Available for co-op / Summer / Fall 2026

Matthew Vaishnav
I build labs to learn how things break.

CST student at Conestoga. I run a segmented 18-node home lab, ship scripts that actually detect things, and document every decision.

About

"Most people learn security by reading. I learn by building a lab that actually alerts when I'm wrong."

I'm a Computer Systems Technician student at Conestoga who learns by building things, then finding out why they're broken. My home lab isn't a checklist — it's 18 virtual machines across 5 isolated VLANs, running a full SOC stack because I wanted to understand what Security Onion actually sees when Kali attacks Metasploitable.

The log correlation engine I wrote parsed 14,822 entries on its first run and flagged a brute-force chain I had deliberately planted. The DevSecOps pipeline failed the Trivy scan on my own container image. That's the point: I build until it's real enough to actually fail, then I fix it.

I'm pursuing work in SOC analysis or IT infrastructure — somewhere I can take rote knowledge from a classroom and apply it to something that matters.

Profile
Program: CST — Conestoga
Graduating: April 2027
Location: Kitchener-Waterloo, ON
Lab nodes: 18 VMs / 5 VLANs
Security+: 62% / target Summer 2026
THM SOC L2: 78% complete
Co-op: open / Summer or Fall 2026
Certification & Training Progress
CompTIA Security+ / 62% / in progress
TryHackMe SOC Level 2 / 78% / in progress
Cisco Packet Tracer / 100% / complete
CompTIA A+ / 15% / planned
Education & Progression
Sept 2024 — Present
Computer Systems Technician (CST)
Conestoga College / Kitchener-Waterloo, ON
Networking fundamentals, server administration, security principles, and applied systems. Graduating April 2027.
2024 — Ongoing
Self-Built 18-Node Home Lab
Personal Project / Proxmox + pfSense + Security Onion
Designed and operate a segmented SOC lab from scratch — VLAN architecture, IDS/IPS, full observability stack, and IaC provisioning for every node.
2024 — Ongoing
TryHackMe — SOC Level 2 Path
78% complete / Blue team focus
Working through SOC analyst scenarios, threat intel, log analysis, and SIEM operation. Every lab paired with a detection-focused writeup.
Target: Summer 2026
CompTIA Security+
62% study progress
Scheduled alongside co-op search. Validates foundational knowledge already applied in the lab environment.
Projects

Every project here runs against something real — either my own lab or a cloud environment. Output first, description second.

Python / Security
SOC Log Correlation Engine
14,822 log entries parsed / 3 high-severity alerts on first run
Multi-source correlation across auth.log and web access logs. Detects brute-force chains, scanner-to-admin-path recon, and credential stuffing — all mapped to MITRE ATT&CK. Ships a static HTML incident report.
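Worked example of the two correlations the description names, added here by the editor and not the engine's own code. A brute-force chain is five or more sshd failures from one IP inside five minutes, escalated when a login from that IP succeeds shortly after; scanner-to-admin-path recon is a known scanner User-Agent probing admin paths; an IP that shows up in both sources is merged into one high-severity alert. The log lines are constructed, and the thresholds, the scanner and admin-path lists, the assumed year 2025 (syslog omits it) and the ATT&CK mapping (T1110.001, T1078, T1595.002, T1595.003) are the editor's choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: syslog-style sshd lines and nginx combined-format access lines.
# 203.0.113.7 is the planted attacker; 198.51.100.9 is a legitimate user who mistypes once.
AUTH_LOG = """\
Mar  3 10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:04 web01 sshd[2102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:07 web01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:10 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:13 web01 sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:20 web01 sshd[2106]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Mar  3 10:05:00 web01 sshd[2110]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:06:00 web01 sshd[2111]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""
ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2025:10:01:01 +0000] "GET /admin/ HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
203.0.113.7 - - [03/Mar/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Nikto/2.1.6"
198.51.100.9 - - [03/Mar/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = ("nikto", "sqlmap", "nmap", "masscan", "gobuster", "dirbuster")        # assumed list
ADMIN_PATHS = ("/admin", "/wp-login.php", "/phpmyadmin", "/.git", "/manager/html")  # assumed list

def parse_auth(text):
    """(timestamp, ip, user, result) per sshd line. syslog omits the year; 2025 is assumed."""
    out = []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        out.append((datetime.strptime("2025 " + m["ts"], "%Y %b %d %H:%M:%S"), m["ip"], m["user"], m["result"]))
    return out

def parse_access(text):
    """(ip, path, status, lower-cased user-agent) per access-log line."""
    return [(m["ip"], m["path"], int(m["status"]), m["ua"].lower())
            for m in filter(None, map(ACCESS_RE.match, text.splitlines()))]

def detect_bruteforce(auth_events, threshold=5, window=timedelta(minutes=5)):
    """>= threshold failures from one IP inside `window` -> T1110.001; a login from that IP
    within `window` after the burst makes it a chain -> add T1078 and raise severity to high."""
    by_ip = defaultdict(list)
    for ev in auth_events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e[0] for e in evs if e[3] == "Failed"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            success = any(e[3] == "Accepted" and burst[-1] < e[0] <= burst[-1] + window for e in evs)
            alerts[ip] = {"ip": ip, "severity": "high" if success else "medium",
                          "name": "brute-force chain (login after burst)" if success else "brute-force attempt",
                          "techniques": {"T1110.001", "T1078"} if success else {"T1110.001"},
                          "evidence": f"{len(burst)} failed logins within {window}"}
            break
    return alerts

def detect_scanner_recon(access_events):
    """Known scanner User-Agent plus probes of admin paths -> T1595.002 / T1595.003 (Active Scanning)."""
    by_ip = defaultdict(list)
    for ev in access_events:
        by_ip[ev[0]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        scanner = any(s in ua for _, _, _, ua in evs for s in SCANNER_UA)
        admin_hits = sorted({p for _, p, _, _ in evs if p.startswith(ADMIN_PATHS)})
        if scanner and admin_hits:
            alerts[ip] = {"ip": ip, "name": "scanner-to-admin-path recon", "severity": "medium",
                          "techniques": {"T1595.002", "T1595.003"},
                          "evidence": f"scanner User-Agent probed {admin_hits}"}
    return alerts

def correlate(auth_text, access_text):
    """Merge per-IP findings across both sources; an IP present in both is escalated to high."""
    bf = detect_bruteforce(parse_auth(auth_text))
    recon = detect_scanner_recon(parse_access(access_text))
    merged = []
    for ip in set(bf) | set(recon):
        parts = [a for a in (recon.get(ip), bf.get(ip)) if a]
        high = len(parts) == 2 or any(p["severity"] == "high" for p in parts)
        merged.append({"ip": ip, "severity": "high" if high else "medium",
                       "name": " -> ".join(p["name"] for p in parts),
                       "techniques": sorted(set().union(*(p["techniques"] for p in parts))),
                       "evidence": "; ".join(p["evidence"] for p in parts)})
    return sorted(merged, key=lambda a: (a["severity"] != "high", a["ip"]))

if __name__ == "__main__":
    for a in correlate(AUTH_LOG, ACCESS_LOG):
        print(f"[{a['severity'].upper()}] {a['ip']} {a['name']} {a['techniques']} :: {a['evidence']}")
```

Run it and the planted 203.0.113.7 comes out as a single high alert carrying all four technique IDs, while 198.51.100.9's one typo stays silent. Credential stuffing (T1110.004) is the same burst logic keyed on many distinct usernames from one IP rather than repeated attempts on one account; it is left out here to keep the block short.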
Bash / PowerShell / Python
Security Scripting Suite
CIS Benchmark hardening / AD audit with HTML report output
CIS Benchmark server hardening automation, Windows security audit with Active Directory enumeration, and a network recon tool with service fingerprinting and CVE flagging. Production-quality output — every script exits with a structured report.
Terraform / Ansible / Docker / GitHub Actions
DevSecOps Pipeline
Caught 6 critical CVEs in container images before deploy
End-to-end CI/CD with SAST (Bandit, Semgrep), Trivy container scanning, Terraform-managed AWS VPC with flow logging, Ansible provisioning, and hardened images. Pipeline fails on CVSS ≥ 7 — the way it should.
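The CVSS ≥ 7 gate, as an added example (editor's code, not the pipeline's own): a post-processor for the JSON that `trivy image -f json` emits. Trivy entries carry one CVSS block per source (`nvd`, `redhat`, and so on) and sometimes none at all, so the gate takes the highest V3 score across sources and falls back to the severity label's lower bound, meaning an unscored HIGH still blocks. The report below is constructed with placeholder IDs and package names; the `--ignore-unfixed` switch is the editor's and is applied at gate time rather than at scan time.

```python
import json
import sys

# Constructed Trivy report in the shape `trivy image -f json` emits; IDs and packages are placeholders.
TRIVY_REPORT = {"Results": [{"Target": "app:1.0 (debian 12.4)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0-1",
     "FixedVersion": "1.0-2", "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}, "redhat": {"V3Score": 9.1}}},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "InstalledVersion": "2.3",
     "FixedVersion": "2.4", "Severity": "HIGH", "CVSS": {"redhat": {"V3Score": 7.5}}},   # vendor score only
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlibish", "InstalledVersion": "1.2",
     "FixedVersion": "1.3", "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 5.3}}},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "basetool", "InstalledVersion": "0.9",
     "Severity": "HIGH"},                                                                 # no fix, no CVSS block
]}]}

# Lower bound of each Trivy severity label, used when no numeric score is present.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1, "UNKNOWN": 0.0}

def effective_score(vuln):
    """Highest CVSS v3 score across every source Trivy reports; otherwise the severity label's floor."""
    scores = [src.get("V3Score") for src in (vuln.get("CVSS") or {}).values() if isinstance(src, dict)]
    scores = [s for s in scores if isinstance(s, (int, float))]
    return max(scores) if scores else SEVERITY_FLOOR.get(str(vuln.get("Severity", "UNKNOWN")).upper(), 0.0)

def evaluate(report, threshold=7.0, ignore_unfixed=False):
    """Return (passed, failing); failing lists every finding at or above threshold, worst first."""
    failing = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:      # Trivy emits null when a target is clean
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            score = effective_score(vuln)
            if score >= threshold:
                failing.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                                "installed": vuln.get("InstalledVersion"), "fixed": vuln.get("FixedVersion"),
                                "score": score, "target": result.get("Target")})
    failing.sort(key=lambda f: (-f["score"], f["id"]))
    return not failing, failing

def main(argv):
    # Usage: trivy image -f json -o report.json IMAGE && python trivy_gate.py report.json [--ignore-unfixed]
    paths = [a for a in argv[1:] if not a.startswith("--")]
    report = json.load(open(paths[0])) if paths else TRIVY_REPORT
    passed, failing = evaluate(report, ignore_unfixed="--ignore-unfixed" in argv)
    for f in failing:
        fix = f"fix {f['fixed']}" if f["fixed"] else "NO FIX AVAILABLE"
        print(f"FAIL {f['id']} {f['pkg']} {f['installed']} cvss={f['score']} ({fix}) in {f['target']}")
    print("gate:", "PASS" if passed else f"BLOCKED ({len(failing)} finding(s) at CVSS >= 7.0)")
    return 0 if passed else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in right after the scan step: `trivy image -f json -o report.json $IMAGE` followed by `python trivy_gate.py report.json`; a non-zero exit fails the job. Gating on the NVD score alone is the common mistake: entries that only the distro has scored, or that Trivy lists with a severity label and no CVSS block at all, would sail through.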
Docker Compose / Prometheus / Grafana / Loki
Self-Hosted SOC Monitoring Stack
7 services / persistent storage / pre-built alerting rules
Full observability stack — Prometheus, Grafana, Loki, Promtail, AlertManager, Node Exporter, cAdvisor — all on an isolated Docker network. Dashboards show CPU, memory, disk, container health, and log anomalies in one pane.
Ansible / WireGuard / pfSense / GitHub Actions
Lab Infrastructure as Code
Every config change version-controlled / zero manual setup to rebuild
Full IaC coverage of the home lab — Ansible playbooks provision each VM from scratch, WireGuard peer configs auto-rotate on a schedule, pfSense firewall rules deploy from YAML, and GitHub Actions commits every lab change automatically. If the host dies, the lab rebuilds from git.
Roadmap: in progress & planned before co-op
In Progress
AWS / Terraform / CloudTrail / GuardDuty / Lambda
Cloud Security Monitoring on AWS
CloudTrail → GuardDuty → SNS alert pipeline / threat detection in a live cloud environment
Provisioning a hardened AWS environment with Terraform: VPC with isolated subnets, CloudTrail enabled across all regions, GuardDuty threat detection, and a Lambda function that fires an SNS alert on any high-severity finding. S3 access logging with anomaly alerts. Demonstrates cloud-native security tooling alongside the on-prem lab.
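The Lambda stage of the CloudTrail → GuardDuty → SNS pipeline, as an added example (editor's code, not the project's): an EventBridge-triggered handler that publishes only findings at severity 7.0 and above. The two events are constructed in the shape EventBridge delivers GuardDuty findings, with placeholder account, finding and instance IDs; the finding type strings are real GuardDuty finding types. The `TOPIC_ARN` and `SEVERITY_THRESHOLD` environment variables and the injectable `publish` callable are the editor's conventions.

```python
import json
import os

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
THRESHOLD = float(os.environ.get("SEVERITY_THRESHOLD", "7.0"))

# Constructed EventBridge events in the shape GuardDuty findings arrive in. Account, finding and
# instance IDs are placeholders; the finding type strings are real GuardDuty finding types.
HIGH_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "id": "00000000000000000000000000000001", "accountId": "123456789012", "region": "us-east-1",
    "severity": 8, "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "title": "EC2 instance i-00000000000000001 is querying a domain name associated with cryptocurrency.",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-00000000000000001"}},
    "service": {"count": 3, "eventFirstSeen": "2025-03-04T02:10:00Z", "eventLastSeen": "2025-03-04T02:40:00Z"}}}
LOW_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "id": "00000000000000000000000000000002", "accountId": "123456789012", "region": "us-east-1",
    "severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort",
    "title": "Unprotected port on EC2 instance i-00000000000000002 is being probed.",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-00000000000000002"}},
    "service": {"count": 41, "eventFirstSeen": "2025-03-04T01:00:00Z", "eventLastSeen": "2025-03-04T02:40:00Z"}}}

def should_alert(event, threshold=THRESHOLD):
    """True when the finding's numeric severity meets the threshold; malformed input never alerts."""
    try:
        return float(event["detail"]["severity"]) >= threshold
    except (KeyError, TypeError, ValueError):
        return False

def summarize(event):
    """Build the SNS subject (hard limit of 100 ASCII chars) and a JSON body an analyst can act on."""
    d = event["detail"]
    res = d.get("resource", {})
    target = (res.get("instanceDetails", {}).get("instanceId")
              or res.get("accessKeyDetails", {}).get("userName")
              or res.get("resourceType", "unknown"))
    subject = f"[GuardDuty {d['severity']}] {d['type']}"[:100]
    body = {"severity": d["severity"], "type": d["type"], "title": d.get("title"),
            "account": d.get("accountId"), "region": d.get("region"), "resource": target,
            "count": d.get("service", {}).get("count"),
            "first_seen": d.get("service", {}).get("eventFirstSeen"),
            "last_seen": d.get("service", {}).get("eventLastSeen"), "finding_id": d.get("id")}
    return subject, json.dumps(body, indent=2)

def lambda_handler(event, context, publish=None):
    """EventBridge -> Lambda entry point. `publish(subject, message)` is injectable for tests;
    by default it calls SNS Publish on the topic named by the TOPIC_ARN environment variable."""
    if not should_alert(event):
        return {"alerted": False, "reason": "severity below threshold"}
    subject, message = summarize(event)
    if publish is None:
        import boto3  # present in the Lambda runtime; imported lazily so the module runs offline
        sns = boto3.client("sns")
        def publish(subject, message):
            sns.publish(TopicArn=os.environ["TOPIC_ARN"], Subject=subject, Message=message)
    publish(subject, message)
    return {"alerted": True, "subject": subject}
```

In production the EventBridge rule can already drop low findings with a numeric match on `detail.severity` (`{"numeric": [">=", 7]}`), so the handler's own check is a second line rather than the only one. The function's IAM role needs `sns:Publish` on the topic and nothing else; the SNS subject is capped at 100 characters, which is why it is sliced.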
Target: April 2026
In Progress
Python / Elastic / MITRE ATT&CK / STIX/TAXII
Automated Threat Intel Enrichment Tool
Auto-tags IOCs against live MITRE ATT&CK / enriches alerts with context before they hit the analyst queue
A Python daemon that pulls IOCs from an open STIX/TAXII feed, maps them to ATT&CK techniques, and automatically annotates matching alerts in Elastic Security. Reduces manual triage by surfacing attacker context — campaign name, technique, known tools — directly in the alert. Designed to slot into the existing SOC monitoring stack.
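How the indicator-to-technique mapping works, as an added example (editor's code, not the daemon's): a STIX 2.1 bundle is indexed by observable value, following `indicates` relationships from each indicator to the attack-pattern, intrusion-set and malware objects it points at, and an Elastic alert carrying ECS fields (`source.ip`, `destination.ip`, `dns.question.name`) is annotated with a `threat` block. The bundle is constructed with placeholder UUIDs and a made-up group and tool; the technique IDs are real ATT&CK IDs. Fetching the bundle over TAXII and writing the annotation back into Elastic are outside the block.

```python
import re

# Constructed STIX 2.1 bundle of the kind a TAXII collection returns. Object IDs are placeholder
# UUIDs, the group and tool names are made up; the technique IDs are real ATT&CK identifiers.
IND_IP = "indicator--00000000-0000-4000-8000-000000000010"
IND_DOM = "indicator--00000000-0000-4000-8000-000000000011"
AP_BRUTE = "attack-pattern--00000000-0000-4000-8000-000000000020"
AP_PHISH = "attack-pattern--00000000-0000-4000-8000-000000000021"
GROUP = "intrusion-set--00000000-0000-4000-8000-000000000030"
TOOL = "malware--00000000-0000-4000-8000-000000000040"
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "id": IND_IP, "pattern_type": "stix", "labels": ["malicious-activity"],
     "pattern": "[ipv4-addr:value = '203.0.113.7']", "valid_from": "2025-03-01T00:00:00Z"},
    {"type": "indicator", "id": IND_DOM, "pattern_type": "stix", "labels": ["malicious-activity"],
     "pattern": "[domain-name:value = 'login-portal.example']", "valid_from": "2025-03-01T00:00:00Z"},
    {"type": "attack-pattern", "id": AP_BRUTE, "name": "Brute Force: Password Guessing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1110.001"}]},
    {"type": "attack-pattern", "id": AP_PHISH, "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "intrusion-set", "id": GROUP, "name": "Example Group (constructed)"},
    {"type": "malware", "id": TOOL, "name": "ExampleTool (constructed)"},
    {"type": "relationship", "relationship_type": "indicates", "source_ref": IND_IP, "target_ref": AP_BRUTE},
    {"type": "relationship", "relationship_type": "indicates", "source_ref": IND_IP, "target_ref": GROUP},
    {"type": "relationship", "relationship_type": "indicates", "source_ref": IND_DOM, "target_ref": AP_PHISH},
    {"type": "relationship", "relationship_type": "uses", "source_ref": GROUP, "target_ref": TOOL},
]}

# Single-comparison STIX patterns only, e.g. [ipv4-addr:value = '...']; compound patterns are skipped.
PATTERN_RE = re.compile(r"^\[\s*(?P<obj>[\w-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']*)'\s*\]$")

def parse_pattern(pattern):
    m = PATTERN_RE.match(pattern.strip())
    return (m["obj"], m["val"]) if m else None

def build_index(bundle):
    """Map (stix-object-type, value) -> ATT&CK techniques, groups and tools linked to that indicator."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    rels = [o for o in bundle["objects"] if o.get("type") == "relationship"]
    def linked(src_id, rel_type, obj_type):
        return [objs[r["target_ref"]] for r in rels if r["relationship_type"] == rel_type
                and r["source_ref"] == src_id and objs.get(r["target_ref"], {}).get("type") == obj_type]
    index = {}
    for ind in (o for o in objs.values() if o["type"] == "indicator"):
        key = parse_pattern(ind["pattern"])
        if key is None:
            continue
        techniques = linked(ind["id"], "indicates", "attack-pattern")
        groups = linked(ind["id"], "indicates", "intrusion-set")
        tools = linked(ind["id"], "indicates", "malware") + linked(ind["id"], "indicates", "tool")
        for g in groups:  # pull in tooling the attributed group is known to use
            tools += linked(g["id"], "uses", "malware") + linked(g["id"], "uses", "tool")
        index[key] = {
            "indicator_id": ind["id"],
            "technique_ids": sorted({ref["external_id"] for t in techniques
                                     for ref in t.get("external_references", [])
                                     if ref.get("source_name") == "mitre-attack"}),
            "technique_names": sorted({t["name"] for t in techniques}),
            "groups": sorted({g["name"] for g in groups}),
            "tools": sorted({t["name"] for t in tools}),
        }
    return index

def observables(alert):
    """Translate the ECS fields an Elastic alert carries into index lookup keys."""
    keys = [("ipv4-addr", alert[f]["ip"]) for f in ("source", "destination") if alert.get(f, {}).get("ip")]
    name = alert.get("dns", {}).get("question", {}).get("name")
    return keys + ([("domain-name", name)] if name else [])

def enrich_alert(alert, index):
    """Return a copy of the alert with a `threat` block when any observable matches a known IOC."""
    hits = [(k, index[k]) for k in observables(alert) if k in index]
    enriched = dict(alert)
    if hits:
        merge = lambda field: sorted({v for _, h in hits for v in h[field]})
        enriched["threat"] = {"matched_iocs": [f"{obj}:{val}" for (obj, val), _ in hits],
                              "technique_ids": merge("technique_ids"), "technique_names": merge("technique_names"),
                              "groups": merge("groups"), "tools": merge("tools")}
    return enriched
```

Only single-comparison patterns are indexed; compound patterns (`AND`, `OR`, `FOLLOWEDBY`) are skipped rather than mis-parsed, which is the safe failure mode for an enrichment step. Indicators whose `valid_until` is in the past should also be dropped at index time in the real daemon, or stale IOCs will keep decorating alerts.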
Target: March 2026
Planned
Python / Syslog / pfSense / Suricata / Elastic
Firewall Rule Audit & Drift Detection
Catches unauthorized rule changes before they become incidents
A script that snapshots pfSense firewall rules on a schedule, diffs against the last known-good state, and ships an alert to Elastic if anything changed outside a maintenance window. Designed for the kind of infrastructure work where a config drift at 2am goes unnoticed until something breaks. Pairs with the existing IaC pipeline.
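The snapshot, diff and maintenance-window logic of the planned tool, as an added example (editor's code, not the project's). Two trimmed config.xml fragments stand in for the last known-good copy and the scheduled snapshot (constructed; the field names follow pfSense's `<filter>` section, and pulling the file off the firewall is assumed to happen outside this script). Volatile fields are dropped before hashing so a re-save without a behavioural change is not drift; the Sunday 02:00-04:00 UTC window and the ECS-style layout of the alert document are the editor's assumptions.

```python
import hashlib
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed config.xml fragments in the shape pfSense stores its <filter> section (trimmed to the
# fields that matter). <tracker> and <updated> change on every save and must not count as drift.
BASELINE_XML = """<pfsense><filter>
<rule><tracker>1709000001</tracker><type>pass</type><interface>lan</interface><ipprot
ocol>inet</ipprotocol>
<protocol>tcp</protocol><source><any></any></source><destination><address>192.168.20.10</address><port>443</port></destination>
<descr>Mgmt to Security Onion UI</descr><updated><time>1709000001</time><username>admin</username></updated></rule>
<rule><tracker>1709000002</tracker><type>block</type><interface>opt4</interface><ipprotocol>inet</ipprotocol>
<source><network>opt4</network></source><destination><any></any></destination><descr>Victim VLAN: no egress</descr></rule>
</filter></pfsense>""".replace("ipprot\nocol", "ipprotocol")
# Same two rules (the first re-saved, so tracker/updated differ) plus an unexplained SMB egress allow.
DRIFTED_XML = """<pfsense><filter>
<rule><tracker>1709000001</tracker><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol>
<protocol>tcp</protocol><source><any></any></source><destination><address>192.168.20.10</address><port>443</port></destination>
<descr>Mgmt to Security Onion UI</descr><updated><time>1741054200</time><username>admin</username></updated></rule>
<rule><tracker>1709000002</tracker><type>block</type><interface>opt4</interface><ipprotocol>inet</ipprotocol>
<source><network>opt4</network></source><destination><any></any></destination><descr>Victim VLAN: no egress</descr></rule>
<rule><tracker>1741054200</tracker><type>pass</type><interface>opt4</interface><ipprotocol>inet</ipprotocol>
<protocol>tcp</protocol><source><network>opt4</network></source><destination><any></any><port>445</port></destination>
<descr></descr></rule>
</filter></pfsense>"""

def as_dt(ts):
    """Accept a datetime or an ISO-8601 string."""
    return datetime.fromisoformat(ts) if isinstance(ts, str) else ts

def endpoint(node):
    """Collapse a <source>/<destination> element to one stable string."""
    if node is None or node.find("any") is not None:
        return "any"
    for tag in ("network", "address"):
        el = node.find(tag)
        if el is not None and el.text:
            return el.text.strip()
    return "any"

def normalize_rules(xml_text):
    """Ordered list of enabled rules reduced to the fields that define behaviour."""
    rules = []
    for r in ET.fromstring(xml_text).iterfind("./filter/rule"):
        if r.find("disabled") is not None:
            continue
        dst = r.find("destination")
        rules.append({"type": r.findtext("type", "pass"), "interface": r.findtext("interface", ""),
                      "ipprotocol": r.findtext("ipprotocol", "inet"), "protocol": r.findtext("protocol", "any"),
                      "src": endpoint(r.find("source")), "dst": endpoint(dst),
                      "dst_port": dst.findtext("port", "any") if dst is not None else "any",
                      "descr": (r.findtext("descr") or "").strip()})
    return rules

def fingerprint(rule):
    return hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()

def diff_rules(baseline_xml, current_xml):
    """Set difference on rule fingerprints: what appeared and what vanished since the known-good snapshot."""
    base = {fingerprint(r): r for r in normalize_rules(baseline_xml)}
    cur = {fingerprint(r): r for r in normalize_rules(current_xml)}
    return {"added": [cur[k] for k in cur if k not in base], "removed": [base[k] for k in base if k not in cur]}

def in_maintenance_window(ts, weekday=6, start_hour=2, end_hour=4):
    """Assumed window: Sundays 02:00-04:00 UTC. Change this to match the lab's real schedule."""
    ts = as_dt(ts)
    return ts.weekday() == weekday and start_hour <= ts.hour < end_hour

def build_alert(diff, ts, host="pfsense"):
    """ECS-style document for Elastic; None when nothing changed. Drift inside the window is
    recorded as an event, drift outside it as an alert."""
    if not (diff["added"] or diff["removed"]):
        return None
    ts = as_dt(ts)
    unexpected = not in_maintenance_window(ts)
    return {"@timestamp": ts.isoformat(), "host": {"name": host},
            "event": {"kind": "alert" if unexpected else "event", "category": ["configuration"],
                      "action": "firewall-rule-drift"},
            "rule_diff": diff,
            "message": f"{len(diff['added'])} rule(s) added, {len(diff['removed'])} removed "
                       + ("outside maintenance window" if unexpected else "during maintenance window")}

if __name__ == "__main__":
    print(json.dumps(build_alert(diff_rules(BASELINE_XML, DRIFTED_XML), datetime.now(timezone.utc)), indent=2))
```

Because the comparison is set-based, a pure reordering of rules is not reported; pfSense evaluates rules first-match, so a reorder can change behaviour just as much as a new rule, and a positional compare (index the normalized list) is the obvious extension. Keeping the baseline in the same git repo as the IaC-deployed YAML is what turns "something changed" into "something changed that the pipeline did not push".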
Target: May 2026
Planned
Azure / Sentinel / KQL / Logic Apps
Azure Sentinel SIEM Lab
Hands-on with enterprise SIEM used by most Canadian SOC teams
Stand up a Microsoft Sentinel workspace in Azure, ingest Windows Security Event logs, write KQL detection rules for common attack patterns (pass-the-hash, brute force, privilege escalation), and build an automated response playbook with Logic Apps. Chosen because Sentinel dominates the Canadian mid-market — the tooling employers actually use.
Target: June 2026
Why Me

What you're actually getting.

Most candidates have read the textbook. I've broken production, fixed it, and written the post-mortem.

01 🏗
Lab-proven, not just theory
Every skill on this page was earned against a running system — 18 VMs, 5 isolated VLANs, real alerts, real failures. I didn't simulate an attack; I launched one, watched Security Onion detect it, and wrote the rule.
Verifiable on GitHub
02 🔍
Thinks like a defender, operates like an attacker
Every CTF writeup ends with detection notes and a one-line fix. I don't just pop a shell — I ask "how would a SOC analyst have seen this?" and write the Sigma rule to prove it.
CTF writeups with detection coverage
03 📋
Ships documented, reviewable work
Every project exits with structured HTML reports, version-controlled configs, and reproducible builds. If the host dies, the lab rebuilds from git in minutes. That's the discipline your team needs on day one.
IaC + Git-tracked everything

Core Security

Network Security & VLANs: 90%
SIEM / Log Analysis (Security Onion): 82%
Incident Detection & Response: 78%
Penetration Testing (CTF): 72%

Infrastructure & Automation

Linux Administration: 88%
Ansible / Terraform (IaC): 85%
Python / Bash Scripting: 80%
Docker / CI-CD Pipelines: 75%
CTF Labs

Each lab steps through the attack chain end to end: the command run, the log line it generated, the ATT&CK technique, and the detection rule that catches it. Offense and defense, side by side.

Currently Working On

Three things in parallel right now: finishing the TryHackMe SOC Level 2 path, shipping the AWS cloud security project so the portfolio covers both on-prem and cloud, and pushing through the last stretch of CompTIA Security+ study. Every week something new goes on GitHub.

CompTIA Security+ / 62% complete
Professor Messer's course + Darril Gibson practice exams. Exam target: Summer 2026. Domain coverage: Threats & Vulnerabilities, Architecture, Implementation.
TryHackMe SOC Level 2 / 78% complete
Covering threat intelligence frameworks (MISP, OpenCTI), advanced log analysis with Splunk and Elastic, malware analysis fundamentals, and digital forensics.
AWS Cloud Security Lab / in progress
CloudTrail + GuardDuty + Lambda alert pipeline on a hardened VPC. Goal: demonstrate cloud-native detection alongside the on-prem SOC stack. Target: April 2026.
Threat Intel Enrichment Tool / in progress
Python daemon pulling from a STIX/TAXII feed, mapping IOCs to ATT&CK, annotating Elastic alerts automatically. Makes the SOC stack smarter without adding analyst workload.
HackTheBox writeups / 2 queued
HTB Active (GPP creds + Kerberoasting) and HTB Lame (legacy service exploitation). Both include Suricata/Sigma detection rules — offensive work that pays off defensively.
Homelab → GitHub Automated Sync
A GitHub Actions pipeline that commits config changes and new scripts from the lab automatically. Keeps the portfolio current without a manual push every time.
Home Lab Architecture

A segmented virtual lab environment running on VMware Workstation. One isolated VLAN per security zone, all inter-VLAN and WAN traffic routed through pfSense, with Security Onion passively sniffing the SPAN port.

18 live nodes / +5 planned
6 isolated VLANs (5 live, VLAN 60 planned for cloud)
100% of traffic crossing pfSense monitored (SPAN)
IaC: Ansible + Terraform
THREAT INTEL
CVE-2025-21418 / Windows AFD Driver / CVSS 7.8 / Actively Exploited
CVE-2025-21391 / Windows Storage EoP / CVSS 7.1 / CISA KEV
CVE-2025-0282 / Ivanti Connect Secure / CVSS 9.0 / Zero-Day
CVE-2024-55591 / FortiOS Auth Bypass / CVSS 9.6 / Actively Exploited
CVE-2025-23006 / SonicWall SMA RCE / CVSS 9.8 / Zero-Day
CVE-2024-3400 / PAN-OS Command Injection / CVSS 10.0 / Actively Exploited
Internet / WAN
  |
pfSense Firewall / 192.168.1.1 / VLAN trunk / firewall, NAT, IDS/IPS, HAProxy, SPAN port / online

VLAN 10: MANAGEMENT (internal)
Windows Server 2019 / 192.168.10.10 / AD, DNS, DHCP, GPO
Ubuntu Server 22.04 / 192.168.10.20 / Ansible, Terraform, jump box
Windows 10 Workstation / 192.168.10.30 / domain-joined endpoint, RDP

VLAN 20: SECURITY (monitoring)
Security Onion 2.4 / 192.168.20.10 / SIEM, Zeek, Elastic
Kali Linux 2024 / 192.168.20.20 / Metasploit, Burp
OpenVAS Scanner / 192.168.20.30 / vulnerability scanner, CVE flagging

VLAN 30: OBSERVABILITY (monitoring)
Docker Host / 192.168.30.10 / Prometheus, Grafana, Loki
AlertManager / 192.168.30.20 / Node Exporter, cAdvisor, Loki
Uptime Kuma / 192.168.30.30 / HTTP checks, ntfy

VLAN 40: LAB / VICTIM (isolated)
Metasploitable 3 / 192.168.40.10 / vulnerable target, SMB CVEs
DVWA / 192.168.40.20 / SQL injection, XSS, CSRF
Kioptrix Level 1 / 192.168.40.30 / boot2root, Samba
Win 11 Target / 192.168.40.40 / planned / LOLBAS
Vuln API / 192.168.40.50 / planned / API Top 10

VLAN 50: DMZ (internet-facing)
Nginx Reverse Proxy / 192.168.50.10 / reverse proxy, TLS
Nextcloud / 192.168.50.20 / self-hosted file server, OAuth
WireGuard VPN / 192.168.50.30 / remote access, split tunnel

VLAN 60: CLOUD (planned)
AWS VPC / 10.0.1.0/24 / us-east-1 / Terraform-managed VPC
GuardDuty / AWS-managed / GuardDuty, CloudTrail
Microsoft Sentinel / Azure-managed / Sentinel, KQL

Hypervisor: VMware Workstation on a Windows 11 host

Contact

Let's work
together.

I'm looking for a co-op placement starting Summer or Fall 2026 — SOC analysis, IT infrastructure, or security operations. Based in Kitchener-Waterloo, open to in-person, hybrid, or remote across Ontario.

If something in this portfolio is relevant to your team, reach out. I'll respond within a day.

Actively available / Kitchener-Waterloo, ON