Khalid · Cybersecurity Portfolio

A collection of writeups on projects, certifications, and work experience in cybersecurity.

Writeups

My Cybersecurity Internship Journey: Lessons Learned and Impact Made

For students entering cybersecurity, internships are one of the best ways to build practical experience before stepping into a full-time role. Between 2023 and 2025 I completed three: a Cybersecurity Analyst role at Leonardo DRS, a cybersecurity internship at Dark Wolf Solutions, and an Information Security Operations internship at Seagate Technology. Each role covered a different area of the discipline: SOC operations, compliance, and detection engineering.

Leonardo DRS: Where It Started

My first role was a Cybersecurity Analyst internship in Dayton, where I was embedded within the CERT team supporting network and endpoint security operations. Being part of the CERT team meant working directly on active security operations: triaging alerts in Splunk, analyzing logs, and escalating verified threats. The volume was high and the environment operated at a consistent pace, and it established early that most SOC work is pattern recognition and structured triage, not reactive incident response.

Phishing investigation was among the most hands-on work. Proofpoint generated the initial alerts; from there, I'd trace the sending infrastructure, extract IOCs, and work the incident through to close. That repeated process contributed to a 40% reduction in mean time-to-close. On the network side, Zscaler Web Gateway provided visibility into outbound traffic, which was useful when correlating anomalies during threat hunting. Carbon Black Cloud and Microsoft Defender covered endpoint telemetry. Between the two, it was generally possible to reconstruct process execution and determine origin.

Participating in the annual tabletop exercise was a different kind of experience. That year's scenario was a ransomware incident, and working through it with the full team, working through detection decisions, containment steps, escalation paths, and recovery coordination, made clear how much of incident response depends on organizational process rather than technical execution alone.

Dark Wolf Solutions: The Compliance Side

Dark Wolf was a different area of security entirely. The work centered on Risk Management Framework activities: reviewing and assessing controls aligned with NIST SP 800-53 and supporting system authorization. It was process-driven and documentation-heavy rather than operational. I came in with limited exposure to compliance work and left with a clearer understanding of why the framework exists. An organization with strong technical controls but weak documentation is difficult to audit, and that gap creates real exposure.

Seagate Technology: Going Deeper on Detection Engineering

The Seagate Technology internship was structured differently from the previous two. I worked directly alongside security engineers, which gave me a clearer picture of what that role looks like in practice and confirmed it as the direction I want to go. Being embedded with people doing detection engineering and incident response at an enterprise scale made the career goal concrete rather than abstract.

The work itself centered on a Microsoft Sentinel SIEM deployment: building automated workflows that generated tickets in the IT case management system and writing KQL analytic detection rules that extended threat coverage across the environment. In CrowdStrike Falcon, I created and tuned Indicators of Attack and Indicators of Compromise to improve alert fidelity.

I also handled endpoint incident response directly, identifying and removing malware from affected systems. Working through that process end-to-end several times gave the incident response lifecycle a concreteness that theoretical study doesn't provide.

The takeaway across all three Each role was a different environment: defense contractor, federal solutions firm, and enterprise technology company. Together they covered the main areas of security work: operations, compliance, and detection engineering.

Building a Home Lab: An Active Directory Attack and Defense Environment

This writeup covers the setup and walkthrough of a home lab I built following the Project Security E101 curriculum. The goal was to simulate a realistic enterprise environment, then attack it, covering both the offensive and defensive sides.

The Environment

Everything runs inside VirtualBox on a single 10.0.0.0/24 NAT network with seven machines, each with a distinct role in a simulated small company. Before this, I'd only worked in environments where the detection infrastructure was already in place. Building it from scratch was a different kind of exercise.

Machine	OS	Role	IP
project-x-dc	Windows Server 2025	Domain Controller, DNS, DHCP	10.0.0.5
project-x-win-client	Windows 11 Enterprise	Corporate workstation	10.0.0.100
project-x-linux-client	Ubuntu 22.04 Desktop	Dev workstation	10.0.0.101
project-x-sec-work	Security Onion	Network monitoring	10.0.0.103
project-x-sec-box	Ubuntu 22.04 Server	Wazuh SIEM	10.0.0.10
project-x-corp-svr	Ubuntu Server 22.04	MailHog email server	10.0.0.8
attacker	Kali Linux 2024.4	Attack machine	dynamic

Defensive Stack

Wazuh handled SIEM duties, ingesting logs from every machine in the domain. Security Onion handled network traffic analysis. MailHog ran as a fake internal mail server, which became relevant during the phishing stage. Getting everything configured and communicating correctly took longer than expected. That setup process was where most of the early learning happened.

One immediate observation: the event log volume on a Windows domain under normal operating conditions is substantial. Getting a clear sense of which event IDs actually matter, not just a memorized list but an intuition for what constitutes noise, required spending real time in the data.

The Attack

The offensive side used the tools from the curriculum: Hydra for credential brute-forcing, NetExec to validate and move laterally with stolen credentials, Evil-WinRM to establish a shell on the compromised workstation, and a PowerShell reverse shell for C2. The kill chain traces a realistic path from phishing through to domain compromise.

