<!doctype html>

<html lang="en">

<head>

<meta charset="utf-8">

<meta name="viewport" content="width=device-width, initial-scale=1.0">

<title>Zion Boggan | Security Engineering, Detection Engineering, and Research</title>

<meta name="description" content="Zion Boggan, SOC analyst and independent security researcher. Detection engineering, vulnerability research, and applied cryptography, including Oversight Protocol, a post-quantum data-provenance system in Rust.">

<meta name="author" content="Zion Boggan">

<meta name="robots" content="index, follow, max-image-preview:large, max-snippet:-1">

<link rel="canonical" href="https://zionboggan.com/">

<meta property="og:type" content="profile">

<meta property="og:site_name" content="Zion Boggan">

<meta property="og:title" content="Zion Boggan | Security Engineering, Detection Engineering & Research">

<meta property="og:description" content="SOC analyst and independent security researcher. Vulnerability research with full proof-of-concept exploits, detection engineering, and applied cryptography.">

<meta property="og:url" content="https://zionboggan.com/">

<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">

<meta property="og:image:alt" content="Zion Boggan: Security Engineering & Research">

<meta property="profile:first_name" content="Zion">

<meta property="profile:last_name" content="Boggan">

<meta name="twitter:card" content="summary_large_image">

<meta name="twitter:title" content="Zion Boggan | Security Engineering, Detection Engineering & Research">

<meta name="twitter:description" content="SOC analyst and independent security researcher. Vulnerability research, detection engineering, and applied cryptography.">

<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">

<script type="application/ld+json">

{

  "@context": "https://schema.org",

  "@type": "Person",

  "name": "Zion Boggan",

  "givenName": "Zion",

  "familyName": "Boggan",

  "url": "https://zionboggan.com/",

  "image": "https://zionboggan.com/assets/og-default.png",

  "email": "mailto:zionboggan0@gmail.com",

  "jobTitle": "Security Researcher & Detection Engineer",

  "description": "SOC analyst and independent security researcher specializing in vulnerability research, detection engineering, and applied cryptography.",

  "knowsAbout": ["Vulnerability Research", "Detection Engineering", "SOC Analysis", "Applied Cryptography", "Threat Detection", "Security Engineering"],

  "sameAs": [

    "https://www.linkedin.com/in/zion-boggan",

    "https://oversightprotocol.dev"

  ]

}

</script>

<script type="application/ld+json">

{

  "@context": "https://schema.org",

  "@type": "WebSite",

  "name": "Zion Boggan",

  "url": "https://zionboggan.com/",

  "author": { "@type": "Person", "name": "Zion Boggan" }

}

</script>

<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">

<style>

  :root{

    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;

    --line:#222936; --line2:#2c3543;

    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;

    --accent:#6cc7b8; --accent-dim:#274b47;

    --maxw:1020px;

  }

  *{box-sizing:border-box;}

  html{scroll-behavior:smooth;}

  body{margin:0;background:var(--bg);color:var(--ink);

    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;

    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}

  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}

  a{color:var(--accent);text-decoration:none;}

  a:hover{color:#8fe0d2;}

  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}

  /* nav */

  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);

    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}

  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}

  nav .brand{font-weight:600;letter-spacing:.2px;}

  nav .brand .dot{color:var(--accent);}

  nav .links{display:flex;gap:26px;font-size:13.5px;}

  nav .links a{color:var(--muted);}

  nav .links a:hover{color:var(--ink);}

  @media(max-width:680px){nav .links{display:none;}}

  /* hero */

  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);

    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}

  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);

    display:flex;align-items:center;gap:9px;margin-bottom:20px;}

  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);

    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}

  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}

  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}

  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}

  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}

  .hero .lede b{color:var(--ink);font-weight:600;}

  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}

  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;

    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}

  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}

  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}

  .btn.primary:hover{background:#8fe0d2;color:#06231f;}

  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}

  .meta .mono{color:var(--faint);}

  /* proof / live-exploit demo */

  .proof{padding-top:48px;}

  .proof-intro{max-width:760px;color:var(--soft);font-size:15.5px;line-height:1.6;margin:0 0 28px;}

