Aaron Johnson Tech — Security Operations, Detection Engineering, AI Security

Selected security projects

Case studies built for SOC, IR, detection, hardening, and AI-security hiring signals.

Each project now follows the same review path: security problem, lab environment, build steps, validation evidence, analyst takeaway, and the role skills it demonstrates.

Detection Engineering, Incident Response, Linux Hardening, AI-Assisted SOC Workflows, Documentation, Analyst Validation
Evidence-first case studies

Project pages now read like case studies instead of disconnected lab notes.

Recruiter goal

Make it easy to connect each project to real SOC, MDR, IR, detection, and AI-security work.

Primary evidence

Screenshots, architecture diagrams, validation steps, and documented analyst takeaways.

Narrative control

Projects emphasize defensive impact, operational discipline, and practical implementation.

Proof matrix

How the projects map to hiring needs

Hiring signal: Can investigate and tune SIEM alerts
Portfolio evidence: Wazuh SSH brute-force detection lab with custom rule logic, controlled activity generation, and Threat Hunting validation.

Hiring signal: Can harden systems safely
Portfolio evidence: Linux secure-access baseline with UFW default-deny, trusted-host SSH restriction, ED25519 keys, and rollback documentation.

Hiring signal: Can use AI without ignoring security risk
Portfolio evidence: Private RAG stack for SOC notes with local embeddings, Qdrant vector storage, FastAPI retrieval, OpenWebUI integration, and guardrails.

Hiring signal: Can document repeatable response workflows
Portfolio evidence: Phishing defense workflow with triage stages, escalation decision points, containment actions, and user-risk reduction steps.

Hiring signal: Understands attacker behavior defensively
Portfolio evidence: Controlled offensive lab series reframed around detection opportunities, telemetry questions, and hardening lessons.

AI security and workflow design

Featured

Private RAG Stack for SOC Notes

A local AI-assisted SOC knowledge workflow designed around privacy, repeatable retrieval, and analyst usability.

Problem: Private SOC notes should not be pasted into public AI tools.
Build: Ollama, OpenWebUI, Qdrant, Docker Compose, FastAPI retriever.
Validation: OpenWebUI connected to a local retrieval API and returned private evidence chunks.
Signal: AI security, workflow design, local LLM deployment, documentation.
Open full case study → / View GitHub repo →
Local AI, RAG, Qdrant, Ollama, SOC notes

Detection engineering

Wazuh Detection Engineering Lab: SSH Brute Force Against Windows

An end-to-end detection loop: controlled authentication activity, Windows endpoint telemetry, custom Wazuh rule logic, triage notes, and alert validation.

Problem: Authentication noise needed a higher-confidence analyst signal.
Build: Windows OpenSSH endpoint, Kali test host, Wazuh manager, custom rule.
Validation: Level 10 custom alerts confirmed in Wazuh Threat Hunting.
Signal: SIEM, detection tuning, investigation workflow, false-positive analysis.
Open full case study → / View GitHub repo →
Wazuh, Windows auth logs, Threat hunting, Custom rules
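The detection loop this card describes, shown as an added example rather than the lab's own Wazuh rule or telemetry: a shell/awk correlator that applies the same sliding-window logic a Wazuh rule expresses with its frequency and timeframe attributes (N failed logins from one source within T seconds), then escalates when a later successful login arrives from a source that already tripped the threshold, which is the higher-confidence signal an analyst actually wants. The sample log lines, hostname and addresses are constructed (RFC 5737 documentation ranges); the threshold of 5 and the 120-second window are assumptions, not the lab's tuned values.

```shell
#!/usr/bin/env sh
# Constructed sample of Windows OpenSSH sshd messages, written the way a Wazuh agent
# would forward the event text (ISO-8601 UTC timestamp, host, source, message).
# Not real telemetry; addresses are documentation ranges.
SAMPLE_LOG='2024-05-01T12:00:01Z WIN-SSH sshd: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
2024-05-01T12:00:03Z WIN-SSH sshd: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
2024-05-01T12:00:05Z WIN-SSH sshd: Failed password for administrator from 192.0.2.10 port 51238 ssh2
2024-05-01T12:00:07Z WIN-SSH sshd: Failed password for administrator from 192.0.2.10 port 51240 ssh2
2024-05-01T12:00:09Z WIN-SSH sshd: Failed password for administrator from 192.0.2.10 port 51242 ssh2
2024-05-01T12:00:20Z WIN-SSH sshd: Failed password for analyst from 198.51.100.7 port 40000 ssh2
2024-05-01T12:00:30Z WIN-SSH sshd: Accepted publickey for analyst from 198.51.100.7 port 40002 ssh2
2024-05-01T12:00:45Z WIN-SSH sshd: Accepted password for administrator from 192.0.2.10 port 51250 ssh2
2024-05-01T12:10:00Z WIN-SSH sshd: Failed password for analyst from 198.51.100.7 port 40010 ssh2
2024-05-01T12:20:00Z WIN-SSH sshd: Failed password for analyst from 198.51.100.7 port 40012 ssh2'

# detect_ssh_bruteforce THRESHOLD WINDOW_SECONDS  (log on stdin, time-ordered)
# Emits one BRUTE_FORCE line per source IP the first time THRESHOLD failures fall
# inside a WINDOW_SECONDS sliding window, and a SUCCESS_AFTER_BRUTE_FORCE line for
# any later accepted login from a source that already fired.
detect_ssh_bruteforce() {
  awk -v threshold="$1" -v window="$2" '
    # YYYY-MM-DDTHH:MM:SSZ -> Unix epoch, computed by hand (days-from-civil) so the
    # script also runs on mawk, where the gawk-only mktime() is missing.
    function to_epoch(ts,    y, m, d, H, M, S, era, yoe, doy, doe) {
      y = substr(ts, 1, 4) + 0; m = substr(ts, 6, 2) + 0; d = substr(ts, 9, 2) + 0
      H = substr(ts, 12, 2) + 0; M = substr(ts, 15, 2) + 0; S = substr(ts, 18, 2) + 0
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return (era * 146097 + doe - 719468) * 86400 + H * 3600 + M * 60 + S
    }
    # The address follows "from"; the account follows "for", after an optional
    # "invalid user" prefix that sshd adds for unknown accounts.
    function src_ip(    i) {
      for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
      return ""
    }
    function user_name(    i) {
      for (i = 1; i <= NF; i++) if ($i == "for") {
        if ($(i + 1) == "invalid") return $(i + 3)
        return $(i + 1)
      }
      return ""
    }
    /sshd: Failed password for / {
      ip = src_ip(); now = to_epoch($1)
      n[ip]++; t[ip, n[ip]] = now; ts[ip, n[ip]] = $1
      if (n[ip] == 1) head[ip] = 1
      # Evict failures that fell out of the sliding window.
      while (t[ip, head[ip]] < now - window) head[ip]++
      if (!(ip in fired) && n[ip] - head[ip] + 1 >= threshold) {
        fired[ip] = 1
        printf "BRUTE_FORCE srcip=%s failures=%d window=%ds first=%s last=%s\n",
               ip, n[ip] - head[ip] + 1, window, ts[ip, head[ip]], $1
      }
    }
    /sshd: Accepted (password|publickey) for / {
      ip = src_ip()
      if (ip in fired)
        printf "SUCCESS_AFTER_BRUTE_FORCE srcip=%s user=%s at=%s\n", ip, user_name(), $1
    }
  '
}

printf '%s\n' "$SAMPLE_LOG" | detect_ssh_bruteforce 5 120
```

Against the constructed sample, 192.0.2.10 fires after its fifth failure in eight seconds and again when its password login succeeds at 12:00:45; 198.51.100.7 never fires because its three failures are spread over twenty minutes, which is the false-positive case a bare "any failed login" rule would have alerted on. Tuning means moving the threshold and window, not the matching logic.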

Hardening and secure access

Linux Hardening & Secure Access Control

A secure Linux access baseline that pairs technical controls with change discipline and rollback planning.

Problem: Linux SSH exposure needed tighter access control.
Build: UFW default deny, trusted-host SSH rule, ED25519 keys, sshd hardening.
Validation: Firewall status, service restart checks, key-only login confirmation.
Signal: Secure administration, control validation, rollback planning.
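The baseline this card lists, written out as an added example with the change discipline the page calls for (backup, pre-restart validation with sshd -t, rollback on failure, confirmation from the effective config rather than the file). It is not the project's own script. Assumptions not taken from the page: the trusted admin host is 203.0.113.5 (a documentation address), sshd honours the /etc/ssh/sshd_config.d/ include directory (OpenSSH 8.2 and later on Debian/Ubuntu), and the service unit is named ssh or sshd.

```shell
#!/usr/bin/env sh
# Added example of a secure-access baseline with a rollback path.
# Assumed values (not from the page): jump-host address, drop-in path, unit name.
set -eu

TRUSTED_HOST="${TRUSTED_HOST:-203.0.113.5}"
SSH_PORT="${SSH_PORT:-22}"
SSHD_DROPIN="${SSHD_DROPIN:-/etc/ssh/sshd_config.d/10-hardening.conf}"

# Hardened sshd settings as a drop-in, so the distro's sshd_config is untouched and
# rollback is "delete one file". AllowUsers pins logins to the trusted host at the
# sshd layer as well as the firewall layer.
render_sshd_dropin() {
  cat <<EOF
# Managed by harden-ssh.sh. Rollback: remove this file, run 'sshd -t', restart sshd.
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
AllowUsers *@$TRUSTED_HOST
EOF
}

# Verify that a config text carries every required directive. Works on the drop-in
# file or on a dump of the effective config from 'sshd -T' (which prints keys in
# lowercase, hence the case fold). Returns 1 and names what is missing otherwise.
check_sshd_settings() {
  cfg="$(tr 'A-Z' 'a-z' < "$1")"
  rc=0
  for want in "permitrootlogin no" "passwordauthentication no" \
              "kbdinteractiveauthentication no" "pubkeyauthentication yes"; do
    if ! printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*${want%% *}[[:space:]]+${want#* }[[:space:]]*$"; then
      echo "missing: $want" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Run on the admin host, not the server: Ed25519 key, KDF rounds raised so the
# passphrase-wrapped private key is slower to brute-force if it leaks.
generate_admin_key() {
  ssh-keygen -t ed25519 -a 100 -C "admin@${TRUSTED_HOST}" -f "${HOME}/.ssh/id_ed25519_admin"
}

# Default-deny inbound with one SSH allow rule scoped to the trusted host. Run it
# from a session that originates on TRUSTED_HOST, or the enable step locks you out.
apply_firewall() {
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow from "$TRUSTED_HOST" to any port "$SSH_PORT" proto tcp
  ufw --force enable
  ufw status verbose
}

# Back up, write, validate with 'sshd -t' before restarting, roll back on failure,
# then check the effective config. Keep the current session open and prove a fresh
# key-only login works before closing it.
apply_sshd() {
  backup=""
  if [ -f "$SSHD_DROPIN" ]; then
    backup="$SSHD_DROPIN.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$SSHD_DROPIN" "$backup"
  fi
  render_sshd_dropin > "$SSHD_DROPIN"
  chmod 0600 "$SSHD_DROPIN"
  if ! sshd -t; then
    echo "sshd -t rejected the new config; rolling back" >&2
    if [ -n "$backup" ]; then mv "$backup" "$SSHD_DROPIN"; else rm -f "$SSHD_DROPIN"; fi
    return 1
  fi
  systemctl restart ssh 2>/dev/null || systemctl restart sshd
  check_effective
}

check_effective() {
  dump="$(mktemp)"
  sshd -T > "$dump"
  rc=0
  check_sshd_settings "$dump" || rc=$?
  rm -f "$dump"
  return "$rc"
}

case "${1:-}" in
  render) render_sshd_dropin ;;
  check)  check_effective ;;
  keygen) generate_admin_key ;;
  apply)  apply_firewall; apply_sshd ;;
  *)      echo "usage: $0 render|check|keygen|apply" ;;
esac
```

The validation evidence the card lists (firewall status, service restart check, key-only login confirmation) maps onto ufw status verbose, the sshd -t gate before systemctl restart, and the sshd -T dump checked by check_sshd_settings; the last one matters because a directive in the file can be overridden by an earlier Include or a Match block, so only the effective config proves password logins are actually off.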

Incident response and phishing defense

Phishing Defense & Investigation Workflow

A repeatable investigation workflow for user-reported suspicious emails: indicator review, risk scoring, escalation, containment, and documentation.

Problem: Suspicious emails require consistent triage and escalation.
Build: Triage stages, indicator review, containment decision points, user-awareness loop.
Validation: Scenario-based workflow with expected evidence fields and analyst notes.
Signal: IR discipline, documentation, user-risk reduction, analyst communication.
Open full case study →
Phishing triage, IR workflow, Escalation, Documentation

Supporting lab evidence

Controlled Offensive Security Lab Series — Defensive Perspective

Controlled CTF-style exercises reframed around what defenders should log, detect, investigate, and harden.

Problem: Defensive analysts need attacker-methodology context.
Build: Enumeration, web review, credential exposure awareness, privilege-escalation context.
Validation: Lab notes translated into SOC/IR and hardening takeaways.
Signal: Adversary thinking without branding the site as offensive-first.
Open full case study →
Enumeration, Telemetry questions, Defensive hardening, MITRE mindset

Recruiter packet

Need the one-page version?

Download a concise hiring brief with target roles, credentials, project proof, and contact links.

Download hiring brief