David Sarkisyan

Security Operations Analyst & Builder

New York City

Understand the system. Prove the risk. Leave it clearer.

Security operations, identity cleanup, endpoint review, detection notes, and network controls built from real troubleshooting habits.

  • Careful investigation
  • Defensive tooling
  • Clear documentation

One timestamp can lie.

Device         Device seen   Person seen   Decision
NYC-WIN-014    recent        recent        Healthy
BK-MAC-022     old           recent        Review
LAB-WIN-007    old           old           Stale candidate

A cleanup decision changes when a second signal is checked.

Index

Start with the kind of problem being worked.

Work

Projects written as tools, detections, labs, and notes, with the reasoning kept visible.


Identity

lapse

Entra ID device hygiene

One timestamp can lie. lapse checks stale-device entries against interactive sign-in evidence before treating a device as truly stale.

Entra ID · Graph · Dry run

Problem: A stale timestamp alone can point at the wrong cleanup decision.

Checked: Device age, scope filters, and interactive user sign-in evidence.

Noise: Background activity can update fields without proving user activity.

Next action: Run a dry report, review entries, then disable only after approval.

Limit: The tool supports review; it should not decide ownership or business need by itself.

Directory

relic

Active Directory hygiene

Reviews stale users, old computers, group leftovers, password age, and service-account cleanup candidates.

Active Directory · LDAP · Cleanup

Problem: Directory leftovers create access risk and operational noise.

Checked: Dormant users, old computers, disabled accounts, group memberships, and password-age signals.

Noise: Service accounts and ownerless groups often need human confirmation.

Next action: Report cleanup candidates, remove risky leftovers, and disable only through review.

Limit: Findings need ownership context before removal.

Endpoint

Undertaker

Scheduled task review

A read-only tool for finding old or privileged scheduled jobs across Windows Scheduled Tasks, Linux cron, and systemd timers.

Endpoint · Scheduled tasks · Privilege

Problem: Scheduled automation can become stale, over-privileged, or persistence-like.

Checked: Task names, run paths, schedules, privilege context, and last-run signals.

Noise: Legitimate updaters and maintenance jobs can look suspicious without context.

Next action: Keep, allowlist, investigate, or remove through the operating system outside the tool.

Limit: The project is read-only and does not remove tasks.

Browser

Browser Bailiff

Extension risk review

A local browser extension auditor for permissions, host access, manifest details, extension age, and broad-access patterns.

Browser · Permissions · Endpoint

Problem: Browser extensions can quietly expand endpoint exposure.

Checked: Permissions, host access, content scripts, update URL, manifest details, and age.

Noise: Some broad permissions are normal for password managers, blockers, or enterprise tools.

Next action: Approve, investigate, or remove through the browser outside the tool.

Limit: The auditor reviews local metadata; it does not prove extension intent.

AppSec

Authorized AI/LMS Security Assessment

Private report, public-safe case study

Performed an authorized AI assistant assessment from a standard-user session, documented 16 validated findings privately, and published only the reusable control lessons.

AI security · OWASP LLM · Responsible disclosure

Problem: AI assistants inside learning platforms can inherit more authority, context, and trust than users realize.

Checked: External tool behavior, user-editable instructions, safety configuration, injected user context, retrieval scope, memory behavior, messaging authority, and evidence handling.

Noise: AI/LMS risk is rarely one single bug; it is often the combination of tools, context, defaults, and unclear boundaries.

Next action: Restrict tool scopes, require visible approval for external actions, minimize LMS context, enforce document ownership, add logging, and regression-test known failure modes.

Limit: The public case study intentionally withholds the confidential report, target identifiers, exploit prompts, screenshots, student data, internal endpoints, and reproduction steps.

Network

OPNsense + Proxmox Security Control Plane

Network visibility and control notes

Documents a live OPNsense firewall on repurposed hardware and an 8 GB Proxmox laptop node for logs, canary alerts, asset awareness, and safe on-demand checks.

OPNsense · Proxmox · Logs

Problem: Network controls are hard to trust when rules, logs, assets, and alert paths are scattered.

Checked: Repurposed hardware constraints, DNS path, firewall intent, DNSSEC, DNS-over-TLS, bypass blocking, CrowdSec, central logs, unknown-device review, and canary signal.

Noise: Small networks change quickly, and future segmentation should not be described as current state.

Next action: Keep enforcement on OPNsense, use Proxmox for visibility, and run scanners only on demand.

Limit: The public notes avoid exact internal ranges, device inventory, secrets, and management details.

Network

Packet Tracer Network Defense Labs

Per Scholas lab portfolio

Hands-on Cisco Packet Tracer and security labs covering network traffic flow, secure remote access, wireless hardening, ACLs, authentication, DNS, logs, and endpoint fundamentals.

Packet Tracer · Network defense · Per Scholas

Problem: SOC work depends on understanding normal network behavior before calling something suspicious.

Checked: Traffic flow, addressing, wireless security, remote access, access control, DNS, server logs, and endpoint behavior.

Noise: Training labs simplify production networks, so the value is in reasoning and documentation rather than claiming enterprise ownership.

Next action: Use the labs as proof of network, endpoint, and analyst fundamentals while continuing to build public writeups.

Limit: Course files and personal lab answers are kept private; the public portfolio summarizes the skills demonstrated.

Detection

Splunk Detection Content

Detection library

Windows, AD, Sysmon, and PowerShell searches organized by tactic, with tuning notes and analyst pivots.

SPL · ATT&CK · Triage

Problem: Detection logic is easy to write and hard to trust without context.

Checked: Windows, AD, Sysmon, and PowerShell patterns mapped to ATT&CK.

Noise: Admin scripts, deployment tooling, and maintenance activity can resemble suspicious behavior.

Next action: Validate host, user, parent process, command line, and recent logons before escalation.

Limit: Searches depend on available logging and local field names.

Browser Signal Lab

A local-only check for browser-exposed signals. Run it to see what ordinary JavaScript can observe before anything is sent anywhere.

  • Local only.
  • No tracking.
  • No storage.
  • No network request.

Surface: screen, browser, timezone, language
Rendering: canvas, audio, WebGL
Hardening: extensions, profiles, privacy settings

Notes

The thread running through the work: learn the system, verify the signal, act carefully, and make the next step easier to see.

01

Understand the system

Read the environment before deciding what the problem is.

02

Prove the risk

Separate what is observed from what is assumed, then show the evidence clearly.

03

Act carefully

Prefer dry runs, reviewable output, and changes that can be explained.

04

Leave it clearer

Document the edge cases so the next person can keep moving.

Contact

For security work, project review, or direct conversation:

contact [at] srkyn.com