Security Engineer & Detection Specialist

Sunny Shah

I turn noisy telemetry into high-fidelity detections and build tooling that accelerates SOC workflows.

Reduced false positives by 60% and compute cost by 95% through detection engineering at scale.

MS Computer Engineering, San Jose State University (Graduating May 2026) · Former Security Engineer Intern @ Meta

Open to New Grad: Security Engineer · Detection Engineer · SOC Analyst · Incident Response (Summer 2026)

Skills: SIEM / Alert Triage · Detection Engineering · MITRE ATT&CK · Threat Intel · Python Automation · Splunk · Cloud Logs

About

Security-focused engineer with hands-on experience in SOC operations, detection engineering, and automation. I specialize in turning noisy telemetry into high-fidelity detections and building tools that accelerate analyst workflows. Seeking New Grad Security Engineering roles starting Summer 2026.

  • Detection engineering — Design and tune alerts, reduce false positives, map to MITRE ATT&CK
  • Incident response — Triage → scope → contain → document, with clear communication and repeatable playbooks
  • Automation — Python tooling for parsing, enrichment, correlation, reporting, and investigation workflow improvements

Experience

Security Engineer Intern — Meta

Summer 2025

Insider Trust — SDR

  • Built and deployed production-grade SQL detections on billion-row datasets supporting 4B+ users, using TTP-based threat modeling to align coverage with real-world attacker behaviors.
  • Reduced false positives by 60% and cut compute costs by 95% through detection tuning, query optimization, and structured validation in controlled test environments.
  • Designed scalable response automation workflows adopted across 10+ detections, decreasing alert triage time by 40% and contributing to a 25% reduction in MTTR.
  • Identified and closed a detection gap between data exfiltration and downstream misuse by engineering correlation logic that strengthened defense-in-depth controls.
  • Collaborated with Security Operations and Incident Response to investigate high-fidelity alerts, shadow SEV escalations, and deliver a standardized threat response playbook.

Security Engineer Intern — Meta

January 2024 – May 2024

  • Led Tier 1 SOC triage in a 24/7 environment, analyzing 150–200 daily SIEM/EDR alerts (Splunk, Microsoft Sentinel, Wazuh) and reducing MTTR by 30% across phishing, malware, and intrusion cases.
  • Performed static and dynamic malware analysis in sandbox environments, extracting IOCs and identifying C2 activity to accelerate threat containment by 40%.
  • Strengthened detection quality by tuning SIEM correlation rules using SPL and KQL, decreasing false positives by 25% and improving alert fidelity.
  • Investigated OWASP Top 10 web application attacks and conducted internal penetration testing, driving remediation that reduced high-risk vulnerabilities by 25%.
  • Mapped adversary TTPs to MITRE ATT&CK and authored executive-ready incident reports, maintaining 95%+ SLA compliance while improving cross-team coordination.

Security Engineer Intern — Meta

August 2022 – December 2023

  • Secured 500+ endpoints across multi-client environments by triaging 40–60 daily alerts using Splunk, Suricata (IDS/IPS), and FortiGate, detecting phishing, malware callbacks, and unauthorized access.
  • Improved SOC efficiency by reducing false positives by 35% through detection tuning, correlation rule refinement, and IDS threshold optimization.
  • Accelerated investigations via host and network forensic analysis (Windows/Linux logs, PCAP), improving mean time to detect by 25%.
  • Strengthened containment with firewall rule updates, IP/domain blocking, and access control corrections, contributing to a 20% reduction in MTTR.
  • Identified exploitable attack paths through vulnerability scanning (Nmap) and validation (Metasploit, Burp Suite), driving remediation that reduced external risk exposure by 40%.

Featured Projects

Tags: Research · Correlation · MITRE

Event Correlation using Agentic AI in SOC

Master’s project: correlation framework to connect related events/alerts and reduce analyst workload with explainable outputs.

  • Designed correlation logic for multi-step incidents across distributed logs (identity/IP/device context)
  • Mapped correlated events to MITRE ATT&CK tactics/techniques for consistent triage and reporting
  • Analyst-friendly workflows: signal prioritization, investigation summaries, clear evidence chains

Tags: Python · Streamlit · IOC

Threat Intelligence Feed Analyzer

IOC matching and correlation across logs, enrichment links, and MITRE ATT&CK mapping for SOC-style investigations.

  • Parses uploaded logs, matches against threat intel feeds, highlights correlated IOCs across events
  • Enrichment workflow (VirusTotal / AbuseIPDB links), risk tagging, analyst notes, investigation-ready outputs
  • Summary metrics: logs scanned, IOCs detected, high-risk IOCs, top MITRE tactics/techniques

Tags: AWS · Cloud · Detection

Cloud Incident Correlation and Detection (CIRC) Platform

Cloud-based log ingestion and incident correlation with IOC matching, enrichment, and MITRE ATT&CK mapping for SOC investigations.

  • Ingests AWS CloudTrail and VPC Flow logs, normalizes events, detects suspicious activity with rule-based logic
  • Correlates related alerts into structured incidents with severity scoring and contextual mapping
  • Streamlit analyst dashboard with investigation-ready outputs and SOC-style workflow visibility

Tags: Automation · Detection · Response

Advanced Threat Detection and Response Automation

Automated threat detection pipeline with IOC matching, alert enrichment, and response-driven analytics for SOC environments.

  • Analyzes security telemetry and detects suspicious activity using rule-based and analytic logic
  • Automates IOC matching and enrichment workflows to accelerate investigation
  • Streamlines incident response through structured alerting and response-ready outputs

Skills

Security

  • SOC workflows · Incident triage · Detection engineering
  • MITRE ATT&CK · Threat intel · IOC enrichment
  • SIEM concepts · Alert tuning · False positive reduction
  • Windows/Linux fundamentals · Networking fundamentals

Tools & Tech

  • Python · Git · Bash
  • Splunk · Falcon · Wazuh · Microsoft Sentinel
  • Cloud logs: AWS CloudTrail · Azure · GCP
  • Streamlit · Pandas · Data parsing & reporting

Contact

Open to New Grad Security Engineering roles (Summer 2026). Reach out via email or LinkedIn.

No contact form — use email or LinkedIn. (Form would require a backend service.)