Navy veteran and defense contractor transitioning into cybersecurity through the SANS ACS program. GIAC-certified (GFACT, GSEC, GCIH) with a roadmap through GPCS (cloud security) plus AWS, Azure, and AI/ML credentials — building toward cloud-native SOC operations and AI/ML-informed detection and response. Near-term target: SOC or MDR Analyst. Longer term: cloud detection and response.

Four years in the Navy as an ROV operator and sonar technician, leading 150+ personnel in CIC operations across a full deployment. Two years at Harris Corporation running unmanned surface vehicles in multinational operations — 190+ missions, 500+ hours of remote ops, building SOPs from scratch where no documentation existed. Every role came down to the same loop: ingest sensor data, identify what's wrong, escalate or resolve, leave a record the next person can trust.

I built a homelab to bridge coursework and real operations: segmented VLANs behind OPNsense with Suricata IDS, feeding telemetry into Wazuh and Splunk. That environment produced MDR-style triage runbooks, Sigma and YARA detection rules mapped to MITRE ATT&CK, simulated intrusion investigations using Volatility and mactime, and a full purple-team exercise with executive reporting. Everything is documented and published.

Lab 1 — ELK SIEM: Single-node ELK 8.x ingesting Windows, Linux, and OPNsense telemetry. 29,000+ events indexed, 10 KQL detection rules mapped to ATT&CK, three Kibana dashboards, full evidence index.

Lab 2 — Active Directory Attack & Defense: Windows Server 2022 domain built from scratch. Full AD attack chain from Kali — BloodHound, Kerberoasting, AS-REP Roasting, LSASS dumping (blocked by Defender PPL), DCSync. Six validated Elastic detection rules, a real telemetry gap identified and remediated mid-lab, and full domain hardening: Protected Users, AES-only Kerberos, PreAuth enforcement, DS auditing.
Member Since
May 21, 2026