# kill chain — rough progression 1. Phishing site deployed → fake corp login harvests creds 2. Hydra brute-forces SMB with SecLists wordlist 3. NetExec validates creds across domain hosts 4. Evil-WinRM opens shell on project-x-win-client 5. PowerShell reverse shell establishes C2 callback 6. Privilege escalation → domain controller access

The more instructive exercise was going back afterward and trying to identify the attack in the logs. Some activity surfaced clearly: failed logon spikes, suspicious process creation, unusual outbound connections. Other things didn't appear at all, which led to rewriting Wazuh rules. That cycle of attack, detect, miss, and improve was the most useful part of the project.

What It Reinforced

Building AD from scratch changes how you see it. At Leonardo DRS I worked in a domain environment daily without ever having to provision one. Configuring it from the ground up, including users, groups, GPOs, and DNS records, made the attack surface concrete in a way that working inside an existing deployment doesn't.

Phishing is the easiest part of the kill chain to miss. The credential-harvesting stage generated almost nothing in the SIEM until email header logging was specifically added. In production environments, the window between a phishing email landing and the first authentication attempt is where early detection has to happen.

C2 traffic has a recognizable pattern. Generating the reverse shell and then observing it in Security Onion made the beaconing behavior immediately apparent: consistent intervals, an unusual outbound port, and low-volume steady data transfer. Having produced it myself made the pattern far easier to identify in alert data later.

Detection is an iterative process, not a one-time configuration. Writing a Wazuh rule precise enough to catch something specific without generating excessive false positives requires more iteration than it appears to. That experience informed how I approach detection work in practice.

Passing the BTL1: My Experience

The BTL1 is a 24-hour practical exam with no multiple choice and no memorization. You work through a set of investigation tasks inside a simulated SOC environment using real tools. Pass mark is 70%; scoring above 90% earns a physical gold coin.

I sat the exam with only Security+ completed at that point. It was my second certification, taken before any internship experience. In retrospect, the timing was useful. It required building investigation methodology before having a production environment to rely on.

The Six Domains

Domain	What You're Actually Doing
Phishing Analysis	Email header inspection, IOC extraction, infrastructure tracing
Threat Intelligence	Pivoting on IOCs via VirusTotal, AbuseIPDB, MITRE ATT&CK
Digital Forensics	Disk image analysis, artifact recovery, timeline reconstruction
SIEM	Writing Splunk queries, correlating events, building investigation timelines
Incident Response	Working an IR process from detection through containment
Network Forensics	Wireshark pcap analysis, traffic reconstruction, C2 identification

How I Prepared

The official course covers all six domains thoroughly. The Blue Team Labs Online free challenges were equally useful. There are many challenges mapped directly to BTL1 topics, and working through them builds the pace the exam requires. For Splunk in particular, the syntax needs to be second nature before exam day; time spent working out queries during the investigation is time not spent on the investigation itself.

Phishing analysis was the domain I underestimated going in. Reading raw email headers, identifying spoofed return paths, tracing infrastructure through passive DNS and URLScan. It is a distinct discipline that takes deliberate preparation before exam day.

The Exam Itself

The investigation tasks are interconnected. Context gathered from one question frequently informs an earlier one. Working forward rather than stalling on a single task, keeping detailed notes throughout, and treating the incident report as part of the work rather than a closing formality all made a difference to the final result.

One thing I'd change Early on I tried to resolve each question completely before advancing. The more effective approach is to keep moving. In a real investigation, the picture develops as evidence accumulates, and the BTL1 exam is structured the same way.

Where It Sits in the Bigger Picture

CompTIA CySA+, PenTest+, and Network+ came after this, along with the SSCP from ISC2. Those are valuable certifications, but they are largely knowledge-based: multiple choice exams that test whether you understand the material. The BTL1 is different: it's a practical exam that tests whether you can apply that knowledge under realistic conditions. That distinction is what made it worth pursuing early, and what sets it apart from the rest of the stack.

Competing in SANS DFIR NetWars

DFIR NetWars is a SANS competition focused on digital forensics and incident response. You're given evidence files from compromised systems and six hours to reconstruct what happened: attack vectors, artifacts, and indicators of compromise, with a live leaderboard running throughout.

I used Zeek for network log analysis, Wireshark for packet inspection, and Elastic SIEM to search and correlate events across the evidence set. Most challenge questions are interconnected, so findings from one artifact inform others. The time constraint forces quick decisions about what to prioritize and what to revisit. That judgment is a separate skill from the technical analysis itself.

A timed competition surfaces gaps that self-paced study doesn't. Certain artifact types I hadn't worked with extensively, and some tools I was less efficient with than I realized. That kind of feedback is difficult to get any other way.

About

Khalid

Cybersecurity & Information Assurance graduate from Western Governors University. The past few years have included security work across a defense contractor, a federal solutions firm, and a Fortune 500 technology company, each a different context for the same discipline.

My focus is blue team: detection engineering, incident response, threat hunting. I write here to showcase the work I've done.

Certifications

Blue Team Level 1, Security Blue Team
SSCP, ISC2
CySA+, CompTIA
PenTest+, CompTIA
Security+, CompTIA
Network+, CompTIA

Skills

Windows OS, Linux OS, Splunk, Microsoft Sentinel, KQL, CrowdStrike, EDR, IDS/IPS, Log Analysis, DLP, Networking, Vulnerability Management, NIST Standards, TCP/IP, Azure, Active Directory, Incident Response, Threat Hunting, Wireshark, MITRE ATT&CK, SQL, Python