fields, credential harvest
  • Hidden elements, base64 blobs, obfuscated JS
  • Suspicious TLDs & credential params in URLs
Evasion & IOCs
  • Zero-width characters & invisible text
  • Spaced-out keywords (v e r i f y)
  • Double extensions (.pdf.exe, .doc.js)
  • Macro-enabled & executable attachments
  • IP, domain, email, URL extraction — deduped
  • One-click send to ThreatAnalyzer bulk scan
JavaScript · Client-side only · Email Forensics · IOC Extraction · MIME Parsing · Levenshtein Algorithm

Drag & Drop .EML: Load any raw email file. Supports .eml, .txt, .msg; no copy-paste gymnastics.
3 Score Categories: Auth, content, and infrastructure scored independently, so you know exactly where the risk lives.
IOC Extraction: IPs, domains, emails, URLs, deduped. Copy all or export as TXT/CSV in one click.
ThreatAnalyzer Handoff: One click sends extracted IOCs straight to ThreatAnalyzer's bulk scan. No re-entry.
Offline. No APIs. No Tracking: Single HTML file. Open it, analyze the email, close it. Nothing leaves your machine.
Attack Classification: Tells you if it's BEC, Credential Phishing, or Malware Delivery, not just "suspicious."
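A client-side pass implementing a subset of the checks listed above, as an added JavaScript example that is not PhishGuard's own code. It parses a constructed .eml, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, compares Reply-To with From, folds confusable characters (Cyrillic look-alikes, digit-for-letter swaps) to ASCII before a Levenshtein comparison against a small assumed brand list, looks for credential-harvesting forms, zero-width characters, letter-spaced keywords and double-extension attachments, extracts deduplicated IOCs, and scores three categories (authentication, content, evasion; the page's infrastructure checks need routing data the sample does not carry). The sample message, the brand list, the penalties, the category weights and the function names are all assumptions.

```javascript
// Added example, not PhishGuard's own code. The sample message, brand list,
// penalties, weights and function names are assumptions for illustration.
const SAMPLE_EML = [   // constructed sample message, not a real one
  'Received: from mail.paypa1.com (unknown [185.220.101.47]) by mx.example.net',
  'From: PayPal Security <security@paypa1.com>',
  'Reply-To: attacker@gmail.com',
  'Subject: Urgent: Verify your PayPal account immediately',
  'Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=paypa1.com;',
  '  dkim=none; dmarc=fail header.from=paypa1.com',            // folded header line
  'Content-Type: text/html',
  '',
  '<p>Dear valued customer,</p>',
  '<p>Your access will be suspended unless you v\u200Be\u200Br\u200Bi\u200Bf\u200By now.</p>',
  '<a href="https://paypa1.com/secure/login">Click here to verify</a>',
  '<form action="https://paypa1.com/secure/login" style="display:none"><input type="password" name="pw"></form>',
].join('\r\n');

const BRANDS = ['paypal.com', 'microsoft.com', 'google.com'];   // assumed watch-list
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/g;
// Cyrillic look-alikes and digit-for-letter swaps mapped to the ASCII they imitate.
const CONFUSABLES = { '\u0430': 'a', '\u0435': 'e', '\u043E': 'o', '\u0440': 'p', '\u0441': 'c',
                      '\u0445': 'x', '\u0443': 'y', '\u0456': 'i', '1': 'l', '0': 'o' };

// Split headers from body, unfold continuation lines, keep the first value of each header.
function parseEml(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const headers = Object.create(null);
  for (const line of head.replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)) {
    const m = /^([\w-]+):\s*(.*)$/.exec(line);
    if (m && !(m[1].toLowerCase() in headers)) headers[m[1].toLowerCase()] = m[2];
  }
  return { head, headers, body: rest.join('\n\n') };
}

const domainOf = addr => (/@([\w.-]+)/.exec(addr || '') || [])[1]?.toLowerCase() || null;

function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++)
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    prev = cur;
  }
  return prev[b.length];
}

// Homoglyph-aware comparison: fold confusables to ASCII first, then measure edit distance,
// so "p\u0430ypal.com" (Cyrillic a) and "paypa1.com" both land on the brand at distance 0.
function lookalike(host) {
  const h = host.toLowerCase();
  const folded = h.normalize('NFKC').replace(/./gu, c => CONFUSABLES[c] ?? c);
  const hadConfusable = folded !== h || /(^|\.)xn--/.test(h);
  for (const brand of BRANDS) {
    if (h === brand || h.endsWith('.' + brand)) return null;       // the genuine domain
    const d = levenshtein(folded, brand);
    if (d === 0 && hadConfusable) return { host, brand, reason: 'homoglyph' };
    if (d > 0 && d <= 2) return { host, brand, reason: `levenshtein=${d}` };
  }
  return null;
}

const doubleExtension = name => /\.(?:pdf|docx?|xlsx?|txt|jpg)\.(?:exe|js|scr|vbs|hta|bat)$/i.test(name);

function analyzeEmail(raw) {
  const { head, headers, body } = parseEml(raw);
  const f = { authentication: [], content: [], evasion: [] };
  const add = (cat, check, detail, penalty) => f[cat].push({ check, detail, penalty });

  // Authentication: the receiving MX's verdicts, plus Reply-To vs From domain.
  const auth = headers['authentication-results'] || '';
  const verdict = k => (new RegExp(`\\b${k}=(\\w+)`, 'i').exec(auth) || [])[1]?.toLowerCase() || 'none';
  for (const [k, pen] of [['spf', 30], ['dkim', 25], ['dmarc', 35]])
    if (verdict(k) !== 'pass') add('authentication', k, verdict(k), pen);
  const fromDom = domainOf(headers.from), replyDom = domainOf(headers['reply-to']);
  if (replyDom && replyDom !== fromDom) add('authentication', 'reply-to mismatch', `${fromDom} -> ${replyDom}`, 20);

  // Content: each distinct link host is compared to the brand list; a form or password
  // input inside a mail body is treated as credential harvesting.
  const urls = [...new Set(body.match(/https?:\/\/[^\s"'<>]+/gi) || [])];
  const hosts = new Set(urls.map(u => { try { return new URL(u).hostname; } catch { return null; } }).filter(Boolean));
  for (const h of hosts) { const l = lookalike(h); if (l) add('content', 'lookalike url', `${h} ~ ${l.brand} (${l.reason})`, 30); }
  if (/<form\b/i.test(body)) add('content', 'form in body', 'html form', 15);
  if (/type\s*=\s*["']?password/i.test(body)) add('content', 'password field', 'input type=password', 30);
  if (/display\s*:\s*none|visibility\s*:\s*hidden/i.test(body)) add('content', 'hidden element', 'css-hidden markup', 10);

  // Evasion: invisible characters and letter-spaced keywords defeat naive keyword filters.
  const zw = (body.match(ZERO_WIDTH) || []).length;
  if (zw) add('evasion', 'zero-width characters', `${zw} found`, 25);
  if (/\b(?:[a-z][\s\u200B-\u200D]+){3,}[a-z]\b/i.test(body)) add('evasion', 'spaced-out keyword', 'letter-spaced word', 15);
  for (const m of raw.matchAll(/filename="?([^"\r\n;]+)/gi))
    if (doubleExtension(m[1])) add('evasion', 'dangerous attachment', m[1], 40);

  const scores = Object.fromEntries(Object.entries(f).map(([k, v]) => [k, Math.min(100, v.reduce((s, x) => s + x.penalty, 0))]));
  const overall = Math.round(0.4 * scores.authentication + 0.35 * scores.content + 0.25 * scores.evasion);
  const has = (cat, check) => f[cat].some(x => x.check === check);
  const attackType = has('evasion', 'dangerous attachment') ? 'Malware Delivery'
    : has('content', 'password field') || has('content', 'lookalike url') ? 'Credential Phishing'
    : has('authentication', 'reply-to mismatch') && hosts.size === 0 ? 'BEC' : 'Suspicious';
  const iocs = {   // deduplicated, ready for a bulk reputation check
    ips: [...new Set(head.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || [])],
    domains: [...new Set([...hosts, fromDom, replyDom].filter(Boolean))],
    urls,
    emails: [...new Set((head.match(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g) || []).map(e => e.toLowerCase()))],
  };
  return { scores, overall, verdict: overall >= 70 ? 'HIGH RISK' : overall >= 40 ? 'SUSPICIOUS' : 'LOW RISK', attackType, findings: f, iocs };
}

console.log(JSON.stringify(analyzeEmail(SAMPLE_EML), null, 2));
```

Two details matter more than the individual penalties. The confusable fold has to run before the distance check, otherwise a single Cyrillic "а" makes the domain a one-edit typo rather than an exact impersonation, and a subdomain of the genuine brand must be excluded before any distance is measured or `www.paypal.com` would be flagged against `paypal.com`. The zero-width check counts characters in the raw body rather than after stripping, so the finding survives even when the letter-spaced keyword check also fires on the same text.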
Credentials

Certifications

CompTIA Security+ SY0-601
CompTIA
2022
Proofpoint AI/ML Specialist
Proofpoint
2024
Proofpoint Identity Threat Specialist
Proofpoint
2024
Stellar Cyber SOC Analyst Associate
Stellar Cyber
2025
Testimonials

Trusted by security leaders

What colleagues and managers say about working alongside Kim.

Professional Reference

Kim Santos stands out as a Cybersecurity Consultant with remarkable dedication, consistently investing time in studying emerging threats and solutions. He has made significant contributions to policy implementation and ISO/NIST certification efforts, ensuring compliance and strengthening organizational resilience. His involvement in collaborative and consultation projects, ranging from engineering-focused initiatives to small external engagements, goes to show both his versatility and practical impact. With deep technical expertise and a proven record of advancing standards, Kim is recognized as a trusted and impactful professional in cybersecurity.

Ma. Klarissa Mendoza
GRC & Vendor Risk Management Specialist
Cloudpay Philippines Inc.
Project Collaboration · 2024

I highly recommend Kim Santos as an exceptional professional in the cybersecurity field. They bring a rare combination of deep technical expertise, strategic thinking, and a proactive mindset to every challenge they tackle. Kim consistently demonstrates a strong understanding of evolving threat landscapes, coupled with the ability to design and implement robust, scalable security solutions. Beyond their technical capabilities, Kim is a trusted collaborator who communicates complex security concepts with clarity and precision, making them invaluable to both technical and non-technical stakeholders. Their commitment to staying ahead of emerging risks, along with their integrity and attention to detail, sets them apart as a leader in the cybersecurity space. Any organization would greatly benefit from Kim's expertise, professionalism, and dedication to protecting critical systems and data.

Ryan Sztanski
Business Systems Manager
LPA Energy Group · Melbourne, Australia
Global IT Manager · Colleague
Professional Reference

I'm proud to see how far Kim has come since his time as a SOC Analyst. Even then, he stood out by making recommendations and creating automations that made our jobs easier. Despite being at a junior level, Kim showed strong ownership of his work and wasn't afraid to share his ideas or provide feedback. He consistently went beyond expectations. He was also a reliable team player—easy to work with, supportive, and always willing to contribute. Over time, I saw him grow in both confidence and capability, which makes his progression to a Security Engineer well deserved. I'm genuinely glad to see his growth, and I'm confident that Kim will continue to excel in whichever company he works for.

Jetter Damistades
Triage Security Engineer 3
Arctic Wolf · Toronto, Ontario, Canada
Security Escalation Officer · 2022–2023
Professional Reference

I'm so proud of Kim's achievement in the cyber security field. I remember his early days in the field, when he was our SOC trainee: he was easy to teach and very willing to learn the craft. He was also a team player back then. Seeing how far he's grown is a testament to his drive and dedication.

Jane Christine Rivarez-Icban
Cyber Solutions Architect
CyberQ Group · Quezon City, Philippines
SOC & Network Security Supervisor · 2019–2020
Contact

Let's connect

Whether you're building a SOC from scratch, responding to an active incident, or looking for someone who can turn technical findings into business decisions — I'd love to connect.