Turning attack surfaces into learning labs.
I’m Aaron Anderson, a hands-on cybersecurity analyst and HSOC IT Cyber Operations Lead. I build and defend lab environments, deploy SIEMs, investigate incidents, and mentor future cyber professionals through practical, real-world scenarios.
Educator turned SOC & Blue Team Operator
I bring together 10+ years in education and project management with hands-on cybersecurity experience. I design and run lab environments, lead IT cyber operations, and explain security concepts in clear, accessible language to technical and non-technical audiences.
After a decade as an educator and project manager building online schools and leading large-scale initiatives, I transitioned into cybersecurity. I now focus on SOC operations, detection engineering, and incident response, with a strong emphasis on documentation, reproducible labs, and mentoring analysts.
As the HSOC IT Cyber Operations Lead, I coordinate day-to-day cyber operations for a virtual SOC, integrate tools like Splunk, Wazuh, Zeek, and TheHive, and help guide our Home Security Operations Center (HSOC) toward an Enterprise SOC (ESOC) model.
I thrive in environments where I can combine hands-on security work, teaching, and process-building — especially roles in SOC analysis, blue-team operations, IR, and security-focused IT positions with strong growth paths.
Education
- University of Colorado – Boulder
  Cybersecurity Certificate (2024–2025)
  Network & Application Security, Incident Handling, Cyber Forensics, Malware Analysis, Ethical Hacking
- Central Washington University
  B.A. – Elementary Education
  Dual Minors: Middle Level Mathematics & Middle Level Science
Certifications & Focus Areas
- CompTIA Security+
- Scrum Fundamentals Certified
- Google Project Management
- Microsoft Innovative Educator
- Edge Coach Training; Culturally Responsive Teaching & The Brain
- AWS Cloud – Expected October 2025
SOC operations, assessment, and teaching
From blue-team monitoring and incident response to offensive labs and packet analysis, I work across the defensive and offensive spectrum — and document everything so it can be taught and repeated.
Blue Team & SOC Operations
- Deploy and operate SIEM stacks using Splunk and Wazuh with Sysmon, Zeek, and endpoint telemetry.
- Create and tune correlation searches, dashboards, and alerts mapped to MITRE ATT&CK and NIST CSF.
- Build IR playbooks for phishing, malware, insider threats, and network intrusions to reduce MTTD/MTTR.
- Oversee vulnerability management lifecycle using tools like Nessus and OpenVAS.
Offensive Security & CTF Labs
- Use Nmap, Amass, theHarvester, Shodan, and Censys for recon and asset discovery.
- Run password attacks with Hydra, John the Ripper, and Hashcat; generate custom wordlists with CeWL and Patator.
- Perform web testing and URL/parameter tampering labs using Burp Suite and OWASP ZAP.
- Compete in CTF challenges (NCL, HSOC labs) to sharpen OSINT, crypto, and exploitation skills.
Networking, Systems & Forensics
- Work across Windows, Linux (Kali, Ubuntu), and macOS in VirtualBox-based labs.
- Analyze .pcap files with tcpdump/Wireshark to uncover suspicious traffic, exfil paths, and anomalies.
- Use Autopsy and Volatility to reconstruct attacker timelines from disk and memory images.
- Implement Wi-Fi security, segmentation, firewall rules, and endpoint hardening in home and lab networks.
Teaching, Docs & Leadership
- Lead HSOC fellows through A+, Security+, and PenTest+ topics using custom labs and CTF scenarios.
- Design gamified learning (Security+ escape room) with branching paths, scoring, and scenario-based decisions.
- Document procedures, write runbooks, and create slide decks and reports for leadership and stakeholders.
- Leverage project management background to coordinate multi-tool SOC and lab projects end-to-end.
Selected cybersecurity labs & deliverables
A snapshot of how I turn theory into practice: building labs, investigating incidents, hardening networks, and documenting everything like a real-world SOC analyst.
LabShock | ICS/OT Security & Modbus MITM
- Configured Kali Linux with IP forwarding and ARP spoofing to sit inline between HMI and PLC.
- Used Scapy and NetfilterQueue to intercept and alter Modbus register values in real time.
- Demonstrated industrial sabotage scenarios and related them to layered OT defense strategies.
SIEM Deployment & Monitoring | Wazuh & Splunk
- Deployed Wazuh and Splunk Enterprise in a VirtualBox lab with Windows & Linux endpoints.
- Collected and analyzed logs (Sysmon, Zeek, endpoint security) to detect brute force, privilege escalation, and abnormal logins.
- Built dashboards and alerting, aligning rules to MITRE ATT&CK and SOC performance metrics.
Boss of the SOC (BOTS) | Splunk Blue Team Challenge
- Investigated a website defacement attack scenario using Splunk searches and dashboards.
- Correlated attacker IPs, suspicious web requests, and compromised accounts to determine root cause.