  .demo{border:1px solid var(--line2);border-radius:12px;overflow:hidden;background:#0a0c10;

    box-shadow:0 0 0 1px rgba(108,199,184,.08), 0 26px 64px -28px rgba(0,0,0,.75);}

  .demo + .demo{margin-top:30px;}

  .step{display:inline-block;font-size:11px;font-weight:700;letter-spacing:.6px;color:#06231f;

    background:var(--accent);padding:2px 8px;border-radius:5px;margin-right:9px;vertical-align:1px;}

  .step.crit{background:#ff6b6b;color:#2a0606;}

  .demobar{display:flex;align-items:center;gap:8px;padding:11px 14px;background:#11151b;border-bottom:1px solid var(--line);}

  .demobar .d{width:11px;height:11px;border-radius:50%;}

  .demobar .r{background:#ff5f57;}.demobar .y{background:#febc2e;}.demobar .g{background:#28c840;}

  .demobar .dlabel{color:var(--faint);font-size:12.5px;margin-left:8px;}

  .demobar .dbadge{margin-left:auto;color:#06231f;background:var(--accent);font-size:11px;font-weight:700;

    padding:3px 9px;border-radius:5px;letter-spacing:.5px;}

  .demobar .dbadge.alt{background:#7aa2f7;color:#06122a;}

  .demovid{display:block;width:100%;height:auto;background:#0a0c10;cursor:pointer;}

  .democap{margin:0;padding:15px 18px;color:var(--soft);font-size:14px;line-height:1.55;

    background:var(--panel);border-top:1px solid var(--line);}

  .democap b{color:var(--ink);font-weight:600;}

  /* sections */

  section{padding:64px 0;border-bottom:1px solid var(--line);}

  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}

  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}

  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}

  .shead .rule{flex:1;height:1px;background:var(--line);}

  /* flagship */

  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);

    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}

  .flag .top{padding:30px 32px 8px;}

  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}

  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}

  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}

  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}

  .flag p{color:var(--soft);margin:0 0 16px;}

  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}

  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}

  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}

  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}

  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}

  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}

  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}

  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}

  .spec li:first-child{border-top:none;}

  .spec li span{color:var(--muted);}

  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}

  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}

  /* lab cards */

  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}

  @media(max-width:680px){.cards{grid-template-columns:1fr;}}

  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);

    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}

  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}

  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}

  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}

  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}

  .card h3{margin:0 0 9px;font-size:17px;}

  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}

  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}

  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);

    border-radius:5px;padding:3px 8px;}

  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}

  .card .lnk::after{content:" →";}

  /* research */

  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}

  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}

  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;

    padding:18px 22px;border-top:1px solid var(--line);}

  .ritem:first-child{border-top:none;}

  .ritem:hover{background:var(--panel);}

  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}

  .ritem h3{margin:0 0 3px;font-size:16px;}

  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}

  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}

  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}

  .progs{margin-top:22px;}

  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}

  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}

  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);

    border-radius:6px;padding:4px 10px;}

  /* credentials */

  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}

  @media(max-width:680px){.cred{grid-template-columns:1fr;}}

  .cred p{color:var(--soft);margin:0 0 14px;}

  .cred .role{font-size:14px;color:var(--muted);}

  .cred .role b{color:var(--ink);font-weight:600;}

  .certs{list-style:none;margin:0;padding:0;}

  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);

    display:flex;gap:10px;align-items:baseline;}

  .certs li:first-child{border-top:none;}

  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}

  footer{padding:46px 0 64px;}

  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}

  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}

  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}

  /* featured finding teaser */

  .featured{display:block;margin:30px 0 0;border:1px solid var(--line2);border-radius:14px;

    background:linear-gradient(180deg,#11181c 0%,var(--panel) 100%);overflow:hidden;

    transition:border-color .15s,transform .15s;}

  .featured:hover{border-color:var(--accent-dim);transform:translateY(-2px);}

  .ff-status{display:flex;align-items:center;gap:9px;font-size:12px;letter-spacing:1.2px;

    text-transform:uppercase;color:var(--accent);padding:12px 24px;border-bottom:1px solid var(--line);background:#0e1a18;}

  .ff-status .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);

    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}

  .ff-main{display:flex;align-items:center;gap:22px;padding:22px 24px;}

  .ff-tag{font-size:11px;letter-spacing:1.5px;color:#ff8a8a;margin-bottom:9px;}

  .ff-main h3{margin:0 0 8px;font-size:21px;letter-spacing:-.3px;line-height:1.2;color:var(--ink);}

