CYBERSECURITY PORTFOLIO

Daniel Nascimento

Detection engineering for hybrid IT/OT environments

Detection engineering on Wazuh, vulnerability management with DefectDojo, SOAR pipeline in a single-tenant enterprise environment. Defender with an offensive mindset.

São Paulo, BR · available Q2 2026 · daniel_sec_jobs@outlook.com
daniel@soc:~$ whoami
Daniel Nascimento · Cybersecurity Analyst (Mid-Senior)
São Paulo · BR · remote · hybrid · relocation


About

Cybersecurity Analyst (Mid-Senior) at eSecurity since Feb/2023, embedded in a single enterprise client (Client A) operating as the de-facto blue team. Coverage spans detection engineering on Wazuh with cluster sizing based on real telemetry, an end-to-end vulnerability management program via DefectDojo (growing scope of web applications), endpoint security on CrowdStrike and Microsoft Defender, a SOAR pipeline in production (TheHive + Cortex + n8n) and recurring AD hardening. Differentiator: cross-period architectural continuity — every technical decision connects to prior ones, forming 2-3 year evolution arcs instead of isolated changes.

Stack I operate in depth: Wazuh, CrowdStrike (CQL, custom IOA rules), Microsoft Defender, MISP, DefectDojo + Acunetix/Nessus/ProjectDiscovery/Nuclei, F5 BigIP (TCL iRules), ModSecurity — including my own ModSec Sync in Flask/Python on port 10080, in production synchronizing WAF rules cross-distro — pfSense/Suricata, BloodHound/PingCastle/Purple Knight, TheHive/Cortex/n8n, Microsoft Purview. Areas I am still honestly developing: Python beyond operational scripting, OpenSearch cluster fine-tuning. Personal setup: a parallel homelab on Oracle Cloud (Docker + Traefik + Cloudflare tunnels + AdGuard) and Notion as documentation hub — a habit publicly recognized by the team senior as "maintainer of the stack documentation".


Experience

  1. Cybersecurity Analyst (Mid-Senior) · eSecurity · present

    Blue team embedded in a single enterprise client (Client A), with shared ownership of the SOC stack — detection engineering on Wazuh, end-to-end vulnerability management program, multi-engine SOAR pipeline and custom detection rules on CrowdStrike Falcon. Recognized by the team senior as the maintainer of the stack documentation.

    • Wazuh SIEM — 3 years of cluster evolution: architected the transition from standalone manager with stock rules to a multi-node deployment sized through capacity planning based on real telemetry. Authored 100+ custom detection rules — PCRE2 XSS, AD bruteforce tuning, Vulnerability Detection module with inventory at scale — and proposed centralization strategy replacing the current NG-SIEM.
    • End-to-end vulnerability management program as one of the responsible analysts: designed the DefectDojo pipeline with multi-scanner ingestion (Nessus + Acunetix + ProjectDiscovery), PT-BR translation automation for findings in bulk via Google Cloud Translate, priority dashboard by severity × product × region, and remediation SLA covering a growing scope of web applications. Program extended to Attack Surface Management after Censys × ProjectDiscovery comparison (86 vs. 159 domains mapped) — vendor negotiations reduced total cost by ~US$30k over 12 months.
    • SOAR pipeline (TheHive + Cortex + n8n) in production: orchestrated containment via 3 integrated responders — CrowdStrike Falcon, Microsoft Defender, F5 BigIP — with dual auto/manual flow preserving human approval on network blocks. IOC blocking MTTD went from ~30min manual to <2min automated; NOC gained self-service case creation via TheHive without escalating to an analyst.
    • Detection engineering on CrowdStrike Falcon: led an 11-week comparative POC SentinelOne × CrowdStrike with 10 structured scenarios derived from real incidents (Win + Linux). Delivered 5 custom IOA rules in production (detect/kill mode, validated kill of /usr/bin/dash), which became a permanent capability of the detection program even after the decision to keep CrowdStrike.
    • Owned components and hardening at scale: ModSec Sync in Flask/Python on port 10080, synchronizing WAF rules cross-distro with git-based versioning and Cortex responder for layer-7 blocking. CIS L1 scripts published for 10 platforms (6 Linux + 4 Windows: RHEL 7/8, Debian 11, Ubuntu 18/20/22, Windows 10/Server 2012R2/2016/2019), adopted by the Networks team as the corporate hardening standard.
    • Incident response technical leadership: night-shift focal point on credential compromise and lateral movement cases — Linux privilege escalation case (91 emails extracted, 835 accounts validated via SocRadar API), utilman.exe bypass, large-scale Entra ID MFA incident, post-RDS forensic collection, EdgeWebView2/DNS-poisoning. Publicly recognized by the team senior as "maintainer of the stack documentation" and designated technical escalation point for the junior on holiday rotation.
    Wazuh · CrowdStrike Falcon · Microsoft Defender · TheHive · Cortex · n8n · DefectDojo · ProjectDiscovery · F5 BigIP · ModSecurity · MITRE ATT&CK
  2. Cybersecurity Analyst · eSecurity

    First allocation in offense-for-defense work at eSecurity. Internal pentest, federated password spraying respecting lockout policies, SMB/AD enumeration at scale, Active Directory hardening with Lithnet/OpenPasswordFilter and identification of GPO-based privilege escalation path.

