David Wolf · Project Use Case
AI SECURITY · PRODUCT SECURITY · DEVO
Devo
Mapping Motives: Analysis of 2,000 Enterprise Cloud Detections
Linux Foundation / Cloud Native SecurityCon research on enterprise cloud detections, cloud SOC maturity, ATT&CK-aligned motives, and the growing...
Presented Cloud Native SecurityCon North America 2023 research with Joshua Smith at Devo, analyzing 2,000 enterprise cloud detections to explain how cloud detections, controls, motives, ATT&CK mapping, and SIEM maturity patterns...

Client
Devo
Engagement Type
Full-Time role and conference research
Period
2022–2023
Role
Security Research Engineer - Architecture Innovation / Conference Speaker
Focus Areas
Cloud Native Security, Detection Engineering, Cloud SIEM, Enterprise Cloud Detections
The Research Narrative
Consulting Proof
This is evidence of turning messy security telemetry into explainable dashboards, alert-quality improvements, and executive-ready operating views.
The Context
By early 2023, cloud-native security had moved beyond Kubernetes alone. SOCs were increasingly responsible for cloud infrastructure, SaaS workspaces, multi-cloud identity, cloud controls, and telemetry sources that did not fit older SIEM assumptions.
The Challenge
The challenge was to turn a large body of enterprise detection content into a meaningful security story. Raw detection counts alone do not explain maturity. The research needed to connect cloud detection coverage, motive mapping, ATT&CK-style reasoning, SIEM taxonomy, cloud providers, workspaces, and SOC operating patterns into a narrative that practitioners could use.
What I Did
- Analyzed approximately 2,000 enterprise cloud detections to identify patterns in cloud-native security coverage, detection intent, and SOC maturity
- Mapped detection content against attacker motives, behavior patterns, cloud infrastructure risks, workspace risks, and ATT&CK-style analytic categories
- Used Devo cloud-native SIEM research context to understand how enterprise and MSSP deployments were incorporating cloud detections into modern detection stacks
- Compared cloud detections across infrastructure and workspace domains to understand where coverage was growing and where taxonomy remained fragmented
- Connected detection-engineering research to practical cloud SOC needs: onboarding, normalization, taxonomy, triage, and analytic prioritization
- Helped frame cloud detections as increasingly central to SOC strategy rather than an edge case beside endpoint or network monitoring
- Translated large-scale detection analysis into conference-ready security research for a cloud-native security audience
- Connected the work to broader Devo architecture innovation efforts around reference architectures, taxonomy standardization, Exchange-content validation, and migration patterns from legacy SIEM logic
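As an added illustration (not Devo's code or the research's own tooling) of the motive-mapping and taxonomy-fragmentation analysis the list describes, this script normalizes inconsistent tactic labels across a constructed sample of cloud detection rules, maps each tactic to an assumed attacker motive, flags rules with no ATT&CK technique, and reports which tactics are covered in the infrastructure domain but not the workspace domain and vice versa. The sample rules, the motive table, and the function names are assumptions.

```python
# Added example: motive mapping and coverage-gap analysis over constructed detections.
from collections import Counter, defaultdict

# Constructed sample: each rule carries its own (inconsistent) tactic label,
# the cloud domain it watches, and an ATT&CK technique id where one was assigned.
SAMPLE_DETECTIONS = [
    {"name": "IAM user created by unfamiliar principal", "domain": "infrastructure",
     "tactic": "Persistence", "technique": "T1136"},
    {"name": "Root account console login without MFA", "domain": "infrastructure",
     "tactic": "initial-access", "technique": "T1078"},
    {"name": "Security group opened to 0.0.0.0/0", "domain": "infrastructure",
     "tactic": "Defense Evasion", "technique": "T1562"},
    {"name": "Mail forwarding rule to external domain", "domain": "workspace",
     "tactic": "collection", "technique": "T1114"},
    {"name": "OAuth app granted broad drive scope", "domain": "workspace",
     "tactic": "Persistence", "technique": None},
    {"name": "Mass file download from shared drive", "domain": "workspace",
     "tactic": "Exfiltration", "technique": "T1567"},
]

# Assumed motive table: normalized ATT&CK tactic -> the attacker goal a SOC triages for.
TACTIC_TO_MOTIVE = {
    "initial-access": "get a foothold", "persistence": "keep access",
    "defense-evasion": "hide activity", "collection": "gather data",
    "exfiltration": "steal data",
}

def normalize_tactic(label: str) -> str:
    """Collapse 'Defense Evasion', 'defense_evasion', 'DEFENSE-EVASION' to one key."""
    return label.strip().lower().replace(" ", "-").replace("_", "-")

def map_motives(detections):
    """Per-domain tactic counts, the motive each tactic serves, and untagged rules."""
    coverage = defaultdict(Counter)
    untagged = []
    for d in detections:
        coverage[d["domain"]][normalize_tactic(d["tactic"])] += 1
        if d["technique"] is None:  # taxonomy gap: rule has no ATT&CK technique
            untagged.append(d["name"])
    motives = {t: TACTIC_TO_MOTIVE.get(t, "unmapped")
               for dom in coverage.values() for t in dom}
    return {"coverage": {k: dict(v) for k, v in coverage.items()},
            "motives": motives, "untagged": untagged}

def coverage_gaps(detections):
    """Tactics covered in one cloud domain but absent from the other."""
    cov = map_motives(detections)["coverage"]
    infra, ws = set(cov.get("infrastructure", {})), set(cov.get("workspace", {}))
    return {"infrastructure_only": sorted(infra - ws), "workspace_only": sorted(ws - infra)}
```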
The Outcome
The project created a public research artifact connecting enterprise cloud detection data to cloud SOC maturity, detection taxonomy, and cloud-native security operations. It also established a clear bridge from classic SIEM modernization to David's later AI-augmented detection engineering and multi-agent SOC workflow work.
Research Outcomes
Alert Trust
Reduced noise and improved signal quality for IAM and access-control alerts
Operational Clarity
Translated complex security data into clearer operating views
Stakeholder Visibility
Made technical risk and status easier to explain
Operational Impact
Turned raw telemetry into actionable security intelligence
Capabilities Demonstrated
Security Analytics
Signal investigation and event analysis
SIEM Alert Debugging
Noise reduction and signal validation
Executive Reporting
Security data translated for leadership
Telemetry Normalization
Consistent and trusted data
IAM / Access Control
Identity telemetry and access insights
Dashboard Development
Operational and executive views
Operational Reporting
Actionable views for security operations
Public-Safe Evidence
Shareable insights without sensitive data
Key Deliverables
- CloudNativeSecurityCon North America 2023 conference presentation
- Mapping Motives Tells a Story research narrative
- Analysis of approximately 2,000 enterprise cloud detections
- Cloud detection motive-mapping framework
- Cloud SOC maturity interpretation
- Cloud infrastructure and workspace detection framing
- ATT&CK-style detection reasoning and taxonomy narrative
- Devo cloud-native SIEM thought-leadership support
Tools & Technologies
Consulting Translation
The reusable pattern is not Disney-specific: normalize fragmented security telemetry, debug low-signal alert behavior, build trusted operating views, and give leadership evidence they can act on without exposing sensitive systems.