- Produced a case-study style report tying evidence to SOC workflows and detection improvements.
Home Network Hardening Project
- Audited home network: documented connected devices, router firmware, and exposed services.
- Implemented WPA3, segmentation, firmware updates, and tuned firewall rules to reduce attack surface.
- Delivered a report mapping vulnerabilities and controls to Security+ and NIST CSF guidance.
Digital Forensics & IR Casework
- Analyzed compromised system images to uncover persistence mechanisms and attacker movement.
- Reconstructed timelines from disk artifacts and memory captures using Autopsy and Volatility.
- Documented evidence handling, chain of custody, and IR procedures for future investigations.
Security+ Escape Room | Gamified Training
- Designed a Twine-based interactive escape room covering core Security+ domains and scenarios.
- Implemented branching storylines, hints, and scoring to simulate real-world trade-offs and decisions.
- Used with HSOC fellows as a teaching aid to reinforce exam concepts in an engaging format.
Packet Capture & Analysis Labs
- Captured live traffic with tcpdump to investigate suspicious processes (e.g., MsMpEng.exe, PowerShell).
- Analyzed DNS, ping, and HTTP/S traffic in Wireshark to identify key IPs and potential exfil paths.
- Used findings to illustrate attacker behavior, persistence, and command-and-control patterns.
Offensive Tooling & OSINT | NCL Gymnasium
- Conducted password cracking labs using Hydra, John the Ripper, and Hashcat with custom wordlists.
- Performed OSINT using theHarvester, Maltego, and Shodan to identify subdomains and exposed assets.
- Ranked in the top 10% in the 2025 National Cyber League Gymnasium, reinforcing CTF and reconnaissance workflows.
How I put these skills into practice
From classrooms and retail leadership to virtual SOC operations, my experience centers on building systems, improving processes, and helping people succeed.
- Lead hands-on, performance-based cybersecurity fellowship focused on offensive and defensive training, critical thinking, and open-source tool mastery.
- Direct day-to-day cyber operations, overseeing threat detection, incident response, and risk management across home lab, training, and enterprise SOC environments.
- Design and implement scalable SOC processes, transitioning from HSOC to ESOC using tools like Splunk, Wazuh, Zeek, and TheHive.
- Manage security monitoring workflows: log ingestion, SIEM rules, dashboards, and escalation procedures aligned with MITRE ATT&CK, NIST CSF, and CIS Controls.
- Own vulnerability management lifecycle: scanning, prioritizing, patching, and validating remediation across hybrid environments.
- Mentor and train junior analysts and fellows on A+, Security+, and PenTest+ content via custom labs and CTF scenarios.
- Establish SOC KPIs (alert fidelity, detection coverage, SOC maturity) and communicate progress to leadership.
- Manage department operations while integrating project management practices to improve efficiency and performance.
- Streamlined processes and implemented creative strategies, resulting in a ~15% reduction in operational waste and shrink.
- Collaborated with district staff and vendors to create engaging, theatrical customer experiences, increasing satisfaction scores by ~20%.
- Built repeatable procedures and training approaches, directly mirroring how SOC runbooks and playbooks are developed.
- Managed large-scale, cross-functional IT projects focused on improving organizational processes and systems.
- Implemented process improvements that accelerated project delivery by ~20%.
- Developed risk mitigation strategies, mapping risks to potential system vulnerabilities and controls.
- Led in-person and virtual instruction, applying data-driven strategies to improve student success by ~15%.
- Facilitated professional development for 50+ staff, improving their proficiency with digital tools and boosting virtual instruction efficiency.
- Helped create an entirely online school during COVID, building lessons, structures, and processes from the ground up.
- Developed communication and teaching skills that now support clear, calm explanations of complex security topics.
Let’s talk about security
I’m open to roles in SOC analysis, blue-team operations, incident response, and security-focused IT roles with strong growth paths. I’m happy to walk through my lab environment or specific projects live.
Get in touch
The fastest way to reach me is by email or LinkedIn. I can share my full resume, demo my virtual SOC (Wazuh + Splunk), or walk through ICS/OT and Security+ training projects.
On request, I can provide a live tour of my virtual SOC, LabShock ICS/OT environment, and Security+ escape room, and share documentation that mirrors real SOC deliverables.
Portfolio & Links
Use these links to explore my work, code, and write-ups. Some are placeholders that I will update as I publish more.
- GitHub: github.com/aaronandersoncyber (to be finalized)
- Cyber Portfolio (Google Sites): (link to my Google Sites cyber portfolio)
- HSOC Project Portfolio: (detailed HSOC SOC/ESOC write-ups)
- NCL Reflections: (write-up on my top 10% NCL performance)
As I publish more public content, I’ll turn these placeholders into live links containing project docs, detection engineering notes, and SOC playbooks.