    • Internal pentest respecting lockout policies: wordlists derived from typical corporate patterns, valid credential capture via federated password spraying, ADFS endpoint identification and exploitation of the wsignin1.0 flow. Formal deliverables in PDF/DOCX for the customer.
    • Active Directory hardening: configured Lithnet AD Password Protection + OpenPasswordFilter for a proactive password policy, validated in lab the blocking of compromised passwords, executed SharpHound + Purple Knight + PingCastle on the customer AD and produced a prioritized remediation plan.
    • SMB/AD enumeration at scale: null-session and ADMIN$/C$/IPC$ share verification across ~4,274 hosts in the assessment cycle, correlation with Nessus findings, enumeration of accounts with PreauthNotRequired via PowerView.
    • Identified privilege escalation paths via a group with write permission on a GPO linked to a broad OU (excluding only DCs and Domain/Enterprise Admins) — analysis shared with the customer as the basis for AD remediation.
    • Recurring deliverables and honest OT/SCADA exposure: produced pentest reports, hardening plans and remediation documentation throughout the customer engagement, with Nessus containerized on Docker for recurring scans. Identified RCE on an industrial server via outdated service, validated exploitability in lab, and contributed to remediation planning. No work with industrial protocols or large-scale OT architecture.
    PingCastle · BloodHound · Purple Knight · PowerView · Lithnet · OpenPasswordFilter · Nessus · ADFS
  3. Data Center Technician · AWS (Amazon Web Services)

    12-month internship at an AWS data center — first formal exposure to infrastructure operations at hyperscaler scale. Hardware networking, hands-on troubleshooting, strict change management under rigorous runbooks. Operational discipline that underpins my detection engineering work today.

    • Physical infrastructure operations at hyperscaler scale: bench work on rack and network gear in an AWS data center, under approved change windows and formal rollback procedures — 12 months of continuous exposure to rigorous runbooks and blast-radius awareness.
    • First formal exposure to cloud-scale infrastructure: capacity planning, electrical and cooling redundancy, production maintenance flow in a multi-tenant environment — operational foundation that today underpins technical conversations with SREs and SOC capacity planning.
    • Operational discipline inherited from the hyperscaler: change discipline, runbook obsession and "production-first" posture — principles later applied to detection engineering (never run a new rule in production without prior lab validation) and to SIEM architecture (capacity-justified vs. capacity-guessed).


Technical stack

SIEM & Detection

Wazuh · Sigma · OpenSearch · Graylog · custom regex/decoders · MITRE ATT&CK · Filebeat

EDR

CrowdStrike Falcon (CQL · RTR · custom IOA) · SentinelOne (POC lead) · Microsoft Defender for Endpoint · Sysmon

Vulnerability Management

DefectDojo · Acunetix · Nessus · ProjectDiscovery · Nuclei

Active Directory

BloodHound · PingCastle · Purple Knight · PowerView · Impacket · Rubeus · Lithnet · OpenPasswordFilter · ADFS

Network & WAF

CheckPoint · F5 BigIP (iRules TCL) · iControl REST · ModSecurity · ModSec Sync (Flask/Python) · pfSense · Suricata · Zeek

Cloud & Identity

AWS (CloudTrail · IAM · S3) · Azure AD/Entra · Microsoft 365 · Microsoft Purview · Microsoft Graph API

SOAR & Pipeline

TheHive · Cortex (Responders) · n8n · Discord/Teams webhooks · NGINX Proxy Manager

Threat Intelligence

MISP (5 feeds) · CrowdStrike CTI · CISA KEV · CVSS · EPSS · SocRadar

Hardening & Compliance

CIS Benchmarks L1 · RHEL 7/8 · Debian 11 · Ubuntu 18/20/22 · Windows 10/Server 2012R2/2016/2019 · Lynis · Atomic Red Team

Scripting & Automation

Python · Flask · Bash · PowerShell · Git · REST APIs (CrowdStrike · Graph · BigIP iControl · SocRadar)


SOC Home Lab

Personal functional SOC on Proxmox VMs (8 VMs · 32 GB RAM, ongoing since 03/2023). Wazuh + OpenSearch ingesting events from Windows AD, Linux, pfSense, and Suricata. Sigma rules versioned in Git, mapped to MITRE ATT&CK, tested pre-merge in CI. Isolated research environment — metrics below are lab data, not corporate production.

Architecture
  • pfSense · Suricata IDS → Wazuh manager
  • DC01-LAB (AD) · Sysmon + WEF
  • WKSTN-01..04 · Wazuh agent
  • OpenSearch + Sigma rules · alerts · dashboards · hunts

Lab metrics · last 30 days · research environment
  • Sigma rules: 52 (+4 this month)
  • Events/day: 340K (rolling 7d)
  • MTTD: 6m 48s (−22% vs baseline)
  • TTPs covered: 37 (MITRE ATT&CK)

Notable detections
  • T1558.003 · Kerberoasting via TGS 0x17 · severity: high
  • T1003.006 · DCSync replication rights abuse · severity: critical
  • T1558.004 · AS-REP Roasting (no preauth) · severity: high
  • T1059.001 · PowerShell encoded command · severity: medium
  • T1110.001 · SSH brute force via pfSense · severity: medium


Credentials


Let’s talk about a senior role.

Detection Engineering, Threat Hunting, or Security Operations. Remote, SP hybrid, or international relocation.

In the first month I deliver: an honest review of the current detection stack, a gap map against MITRE ATT&CK, and 3–5 Sigma rules prioritized by business risk.