Kenneth Cho - based in Warrington, UK
Some people learn about attacks from textbooks. I learned by containing one, isolating hundreds of live systems under real pressure, building the recovery plan, and making sure it never happened again. That experience shaped how I think about every security problem: assume breach, move fast, document everything.
I got into security because I find the adversarial nature of it genuinely fascinating. Every attacker has a technique; every technique has a tell. My job is to know the tells before the attack happens, and build systems that catch what human attention misses.
My background spans hands-on incident response and structured cloud architecture, so I can hold a conversation about IAM policy misconfigurations just as easily as I can triage a SIEM alert at 2am. Good security people are also good communicators; the technical work only matters if stakeholders understand the risk.
Outside of work I run a home lab where I simulate attack scenarios, build detection tooling, and deliberately break things in controlled ways. It's where I stay sharp and stay honest about what I actually know versus what I think I know.
I approach every defensive task by asking: how would I get past this? That perspective keeps controls honest and detection logic grounded in reality, not wishful thinking.
Every incident I've worked, every system I've hardened, I leave a paper trail. Good documentation turns a one-off fix into institutional knowledge that survives personnel changes.
Seven active repositories. A home SOC running 24/7. I learn by making things, not just reading about them, and that habit compounds fast.
I build SIEM detection logic that actually fires on real threats, not noise. I've mapped live attack behaviour to MITRE ATT&CK and tuned pipelines in both Splunk and Wazuh to cut false-positive fatigue.
AWS environments I touch get hardened with least-privilege IAM, GuardDuty coverage, and CloudTrail visibility from day one. Security by design, not as an afterthought.
Repetitive security tasks shouldn't stay manual. I write Python, Rust, and Bash automation to remove toil, from log parsing to endpoint compliance checks to custom alerting pipelines.
I've found and responsibly disclosed real vulnerabilities. I use CVSS prioritisation and have hands-on experience with Nessus and Burp Suite in structured assessment workflows.
I've led a live incident response under real pressure, not a simulation: containing spread, coordinating with authorities, authoring the DR plan, and restoring operations across hundreds of endpoints.
Orphaned accounts and privilege creep are silent risks. I've run joiner-mover-leaver reviews and access audits, turning IAM hygiene from a checklist into a repeatable process.
I don't list tools I've only watched tutorials on. Every item here is something I've used to solve a real problem, in a lab, an internship, or a live incident.
Highlighted items are where I'm strongest and most immediately effective on day one.
Running IoT-connected production machinery in a high-throughput environment isn't far from running infrastructure. You develop an eye for anomaly: when a system deviates from expected behaviour, you investigate before it becomes a failure. I built that instinct here: staying alert in noisy, fast-moving environments, maintaining zero reportable safety incidents, and keeping 100% accurate logs that survived every audit cycle.
My first direct exposure to enterprise security workflows. I handled 20–30 support tickets weekly at 95%+ first-contact resolution, but the more interesting work was IAM hygiene: running user access reviews, catching stale accounts from leavers before they became a liability, and tightening endpoint antivirus compliance across the fleet. I left with runbooks that actually got used by the team after I left, which is the metric I care about.
This wasn't a tabletop exercise. A real attack hit school infrastructure during my T-Level studies, and a small team including myself stepped in to contain it. We isolated around 500 endpoints under pressure, executed a controlled shutdown to stop lateral spread, and I helped write the disaster recovery plan that brought systems back online securely. The post-incident documentation I contributed to became the foundation for the school's revised security posture. Coordinating that under real stakes, with external authorities involved, is the kind of experience that can't be manufactured in a lab.
My personal threat lab: ELK Stack and Wazuh running 24/7, ingesting logs from deliberately triggered attack scenarios. I simulate brute-force and lateral movement to test whether my detection logic actually catches them. Every rule I ship here is one I believe in.
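The kind of brute-force detection logic a lab like this exists to test, as an added example that is not the author's own rule set: a sliding-window counter over sshd-style authentication log lines. The log lines, the 5-failures-in-60-seconds threshold and the IP addresses are constructed for the example; a production rule would also key on destination host and account.

```python
"""Brute-force detection over constructed sshd-style auth log lines.

Added example, not the author's lab rules. Threshold (5 failures) and
window (60 s) are assumptions chosen for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample log: one source bursts failures then succeeds, another
# source fails twice far apart (should not alert). Timestamps and IPs are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 50001 ssh2
2024-05-01T10:00:03 sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 50002 ssh2
2024-05-01T10:00:05 sshd[101]: Failed password for root from 203.0.113.9 port 50003 ssh2
2024-05-01T10:00:07 sshd[101]: Failed password for root from 203.0.113.9 port 50004 ssh2
2024-05-01T10:00:09 sshd[101]: Failed password for root from 203.0.113.9 port 50005 ssh2
2024-05-01T10:00:12 sshd[101]: Accepted password for root from 203.0.113.9 port 50006 ssh2
2024-05-01T10:00:30 sshd[102]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-05-01T10:30:00 sshd[103]: Failed password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return alerts as (src, kind, timestamp) tuples.

    kind is 'brute_force' when `threshold` failures from one source fall inside
    `window_seconds`, and 'success_after_failures' when an accepted login from
    that source follows such a burst (the higher-priority signal).
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerted = set()                # sources already flagged, to avoid re-alerting
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        # Expire failures that have fallen out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append((src, "brute_force", ts))
        elif src in alerted:
            alerts.append((src, "success_after_failures", ts))
    return alerts


if __name__ == "__main__":
    for src, kind, ts in detect_brute_force(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<24} {src}")
```

Run against the constructed log it raises exactly two alerts, both for 203.0.113.9: the burst itself, then the success that follows it. The second source never reaches the threshold inside the window, which is the false-positive case a rule like this has to stay quiet on.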
Built from scratch: a secure VPC with least-privilege IAM, GuardDuty enabled from day one, CloudTrail covering every API call, and automated alerting that fires when something looks off. The goal was to make insecure actions the hard path, not the easy one.
Identified SQL injection and XSS vulnerabilities in test applications and disclosed them responsibly. The point wasn't just finding bugs, it was writing clear, actionable reports a developer could act on immediately. Proof that offensive skills and communication aren't mutually exclusive.
A private tool for structured malware analysis: static examination, behavioural logging, and IOC extraction into a usable format. Built to make analysis repeatable rather than ad-hoc every time a new sample arrives. Consistency is what makes analysis defensible.
A hands-on TypeScript environment for exploring JWT vulnerabilities: algorithm confusion, none-alg bypass, key injection. Understanding these attack paths deeply makes me more effective when reviewing authentication implementations in real systems.
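What reviewing an authentication implementation for these issues looks like in code, as an added example that is not the author's TypeScript lab: a naive HS256 verifier that trusts the token header's `alg` (and so accepts an unsigned `none` token) beside a hardened verifier that pins the algorithm server-side. Only the standard library is used; the secret and the claims are constructed placeholders. The same pinning principle is what closes RS256/HS256 confusion, but this example exercises only HS256 and `none`.

```python
"""Naive vs hardened JWT verification (added example, standard library only).

The secret below is a constructed placeholder, not a real key.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # placeholder, constructed for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token. alg='none' exists only to build a negative test vector."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "none":
        sig = ""
    elif alg == "HS256":
        sig = _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    else:
        raise ValueError("unsupported alg")
    return f"{header}.{payload}.{sig}"


def verify_naive(token: str, key: bytes):
    """Trusts the header's alg. Accepts unsigned tokens: the none-alg bypass."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header["alg"] == "none":
        return json.loads(_b64url_decode(payload_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return json.loads(_b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes, expected_alg: str = "HS256"):
    """Pins the algorithm, rejects 'none', and treats the header as untrusted input."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # The header is attacker-controlled; the server decides the algorithm, not the token.
    if expected_alg == "none" or header.get("alg") != expected_alg:
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not sig_b64 or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))
```

The review question this encodes is simple: does the verifier ever read `alg` from the token to decide how to verify it? If it does, the `none` case and the key-confusion cases follow from that single decision, which is why the hardened version takes the algorithm as a server-side parameter and compares the header against it rather than the other way round.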
A publicly available security utility built in JavaScript. Open source by design: I think the security community improves when people share tools rather than sit on them. Pull it, use it, improve it.
Whether you're building a security team, dealing with an uncomfortable alert, or just want to know if your AWS environment would survive an audit, I'm immediately available and interested in hearing about it.