  .ff-main p{margin:0 0 12px;color:var(--soft);font-size:14.5px;max-width:690px;}

  .ff-main p b{color:var(--ink);font-weight:600;}

  .ff-facts{display:flex;flex-wrap:wrap;gap:6px 8px;}

  .ff-facts span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);

    border-radius:5px;padding:3px 9px;}

  .ff-go{flex:none;color:var(--accent);font-size:14px;white-space:nowrap;}

  @media(max-width:680px){.ff-main{flex-direction:column;align-items:flex-start;gap:14px;}}

</style>

</head>

<body>

<nav><div class="wrap">

  <span class="brand mono">zion_boggan<span class="dot">.</span></span>

  <span class="links">

    <a href="#oversight">Oversight</a>

    <a href="#labs">Labs</a>

    <a href="#research">Research</a>

    <a href="#background">Background</a>

    <a href="https://github.com/zionboggan">GitHub</a>

  </span>

</div></nav>

<header class="hero"><div class="wrap">

  <div class="avail"><span class="pulse"></span>Open to detection engineering &amp; security roles · relocation OK</div>

  <h1>Zion Boggan</h1>

  <p class="sub">SOC analyst · independent security researcher · applied cryptography</p>

  <p class="lede">SOC analyst by trade, security researcher by hobby: I defend production

  networks, research vulnerabilities in the lab, and build systems that close the gaps I

  find. This is the work I can show: <b>detection

  pipelines and labs</b> that run end to end, <b>vulnerability research</b> across

  cryptographic and database internals, and <b>Oversight Protocol</b>, a post-quantum

  data-provenance system I maintain in Rust. Almost all of it runs on my own homelab.</p>

  <div class="cta">

    <a class="btn primary" href="#proof">▶ Watch a live break-in</a>

    <a class="btn" href="#oversight">See the work</a>

    <a class="btn" href="https://github.com/zionboggan">GitHub</a>

    <a class="btn" href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a>

    <a class="btn" href="https://oversightprotocol.dev/">oversightprotocol.dev</a>

  </div>

  <div class="meta mono">

    <span>zionboggan0@gmail.com</span>

    <span>Security+ · SC-200 · AZ-104</span><span>Bugcrowd · HackerOne</span>

  </div>

</div></header>

<div class="wrap"><a class="featured" href="/featured-finding/">

  <div class="ff-status mono"><span class="pulse"></span>Coordinated disclosure in progress</div>

  <div class="ff-main">

    <div>

      <div class="ff-tag mono">★ FEATURED FINDING · LIVE VULNERABILITY RESEARCH</div>

      <h3>A certificate path-length limit that vanishes when you remove an unrelated field</h3>

      <p>A widely-deployed open-source crypto library enforces an RFC&nbsp;5280 CA path-length

        constraint <b>only when a separate extension is present</b>, so a CA forbidden from

        delegating can mint rogue sub-CAs the library still trusts. Found by variant-hunting a

        security patch the maintainers had just shipped. <b>Interactive proof you can run in the browser.</b></p>

      <div class="ff-facts mono">

        <span>CWE-295</span><span>RFC 5280 §6.1.4</span><span>CA constraint bypass</span>

        <span>Confirmed on the current shipped release</span>

      </div>

    </div>

    <span class="ff-go mono">Open the finding →</span>

  </div>

</a></div>

<section id="proof" class="proof"><div class="wrap">

  <div class="shead"><span class="idx mono">00</span><h2>See it in action</h2><span class="rule"></span></div>

  <p class="proof-intro">Three recordings, all real output, nothing staged: a web-app data

    breach and a full server takeover against targets I host in a lab I control, then a real

    cryptographic flaw I found and responsibly disclosed in production software. Offensive

    web, infrastructure, and deep code review, the range I actually work in. Never against

    systems I don't own.</p>

  <div class="demo">

    <div class="demobar">

      <span class="d r"></span><span class="d y"></span><span class="d g"></span>

      <span class="dlabel mono">01 · web-app breach · controlled lab</span>

      <span class="dbadge mono">REAL PoC</span>

    </div>

    <video class="demovid" autoplay muted loop playsinline preload="auto"

      poster="/assets/hero/exploit-demo-poster.jpg"

      onclick="if(this.requestFullscreen)this.requestFullscreen()">

      <source src="/assets/hero/exploit-demo.mp4" type="video/mp4">

    </video>

    <p class="democap"><span class="step mono">01 · DATA BREACH</span> A real SQL-injection chain

      against a web app (OWASP Juice Shop): <b>bypass the login with no password</b>, then

