About

Mansour Jalaly

Security engineer in London, working across detection engineering, digital forensics and incident response, and cloud security. The short version: find how systems fail, build the detections and automation that catch it, and explain the risk in terms people can act on.

Profile

Detection-led security across cloud operations, investigation, and response.

Mansour works across detection engineering, incident response, and threat intelligence, with a focus on making large-scale telemetry reliable, actionable, and valuable to defenders. He builds detection content as code and validates it end-to-end in a self-hosted, cloud-integrated lab.

At Oracle, he designs and owns ML-assisted detection models for Oracle Cloud Infrastructure, leads investigations spanning cloud and endpoint environments, and engineers the automation that keeps response fast and consistent.

Before that, at S-RM, he led DFIR engagements — ransomware, business email compromise, insider threat, and cloud intrusion — for clients ranging from SMEs to large enterprises, pairing forensic rigour with clear executive communication.

Base: London, United Kingdom
Current role: Security Engineer, Oracle
Focus: Detection engineering, cloud security, incident response, and threat intelligence.
Approach: Evidence-driven, automation-first, and grounded in how systems behave in production.

Core Capabilities

Where the work concentrates.

Detection Engineering

ML-assisted detection models, Sigma rules managed as code with CI/CD testing, and MITRE ATT&CK coverage tracking across high-volume telemetry.

Cloud Security

IAM design, network segmentation, KMS, and logging architecture across OCI, AWS, and Azure — with infrastructure-as-code security review.

Incident Response & Forensics

End-to-end investigations across cloud and endpoint environments: endpoint, malware, and network forensics with full evidential integrity.

Threat Intelligence & Hunting

Threat-intel integration into SIEM and detection pipelines, IOC/IOA correlation, and ATT&CK-aligned hunts that close real coverage gaps.

Security Automation

SOAR playbooks automating triage, enrichment, and escalation; Python, Go, and Terraform tooling that reduces analyst effort and response time.

Governance & Advisory

Risk assessments and control reviews aligned with NIST and ISO 27001, plus executive reporting that turns incidents into decisions.

Experience

Enterprise security operations and client-facing response.

Security Engineer · Oracle

London · Oct 2023 — Present

Detection engineering and incident response for Oracle Cloud Infrastructure, owning ML-assisted detection development across high-volume telemetry.

Detection engineering
Designed and now own ML-assisted detection models for OCI, improving true-positive accuracy by ~30% and cutting false positives by 75%, while expanding visibility through optimised log pipelines, IAM policies, and event routing.
Detection as code
Maintain Sigma rules in Git with automated testing in CI/CD, mapped to MITRE ATT&CK for coverage tracking.
Response & automation
Lead investigations across cloud and endpoint environments and have engineered SOAR playbooks for triage, enrichment, and escalation — improving mean time to detect by ~60%.
Intelligence & governance
Have integrated threat-intelligence feeds into detection pipelines, run ATT&CK-aligned hunts that close coverage gaps, and deliver NIST/ISO 27001-aligned risk reviews and executive incident reporting.

Cyber Security Analyst · S-RM

London · Sept 2021 — Oct 2023

DFIR and security consulting for client environments ranging from SMEs to large enterprises.

DFIR
Led ransomware, BEC, insider-threat, and cloud-intrusion investigations; conducted endpoint, malware, and network/cloud forensics with chain-of-custody, delivering containment guidance that reduced client downtime.
Threat intelligence
Produced ATT&CK-aligned threat assessments and adversary behaviour analysis that directly strengthened client detection and response posture.
Security consulting
Implemented and tuned EDR, SIEM, and IDS deployments; advised on IAM, Windows administration, virtualisation, and secure remote access.
Communication
Briefed client leadership during live incidents; post-incident documentation drove long-term remediation roadmaps.

Earlier roles at Samsung (Harrods) and King’s College London IT support built the foundations applied daily in security work: translating technical detail for non-technical audiences, troubleshooting under time pressure, and managing demanding stakeholders.

