David Wolf · Project Use Case
AI SECURITY · PRODUCT SECURITY · DEVO
Devo
Security Research & Conference Program
A public security research program turning SIEM deployment analysis, cloud detection patterns, architecture innovation, and SOC maturity findings into...
Developed and contributed to Devo security research that converted customer deployment analysis, SIEM maturity patterns, detection taxonomy work, cloud-native security findings, and architecture innovation into conference-grade...

Client
Devo
Engagement Type
Full-Time security research and architecture innovation role
Period
2022–2023
Role
Security Research Engineer - Architecture Innovation
Focus Areas
Security Research, Conference Speaking, RSA Conference Research, Infosecurity Europe Research
Consulting Proof
This is evidence of turning private deployment observations into public-safe research: patterns identified across customer and MSSP environments, detection content judged on whether practitioners could adopt it, and findings framed for practitioners rather than as product marketing.
The Context
Security research inside a cloud SIEM company is most useful when it reflects real deployment patterns. Devo's customer and MSSP environments provided a practical window into SOC maturity, cloud detection growth, taxonomy gaps, and architecture debt.
The Challenge
The challenge was extracting public research from private operational reality. The work needed to identify patterns without exposing customers, and it needed to be useful to practitioners rather than sounding like product marketing.
What David Did
David analyzed deployment patterns, detection content, taxonomy structures, architecture gaps, and cloud-native detection trends, converting those findings into research narratives and conference-ready material.
- Analyzed hundreds of enterprise and MSSP SIEM deployments to identify recurring architecture, taxonomy, detection, onboarding, and maturity patterns
- Converted deployment observations into research themes that could support conference submissions and public security narratives
- Connected Devo architecture innovation work to broader SOC modernization questions around ingestion, normalization, detection content, cloud telemetry, and analyst workflow
- Standardized language around SIEM maturity so customer reality could be compared across deployments without exposing customer-specific details
- Used detection taxonomy and Exchange validation work to identify where detection content was usable, confusing, duplicative, weakly mapped, or operationally hard to adopt
- Developed research narratives around cloud-native detections, cloud controls, attacker motives, SOC maturity, and evolving detection-engineering requirements
- Translated technical findings into conference-ready talks, abstracts, speaker narratives, and public thought leadership
- Balanced product relevance with research credibility by grounding claims in deployment patterns rather than unsupported marketing language
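Two of the steps above, checking detection content for duplicative or weakly mapped rules and comparing deployments without exposing who they belong to, are concrete enough to show in code. The script below is an added illustration written for this page, not Devo code or Devo Exchange content: the rule set, the deployment names, the ATT&CK mappings and the HMAC key are all constructed. It flags rules whose logic collapses to the same normalized string, rules with no mapping, and rules mapped only to a tactic, then reports technique coverage per deployment under a keyed pseudonym and reduces that to band counts, which is the only view safe to publish.

```python
"""Added illustration: audit detection content for duplicates and weak
ATT&CK mappings, then summarize per-deployment coverage in a form that can
be shared without naming customers. Constructed data, not Devo content."""
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample rules. Each rule records the deployment it came from and
# its ATT&CK mapping; "attack" entries are techniques (T1059.001) or tactics
# (TA0003). None of this is real customer or Devo Exchange content.
RULES = [
    {"id": "r1", "deployment": "acme", "logic": "process == powershell.exe and cmdline contains -enc", "attack": ["T1059.001"]},
    {"id": "r2", "deployment": "acme", "logic": "process == powershell.exe AND  cmdline CONTAINS -enc", "attack": ["T1059.001"]},
    {"id": "r3", "deployment": "globex", "logic": "event == user_added and group == administrators", "attack": ["TA0003"]},
    {"id": "r4", "deployment": "globex", "logic": "dns.query endswith .xyz", "attack": []},
    {"id": "r5", "deployment": "initech", "logic": "event == PutBucketAcl and acl == public-read", "attack": ["T1530"]},
]

TECHNIQUE = re.compile(r"^T\d{4}(\.\d{3})?$")  # technique or sub-technique ID
TACTIC = re.compile(r"^TA\d{4}$")               # tactic ID only


def normalize_logic(logic: str) -> str:
    """Collapse case and whitespace so near-identical rules compare equal."""
    return " ".join(logic.lower().split())


def audit_rules(rules):
    """Flag duplicate logic, unmapped rules, tactic-only mappings and bad IDs."""
    findings = defaultdict(list)
    seen = {}  # normalized logic -> id of the first rule that used it
    for r in rules:
        key = normalize_logic(r["logic"])
        if key in seen:
            findings["duplicate"].append((r["id"], seen[key]))
        else:
            seen[key] = r["id"]
        mappings = r["attack"]
        if not mappings:
            findings["unmapped"].append(r["id"])
        elif all(TACTIC.match(m) for m in mappings):
            findings["weakly_mapped"].append(r["id"])  # tactic, no technique
        elif not all(TECHNIQUE.match(m) or TACTIC.match(m) for m in mappings):
            findings["invalid_mapping"].append(r["id"])
    return dict(findings)


def pseudonym(deployment: str, key: bytes) -> str:
    """Keyed hash so one deployment can be tracked across analysis runs
    without its name. Whoever holds the key can re-link names, so the
    pseudonym is internal working data, not publishable output."""
    return hmac.new(key, deployment.encode(), hashlib.sha256).hexdigest()[:12]


def coverage_by_deployment(rules, key=b"constructed-internal-key"):
    """Percent of each deployment's rules mapped to at least one technique."""
    per = defaultdict(lambda: {"rules": 0, "mapped": 0})
    for r in rules:
        p = per[pseudonym(r["deployment"], key)]
        p["rules"] += 1
        if any(TECHNIQUE.match(m) for m in r["attack"]):
            p["mapped"] += 1
    return {k: round(100 * v["mapped"] / v["rules"]) for k, v in per.items()}


def publishable_distribution(coverage):
    """Bucket deployments into coverage bands; only the band counts are shared."""
    bands = defaultdict(int)
    for pct in coverage.values():
        band = "low" if pct < 34 else "mid" if pct < 67 else "high"
        bands[band] += 1
    return dict(bands)


if __name__ == "__main__":
    print(audit_rules(RULES))
    print(publishable_distribution(coverage_by_deployment(RULES)))
```

On the constructed set, r2 is reported as a duplicate of r1 (same logic modulo case and spacing), r3 as weakly mapped and r4 as unmapped; the three deployments land at 100, 0 and 100 percent technique coverage, and only the band counts (two high, one low) would go into a talk. The band thresholds are an arbitrary choice for the illustration; the point is that per-deployment numbers, even pseudonymized, can still be re-identified by anyone who knows a customer's rule count, so the aggregate is what leaves the building.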
The Outcome
The program showed how architecture work, customer deployment analysis, and detection engineering can become credible public security research. It strengthened David's position as a security researcher who can convert messy SOC reality into useful market-facing insight.
Research Outcomes
Detection Content Quality
Identified detection content that was duplicative, weakly mapped, or operationally hard to adopt
Comparable Maturity Language
Standardized SIEM maturity terms so deployments could be compared without exposing customer-specific details
Research Credibility
Grounded conference talks and abstracts in deployment patterns rather than marketing language
Research Reach
Supported research narratives for RSA Conference, Infosecurity Europe, and CloudNativeSecurityCon
Capabilities Demonstrated
Deployment Pattern Analysis
Recurring architecture, taxonomy, onboarding, and maturity patterns across enterprise and MSSP SIEM deployments
Detection Content Review
Taxonomy and Exchange validation work to judge whether detection content is usable and adoptable
SIEM Maturity Framing
Standardized language for comparing deployments
Cloud-Native Detection Research
Cloud telemetry, cloud controls, and evolving detection-engineering requirements
Architecture Innovation
Ingestion, normalization, detection content, and analyst-workflow questions in SOC modernization
Conference Speaking
Talks, abstracts, and speaker narratives
Research Writing
Public thought leadership grounded in deployment evidence
Public-Safe Evidence
Shareable insights without sensitive data
Key Deliverables
- Security research program contributions
- Conference research narratives
- RSA-oriented research support
- Infosecurity Europe-oriented research support
- CloudNativeSecurityCon research support
- SIEM maturity findings
- Cloud detection research narratives
- Detection taxonomy and architecture research framing
Consulting Translation
The reusable pattern is not Devo-specific: standardize how deployments are described, judge detection content on whether practitioners can actually adopt it, and publish the patterns as evidence without exposing the customers behind them.