      <b>dump every account's stored credentials</b> straight from the database.</p>

  </div>

  <div class="demo">

    <div class="demobar">

      <span class="d r"></span><span class="d y"></span><span class="d g"></span>

      <span class="dlabel mono">02 · server takeover · controlled lab</span>

      <span class="dbadge mono">REAL PoC</span>

    </div>

    <video class="demovid" autoplay muted loop playsinline preload="auto"

      poster="/assets/hero/rce-demo-poster.jpg"

      onclick="if(this.requestFullscreen)this.requestFullscreen()">

      <source src="/assets/hero/rce-demo.mp4" type="video/mp4">

    </video>

    <p class="democap"><span class="step mono crit">02 · FULL TAKEOVER</span> Command injection in

      an appliance's diagnostics tool: a "ping" box that <b>runs whatever I type, as root</b>.

      One request turns into <b>remote code execution and the server's production secrets</b>.</p>

  </div>

  <div class="demo">

    <div class="demobar">

      <span class="d r"></span><span class="d y"></span><span class="d g"></span>

      <span class="dlabel mono">03 · cryptographic research · production code</span>

      <span class="dbadge alt mono">DISCLOSED</span>

    </div>

    <video class="demovid" autoplay muted loop playsinline preload="auto"

      poster="/assets/hero/crypto-demo-poster.jpg"

      onclick="if(this.requestFullscreen)this.requestFullscreen()">

      <source src="/assets/hero/crypto-demo.mp4" type="video/mp4">

    </video>

    <p class="democap"><span class="step mono">03 · CRYPTO RESEARCH</span> Not a lab, a real flaw I

      found and responsibly disclosed in <b>Fireblocks' MPC threshold-signature library</b>. A

      one-byte type confusion cut a 40-bit check down to 8 bits, so I <b>forge an invalid proof the

      production verifier accepts</b>, about 1 in 256 tries, with a control run that proves the cause.

      The difference between running tools and reading the crypto.</p>

  </div>

</div></section>

<section id="oversight"><div class="wrap">

  <div class="shead"><span class="idx mono">01</span><h2>Flagship</h2><span class="rule"></span></div>

  <div class="flag">

    <div class="top">

      <div class="tag mono">Open-source · Rust + Python</div>

      <h3>Oversight Protocol<span class="v mono">v0.4.11</span></h3>

    </div>

    <div class="grid">

      <div>

        <p>A cryptographic data-provenance system: a verifiable, tamper-evident record of

        where data came from and what happened to it, designed to hold up against a future

        with quantum computers. I'm the lead maintainer and primary contributor.</p>

        <p>The hard part is correctness across two languages, the Rust implementation and

        the Python reference are built to produce <b>bit-identical</b> output, enforced by a

        shared conformance suite. It pairs classical and post-quantum primitives so signatures

        and key exchange stay sound even if one side breaks.</p>

        <div class="stats">

          <div class="stat"><div class="n">12 crates</div><div class="k">~10.3k lines of Rust</div></div>

          <div class="stat"><div class="n">~13.4k lines</div><div class="k">Python reference impl</div></div>

          <div class="stat"><div class="n">141 tests</div><div class="k">125 Rust · 16 Python conformance</div></div>

          <div class="stat"><div class="n">FIPS 203/204</div><div class="k">ML-KEM-768 · ML-DSA-65</div></div>

        </div>

      </div>

      <div class="spec">

        <div class="sk mono">Cryptography</div>

        <ul>

          <li>Key exchange <span>X25519</span></li>

          <li>AEAD <span>XChaCha20-Poly1305</span></li>

          <li>Signatures <span>Ed25519</span></li>

          <li>KDF <span>HKDF-SHA256</span></li>

          <li>PQ KEM <span>ML-KEM-768</span></li>

          <li>PQ signatures <span>ML-DSA-65</span></li>

          <li>Transparency <span>Sigstore Rekor v2</span></li>

          <li>Timestamping <span>RFC 3161 TSA</span></li>

        </ul>

      </div>

    </div>

    <div class="foot">

      <a class="mono" href="https://oversightprotocol.dev/">oversightprotocol.dev →</a>