Selected Work

Research and engineering, validated end-to-end.

Problem
Detection content is only ever as good as the last attacker who tested it, and human red teams are expensive and episodic — leaving the lab idle and coverage gaps unmeasured between engagements.
Contribution
Built a local, air-gapped experiment running two AI agent crews against each other: a red crew that plans and executes scoped attack behaviour, and a blue crew that triages the resulting telemetry and proposes detections. Runs entirely on local hardware (CrewAI orchestration, Ollama-served models, ChromaDB for RAG) as a glass box — every plan, tool call, and decision logged and human-reviewed.
Outcome
A continuously refreshed gap list of techniques the detection stack failed to see, generated at a cadence no human red team could sustain — with every proposed rule landing in a human review queue, never straight to production.

CrewAI · Ollama · ChromaDB · Docker · Python · MITRE ATT&CK

Problem
Validating detection logic against realistic attack traffic is difficult without a representative environment — production telemetry is noisy and tightly controlled.
Contribution
Built a Terraform-provisioned hybrid lab simulating enterprise infrastructure, with Zeek and Suricata telemetry feeding ML models (Random Forest, Isolation Forest) trained on PCAP datasets, MISP for threat-intel correlation, and OCI for compute-heavy analytics. Fully containerised for reproducibility.
Outcome
An end-to-end testbed for validating detections before they ship — now expanding into unsupervised anomaly detection and cloud-native SIEM pipelines.

Python · Terraform · OCI · Zeek · Suricata · Scikit-learn · MISP · Docker

Problem
Home and small-office networks rarely have any detection capability, and commercial NIDS options are over-specified for the footprint.
Contribution
Designed and deployed a Raspberry Pi-based NIDS for real-time network monitoring, shipping Snort alerts via Filebeat to a self-hosted Elastic SIEM with Kibana dashboards — covering hardware selection, configuration, and detection tuning end-to-end.
Outcome
Continuous, low-cost network visibility with tuned signatures and dashboards — and a working reference for SME-scale detection architecture.

Snort3 · Elasticsearch · Kibana · Filebeat · Python · C/C++


Anomalous System Call Detection via Static Analysis

2019 — 2020 · Secure Systems Lab, King’s College London

Problem
Signature-based host IDS misses novel exploitation; anomaly detection on system-call behaviour offers a path to catching unknown attacks.
Contribution
Built an anomaly-based IDS for UNIX systems, parsing system calls captured via strace/ptrace into training datasets and applying a probabilistic detection model. Supervised by Prof. Lorenzo Cavallaro, Chair of Cybersecurity at KCL.
Outcome
Successfully identified a stack-based buffer overflow on an Ubuntu i386 target from system-call behaviour alone.

C · Python · strace · ptrace · NumPy


Credentials

Certifications and technical stack.

CISSP

ISC2 · Nov 2025

Security architecture, risk management, IAM, and security operations across the eight CISSP domains.

OCI Security Professional

Oracle · Aug 2025

Cloud security architecture, IAM, KMS, logging, and threat detection on OCI.

GIAC Security Essentials (GSEC)

SANS Institute · Feb 2022 · renewed Feb 2026

Hands-on defensive security fundamentals (SEC401).

BSc Computer Science

King’s College London, 2020

Programming & Automation

Python · Go · Bash · PowerShell · SQL · Terraform · CloudFormation · CI/CD · SOAR playbooks

Cloud & Platform Security

AWS · Azure · OCI · IAM design · Network segmentation · KMS · Logging & telemetry pipelines · IaC security review

Detection & IR Tooling

Splunk · Elastic Stack · Sigma · YARA · Snort / Suricata · Zeek · Velociraptor · KAPE · Axiom · SentinelOne · osquery · Sysmon

Frameworks & Standards

MITRE ATT&CK · NIST CSF · NIST 800-53 · ISO/IEC 27001 · CIS Controls · OWASP Top 10