🟢 Available for Opportunities

Asad Noor

SOC Analyst & SIEM Engineer at PostEx (Fintech) — building and operating enterprise security monitoring infrastructure using Splunk Enterprise, Wazuh, Elastic Fleet, and Security Onion across 100+ servers and 500+ endpoints. Detection engineer with 40+ MITRE ATT&CK-mapped rules. TryHackMe Top 1%.

Open To:
✓ Cybersecurity Engineer ✓ SIEM Engineer ✓ Detection Engineer ✓ Threat Hunter ✓ Infrastructure Security ✓ VAPT Projects ✓ Web App Security Testing ✓ Bug Bounty Collaboration
500+ Endpoints Managed
100+ Servers Monitored
40+ Detection Rules
40% FP Reduction
<2 min Mean Time to Notify
218 THM Rooms
39 THM Badges
Top 1% TryHackMe Global

About

I’m a SOC Analyst & SIEM Engineer (titled Assistant Manager – Data Center) at PostEx, a high-volume fintech and logistics company in Lahore, Pakistan. Over the past 3+ years I’ve designed, deployed, and operated the full enterprise security monitoring stack — from initial log ingestion to detection rule engineering and incident response.

My daily work involves operating a multi-SIEM environment: Splunk Enterprise for log aggregation and SPL-based detection, Wazuh for XDR/HIDS across 500+ endpoints, and Elastic Fleet with Elastic Defend for EDR across 100+ cross-platform servers. I’ve built 40+ MITRE ATT&CK-mapped detection rules and reduced false positive rates by 40% through systematic tuning.

Beyond SIEM work, I design network security architecture, manage MikroTik and Cisco infrastructure, run vulnerability assessments using OpenVAS and Nmap, and conduct web application security testing. I’m a TryHackMe Top 1% ranked practitioner and actively practice offensive security skills.

Current Role
Assistant Manager – Data Center
PostEx Fintech, Lahore

Specialization
SIEM Engineering · Detection Engineering
Threat Hunting · Infrastructure Security

TryHackMe
Top 1% Global · Rank #19,078
218 Rooms · 39 Badges

Education
BS Computer Science
NCBA&E, Lahore — 2022

Experience

SOC Analyst & SIEM Engineer / Assistant Manager – Data Center

PostEx — Fintech / Logistics, Lahore
Jan 2025 – Present
Splunk Enterprise · Wazuh · Elastic Fleet · Elastic Defend · Security Onion · MITRE ATT&CK · Threat Hunting · Incident Response
  • Architect and operate fully on-premises multi-SIEM environment: Splunk Enterprise (core router, WAN, Windows/Linux log collection, syslog aggregation, dashboards, alerting) + Wazuh (500+ endpoint XDR, FIM, vulnerability detection, compliance) + Elastic Fleet + Elastic Defend (100+ server EDR).
  • Engineered 40+ custom detection rules mapped to MITRE ATT&CK (T1059, T1486, T1110, T1078 and more); reduced false positives by 40% through systematic audit-mode tuning.
  • Built SOC automation pipeline: n8n → Wazuh webhook → VirusTotal/AbuseIPDB enrichment → Telegram alert → JIRA ticket. Mean Time to Notify: <2 minutes.
  • Perform Tier 1 & 2 SOC operations: dashboard monitoring, alert triage, incident investigation, root cause analysis, containment, and post-incident reporting.
  • Conduct proactive threat hunting, vulnerability scanning (OpenVAS/Nmap), OS hardening (CIS benchmarks), and manage network security architecture (MikroTik, VLAN segmentation, VPN).

Assistant Network Administrator

PostEx / CALL Courier — Lahore
May 2023 – Dec 2024
MikroTik RouterOS · Cisco IOS · OSPF / BGP · VLAN · L2VPN · Firewall · Network Security
  • Monitored network infrastructure health across firewalls, routers, and switches; supported early-stage security alert response.
  • Configured and maintained MikroTik routers including OSPF, BGP routing protocols and L2VPN tunnels for high-availability inter-site connectivity.
  • Assisted in firewall rule updates, VLAN configuration, and network segmentation to enforce zero-trust access control.
  • Maintained network topology documentation, device configurations, firewall rules, and operational procedures.

Technical Support Engineer

StormFiber — Pakistan
Feb 2023 – May 2023
L1 / L2 / L3 Support · TCP/IP · Network Troubleshooting · NOC
  • Diagnosed network faults at L1/L2/L3 and escalated unresolved cases per defined procedures.
  • Coordinated with field engineers and NOC teams to restore service availability during outages.

Tech Stack

Defensive Security

Splunk Enterprise
Wazuh XDR
Elastic Fleet
Elastic Defend
Security Onion
ELK Stack

Detection Engineering

Sigma Rules
Splunk SPL
MITRE ATT&CK
Sysmon
Elastic EQL
YARA Rules

Networking

Cisco IOS
MikroTik
VLAN / Subnets
VPN / WireGuard
Firewalls

Infrastructure

Proxmox VE
VMware ESXi
Docker
Linux (Ubuntu/RHEL)
Windows Server / AD
Ansible

Offensive / VAPT

Burp Suite
OWASP Top 10
Nmap / OpenVAS
Bug Bounty Research

Projects

Flagship

Enterprise Security Monitoring Platform

Multi-SIEM production platform: Splunk Enterprise + Wazuh XDR + Elastic Fleet + Security Onion on Proxmox VE. 500+ endpoints, 100+ servers, <2 min MTTN.

Splunk · Wazuh · Elastic Fleet · Security Onion · Proxmox · Docker
SIEM

Splunk Enterprise SIEM Deployment

Full Splunk production deployment: core router, WAN, Windows/Linux log collection, syslog aggregation, 20+ SPL detection rules, custom dashboards, alerting.

Splunk · SPL · Universal Forwarder · HEC · Dashboards
XDR

Wazuh XDR: 500+ Endpoint Deployment

Production Wazuh deployment: agent management via GPO/Ansible, FIM, vulnerability detection (NVD), PCI-DSS/GDPR compliance monitoring, active response automation.

Wazuh · FIM · Vulnerability Detection · Compliance · Active Response
EDR

Elastic Fleet + Elastic Defend: 100+ Servers

Elastic Fleet EDR deployment across 100+ cross-platform servers. Malware prevention, memory protection, LSASS guard, behavioral detection, EQL/KQL rules in Elastic SIEM.

Elastic Fleet · Elastic Defend · EQL · EDR · SIEM
Detection

40+ MITRE ATT&CK Detection Rules

Custom detection rules across Splunk SPL, Wazuh XML, Sigma, and Elastic EQL. Coverage: ransomware (T1486), lateral movement, persistence, privilege escalation.

Sigma · SPL · Wazuh Rules · EQL · MITRE ATT&CK
Automation

SOC Automation Pipeline (n8n)

End-to-end SOC automation: Wazuh webhook → IP/domain enrichment (VirusTotal + AbuseIPDB) → Telegram alert → JIRA ticket. MTTN <2 min.

n8n · VirusTotal API · AbuseIPDB · Telegram · JIRA
Infrastructure

Home Lab Architecture

Full Proxmox VE home lab: 8 VMs, 6-VLAN network segmentation, full security stack deployment, WireGuard VPN, IDS/IPS with Suricata, and attack simulation environment.

Proxmox · VLANs · Suricata · WireGuard · Docker
NSM

Security Onion NSM Deployment

Network Security Monitoring with Suricata IDS, Zeek/Bro traffic analysis, JA3/JA3S TLS fingerprinting for encrypted C2 detection, full packet capture.

Security Onion · Suricata · Zeek · JA3 · NSM
VAPT

Web Application Penetration Testing

Methodology-driven web app security testing: OWASP Top 10 coverage, SQL injection, XSS, IDOR, authentication flaws, business logic vulnerabilities. Burp Suite Pro.

Burp Suite · OWASP Top 10 · SQL Injection · XSS · IDOR
Bug Bounty

Bug Bounty Recon Automation

Automated bug bounty reconnaissance pipeline: subdomain enumeration, port scanning, tech fingerprinting, custom nuclei templates, vulnerability chaining methodology.

Subfinder · Nuclei · Amass · FFUF · Recon Automation

Continuous Learning

TryHackMe
Cybersecurity Training Platform
Top 1% Global Rank
#19,078 Rank Number
218 Rooms Completed
39 Badges Earned
✓ Cyber Security 101 ✓ Jr. Penetration Tester ✓ SOC Level 1 ✓ DevSecOps ✓ Web Fundamentals ✓ Advent of Cyber 2025
PortSwigger Web Security Academy
Advanced Web Application Security
Practicing real-world web application attack techniques through PortSwigger’s hands-on labs. Each topic includes theory, interactive labs, and expert-level challenges mirroring actual bug bounty and pentest scenarios.
SQL Injection
Cross-Site Scripting (XSS)
SSRF & XXE
Access Control Vulnerabilities
Authentication Flaws
CSRF
Business Logic Vulnerabilities
Web Cache Poisoning

Security Research

Custom detection content, threat hunting queries, and detection engineering outputs from production work.

SPL

Splunk Detection: Brute Force

T1110.001 — Detect 5+ failed logins (Windows Event ID 4625) from a single source within a 2-minute window. The search buckets events into 2-minute bins with bin so that stats counts failures per source, per account, per window rather than over the whole search range.

index=windows EventCode=4625
| bin _time span=2m
| stats count by _time, src_ip, Account_Name
| where count >= 5
| eval severity="HIGH"
| table _time, src_ip, Account_Name, count, severity
T1110.001 · Windows · Authentication
Sigma

Sigma: Suspicious PowerShell

T1059.001 — Detect encoded PowerShell execution and download cradles commonly used in malware delivery.

title: Suspicious PowerShell Execution
id: a4e4c5e1-b2f3-4d6a-8c9b
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'encodedcommand'
      - 'iex (new-object'
      - 'downloadstring'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001
T1059.001 · PowerShell · Execution
Wazuh XML

Wazuh: Web Shell Detection

T1505.003 — FIM-based detection of PHP/ASP files dropped in web document roots.

<group name="syscheck,web_shell,">
  <!-- 550 = syscheck: file modified, 554 = syscheck: file added.
       Alert when the changed path is a PHP/ASPX file under a web document root. -->
  <rule id="100003" level="15">
    <if_sid>550,554</if_sid>
    <field name="file">\.php$|\.aspx$</field>
    <match>/var/www|inetpub</match>
    <description>Web shell dropped [T1505.003]</description>
    <mitre><id>T1505.003</id></mitre>
  </rule>
</group>
T1505.003 · FIM · Web Shell
EQL

Elastic EQL: Lateral Movement

T1021 — Detect PsExec-style lateral movement using Elastic EQL sequence correlation.

// Per host, within 2 minutes: a network event from services.exe followed by
// services.exe starting a child that is not svchost.exe.
// network.direction uses the ECS value "egress"; "outgoing" is not an ECS value.
sequence by host.name with maxspan=2m
  [network where process.name == "services.exe"
   and network.direction == "egress"]
  [process where event.type == "start"
   and process.parent.name == "services.exe"
   and process.name != "svchost.exe"]
T1021 · Lateral Movement · EQL
Threat Hunt

Hunt: Living-off-the-Land Binaries

Threat hunt query identifying LOLBins (certutil, mshta, wmic, regsvr32) used for malware download or code execution.

index=windows EventCode=4688
  ((Process_Name="certutil.exe" AND CommandLine="*-urlcache*")
   OR (Process_Name="mshta.exe" AND CommandLine="*http*")
   OR (Process_Name="wmic.exe" AND CommandLine="*process call create*")
   OR (Process_Name="regsvr32.exe" AND CommandLine="*scrobj.dll*"))
| table _time, host, Process_Name, CommandLine, Account_Name
LOLBins · T1218 · Threat Hunting
Wazuh XML

Wazuh: Ransomware Behavior

T1486 — Detect mass file rename/modification indicative of ransomware encryption activity via FIM correlation.

<group name="syscheck,ransomware,">
  <!-- Fires when 20 or more syscheck (FIM) alerts of any kind (added, modified,
       deleted) come from the same agent/location within 30 seconds.
       frequency and timeframe are attributes of <rule>; correlation across
       earlier alerts uses if_matched_group. -->
  <rule id="100010" level="14" frequency="20" timeframe="30">
    <if_matched_group>syscheck</if_matched_group>
    <same_location/>
    <description>Ransomware: mass FIM modification [T1486]</description>
    <mitre><id>T1486</id></mitre>
  </rule>
</group>
T1486 · Ransomware · FIM
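The brute-force rule and the ransomware rule above are both frequency correlations: N events sharing a key inside a time window. The Python below is an added example, not code from this page or from Splunk/Wazuh, that models that sliding-window logic generically and runs it over constructed events for both cases (5+ failed logons per source and account within 120 s; 20+ FIM changes per agent within 30 s). Event shapes, hostnames, IPs and paths are invented for the example.

```python
"""Sliding-window threshold correlation over constructed events (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Hashable, Iterable, List


@dataclass(frozen=True)
class Alert:
    rule: str
    key: Hashable
    count: int
    window_end: float  # timestamp of the event that crossed the threshold


def correlate(events: Iterable[dict], rule: str, key_fn: Callable[[dict], Hashable],
              threshold: int, timeframe: float) -> List[Alert]:
    """Emit one Alert per key each time `threshold` events from that key fall
    inside a trailing window of `timeframe` seconds. Events must be sorted by
    'ts'. The key's window is cleared after firing, so a sustained burst yields
    one alert per `threshold` events instead of one per event."""
    windows: Dict[Hashable, Deque[float]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ev in events:
        key = key_fn(ev)
        win = windows[key]
        win.append(ev["ts"])
        # Evict timestamps that have aged out of the trailing window.
        while win and ev["ts"] - win[0] > timeframe:
            win.popleft()
        if len(win) >= threshold:
            alerts.append(Alert(rule, key, len(win), ev["ts"]))
            win.clear()
    return alerts


# Constructed sample 1: failed logons (Event ID 4625 equivalents). 10.0.0.5 fails
# 5 times in 80 s; 10.0.0.9 fails 5 times spread over 10 minutes (below threshold).
LOGON_FAILURES = (
    [{"ts": 1000 + 20 * i, "src_ip": "10.0.0.5", "user": "admin"} for i in range(5)]
    + [{"ts": 1000 + 150 * i, "src_ip": "10.0.0.9", "user": "svc"} for i in range(5)]
)
LOGON_FAILURES.sort(key=lambda e: e["ts"])


def brute_force_alerts() -> List[Alert]:
    """5+ failures per (source, account) inside a 2-minute window."""
    return correlate(LOGON_FAILURES, "T1110.001 brute force",
                     key_fn=lambda e: (e["src_ip"], e["user"]),
                     threshold=5, timeframe=120)


# Constructed sample 2: FIM (syscheck-style) events. Agent web01 touches 25 files
# in 10 s; agent db01 touches 20 files over 5 minutes (below threshold).
FIM_EVENTS = (
    [{"ts": 5000 + 0.4 * i, "agent": "web01", "path": f"/srv/docs/{i}.pdf.locked"} for i in range(25)]
    + [{"ts": 5000 + 15 * i, "agent": "db01", "path": f"/var/lib/app/{i}.dat"} for i in range(20)]
)
FIM_EVENTS.sort(key=lambda e: e["ts"])


def ransomware_alerts() -> List[Alert]:
    """20+ FIM changes per agent inside a 30-second window."""
    return correlate(FIM_EVENTS, "T1486 mass FIM modification",
                     key_fn=lambda e: e["agent"], threshold=20, timeframe=30)


if __name__ == "__main__":
    for alert in brute_force_alerts() + ransomware_alerts():
        print(alert)
```

The window is trailing rather than fixed-bucket, so five failures that straddle a 2-minute boundary still fire; a fixed-bin approach (like the bin-then-stats SPL above) can miss such a burst, which is the usual trade-off between scheduled searches and streaming correlation.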

Certifications

Only verified certifications from completed courses and learning paths. No invented credentials.

Cisco
CyberOps Associate: MITRE ATT&CK · Incident Handling · Detection Engineering
Ethical Hacker: OWASP Top 10 · Burp Suite · Digital Forensics
Cybersecurity Essentials: MITRE ATT&CK · Ransomware Mitigation · Forensics
CCNA: Routing Protocols · Network Security · MikroTik

Palo Alto Networks
Security Operations Center (SOC): MITRE ATT&CK · Digital Forensics · IR
Fundamentals of Network Security: NGFW · Access Control · Firewalls
Fundamentals of Cloud Security: Cloud Security · Information Security

TryHackMe
Cyber Security 101 Path: Core Security · Threat Analysis · SOC Basics
Jr. Penetration Tester Path: Web App Pentesting · SQLi · XSS · Auth Testing
DevSecOps Path: CI/CD Security · Container Security · Hardening
Advent of Cyber 2025: Blue Team · Log Analysis · Threat Investigation
Web Fundamentals Path: HTTP · Authentication · Web App Security

EC-Council
Hands-on Web Application Security: Burp Suite · TCP/IP · Vulnerability Reporting
SQL Injection Attacks: SQLi Methodology · Prevention Techniques

Get In Touch

Open to cybersecurity roles, SIEM/detection engineering contracts, VAPT projects, and bug bounty collaboration.