      <a class="mono" href="https://github.com/oversight-protocol/oversight">github.com/oversight-protocol/oversight →</a>

      <span class="mono" style="color:var(--faint)">Targeting USENIX Security &amp; Black Hat EU 2026</span>

    </div>

  </div>

</div></section>

<section id="labs"><div class="wrap">

  <div class="shead"><span class="idx mono">02</span><h2>Security Labs</h2><span class="rule"></span></div>

  <div class="cards">

    <a class="card" href="/detection-as-code/">

      <div class="thumb"><img loading="lazy" src="assets/detection.png" alt="One Sigma rule compiled to Splunk, Sentinel KQL and Elastic ES|QL"></div>

      <div class="body">

        <h3>Detection-as-Code</h3>

        <p>Sigma rules mapped to MITRE ATT&CK, linted and tested in CI, and compiled to

        Splunk, Elastic, and Microsoft Sentinel KQL, one rule, every SIEM. Detection

        engineering done as a pipeline, not a console click.</p>

        <div class="tags"><span>Sigma</span><span>Splunk</span><span>Sentinel KQL</span><span>Elastic</span></div>

        <span class="lnk mono">detection-as-code</span>

      </div>

    </a>

    <a class="card" href="/purple-team-lab/">

      <div class="thumb"><img loading="lazy" src="assets/purple.png" alt="Emulated ATT&CK techniques detected in Wazuh"></div>

      <div class="body">

        <h3>Purple-Team Lab</h3>

        <p>Adversary emulation that validates the detections. Atomic Red Team techniques run

        against an instrumented endpoint; custom Wazuh rules catch each one, with a coverage

        matrix proving the ATT&CK techniques fire at the right severity.</p>

        <div class="tags"><span>Atomic Red Team</span><span>Caldera</span><span>Wazuh FIM</span><span>MITRE ATT&CK</span></div>

        <span class="lnk mono">purple-team-lab</span>

      </div>

    </a>

    <a class="card" href="/soc-automation-lab/">

      <div class="thumb"><img loading="lazy" src="assets/soc.png" alt="Wazuh Threat Hunting dashboard with MITRE ATT&CK mapping"></div>

      <div class="body">

        <h3>SOC Automation Lab</h3>

        <p>Wazuh detection into Shuffle SOAR into TheHive case management. Endpoint telemetry,

        custom MITRE-mapped rules, automated enrichment and case creation. Deployed and shown

        live with an enrolled agent and a replayed SSH brute force.</p>

        <div class="tags"><span>Wazuh</span><span>TheHive</span><span>Shuffle</span><span>MITRE ATT&CK</span></div>

        <span class="lnk mono">soc-automation-lab</span>

      </div>

    </a>

    <a class="card" href="/secure-cicd-pipeline/">

      <div class="thumb"><img loading="lazy" src="assets/cicd.png" alt="Custom Semgrep rules failing the SAST gate"></div>

      <div class="body">

        <h3>Secure CI/CD Pipeline</h3>

        <p>A GitHub Actions pipeline that gates every merge on four checks, SAST, secret

        scanning, dependency audit, tests, with custom Semgrep rules and findings routed

        back to the SOC.</p>

        <div class="tags"><span>GitHub Actions</span><span>Semgrep</span><span>gitleaks</span><span>pip-audit</span></div>

        <span class="lnk mono">secure-cicd-pipeline</span>

      </div>

    </a>

    <a class="card" href="/cicd-supply-chain-security/">

      <div class="thumb"><img loading="lazy" src="assets/supply-chain.png" alt="Cosign signing and tamper detection"></div>

      <div class="body">

        <h3>CI/CD Supply-Chain Security</h3>

        <p>Proves the artifact, not just the source: keyless Cosign signing, a signed SBOM,

        grype scanning, and a Kyverno admission policy that refuses anything it can't verify.</p>

        <div class="tags"><span>Cosign</span><span>Sigstore</span><span>syft</span><span>Kyverno</span></div>

        <span class="lnk mono">cicd-supply-chain-security</span>

      </div>

    </a>

    <a class="card" href="/cti-detection-automation/">

      <div class="thumb"><img loading="lazy" src="assets/cti.png" alt="CTI rule-approval email with MITRE techniques"></div>

      <div class="body">

        <h3>CTI Detection Automation</h3>

        <p>Pulls indicators from live threat-intel feeds, dedupes across them, extracts the

        MITRE techniques, generates Wazuh rules, and emails an analyst for sign-off before

        anything goes live.</p>

        <div class="tags"><span>Python</span><span>ThreatFox / OTX</span><span>Wazuh CDB</span><span>ATT&CK</span></div>

        <span class="lnk mono">cti-detection-automation</span>

      </div>

    </a>

  </div>

</div></section>

<section id="research"><div class="wrap">

  <div class="shead"><span class="idx mono">03</span><h2>Vulnerability Research</h2><span class="rule"></span></div>

  <p class="rlede">Coordinated-disclosure research on Bugcrowd and HackerOne, focused on the

  places bugs are easy to miss and expensive to get wrong: cryptographic libraries, database

  engine internals, blockchain consensus, and authorization layers. Source-code analysis,

  protocol review, reproducible proof-of-concept.</p>

  <div class="research">

    <div class="ritem">

      <span class="cls mono">Notebook</span>

      <div><h3>Security research notebook</h3>

        <p>37 coordinated-disclosure writeups and methodology notes, 8 Fireblocks MPC findings

        (memory safety, signature verification, ZK-proof soundness), Postgres privilege-escalation

        chains, blockchain consensus, and camera firmware, each leading with how the bug was reached.</p></div>

      <a class="go" href="/security-research-notebook/">notebook →</a>

    </div>

    <div class="ritem">

      <span class="cls mono">JWT / auth</span>

      <div><h3>Schism, JWT differential fuzzer</h3>

        <p>Differentially tests JWT libraries against each other and the RFCs to surface

        algorithm-confusion and parsing-divergence bypasses.</p></div>

      <a class="go" href="/jwt-differential-fuzzer/">fuzzer →</a>

    </div>

    <div class="ritem">

      <span class="cls mono">Markets / quant</span>

      <div><h3>Prediction-market bot postmortem</h3>

        <p>A trading bot taken from edge hypothesis to a documented, honest negative result, the evaluation harness and why the edge didn't survive fees.</p></div>

      <a class="go" href="/prediction-market-bot-postmortem/">postmortem →</a>

    </div>

  </div>

  <div class="progs">

    <div class="sk mono">Programs researched</div>

    <div class="row">

      <span>Aiven (PostgreSQL · MySQL · ClickHouse · Valkey · Kafka)</span>

      <span>Fireblocks MPC</span><span>Electroneum</span><span>Cloudinary</span>

      <span>AXIS OS</span><span>Mattermost</span><span>GitLab</span><span>Databricks</span>

      <span>The Trade Desk</span><span>New Relic</span><span>Automattic / WordPress</span>

      <span>Snapchat</span><span>Vimeo</span><span>Airtable</span>

    </div>

  </div>

</div></section>

<section id="background"><div class="wrap">

  <div class="shead"><span class="idx mono">04</span><h2>Background</h2><span class="rule"></span></div>

  <div class="cred">

    <div>

      <p>Two years on a SOC desk at a managed security provider, triaging 150 to 300 alerts a

      shift across Splunk, Microsoft Sentinel, SentinelOne, and Stellar Cyber. I have supported

      incident response on ransomware cases (Cactus, BlackByte) and helped track vulnerability

      remediation against NIST 800-171 and CMMC baselines.</p>

      <p class="role"><b>SOC Analyst</b> · MSSP · 2024-present<br>

      <b>Prior:</b> Relationship Banker · Bank of America</p>

    </div>

    <ul class="certs">

      <li><span class="c">SEC+</span> CompTIA Security+ (SY0-701)</li>

      <li><span class="c">SC-200</span> Microsoft Security Operations Analyst</li>

      <li><span class="c">AZ-104</span> Microsoft Azure Administrator</li>

      <li><span class="c">AZ-900</span> Microsoft Azure Fundamentals</li>

      <li><span class="c">S1</span> SentinelOne Incident Responder</li>

      <li><span class="c">CySA+</span> CompTIA, scheduled June 2026</li>

    </ul>

  </div>

</div></section>

<footer><div class="wrap row">

  <div class="links">

    <a href="https://github.com/zionboggan">GitHub</a>

    <a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a>