David Wolf · Project Use Case
AI SECURITY · PRODUCT SECURITY · DEVO
Devo
SIEM Reference Architecture, Taxonomy & Detection Validation

Client
Devo
Engagement Type
Full-time research and architecture innovation role
Period
2022–2023
Role
Security Research Engineer - Architecture Innovation
Focus Areas
SIEM Reference Architecture, Detection Taxonomy, Devo Exchange Validation, Enterprise SIEM Deployment Analysis
Consulting Proof
This is evidence of turning messy security telemetry into explainable dashboards, alert-quality improvements, and executive-ready operating views.
The Context
SIEM modernization is not just a storage or query problem. Customers need ingestion patterns, normalization, detection taxonomy, validated content, triage workflows, cloud telemetry, and migration guidance that reflect how SOC teams actually operate.
The Challenge
Every enterprise and MSSP deployment carries different telemetry, naming, coverage, maturity, and legacy-SIEM baggage. The challenge was to identify repeatable patterns and turn them into architecture guidance without hiding the complexity that customers face.
What David Did
At Devo, David worked in architecture innovation, analyzing hundreds of deployments, redesigning reference architectures, standardizing detection taxonomy, validating Exchange detections, and identifying SOC maturity patterns that could inform customers and product teams.
- Analyzed hundreds of enterprise and MSSP SIEM deployments to identify maturity patterns, architecture gaps, onboarding challenges, and detection-engineering practices
- Redesigned or contributed to SIEM reference architectures that clarified how customers should structure ingestion, parsing, normalization, detection content, enrichment, triage, and reporting
- Standardized detection taxonomy so analytics, detections, Exchange content, and customer workflows could be organized and compared more consistently
- Validated Devo Exchange detections against practical customer and SOC requirements, looking for usability, alignment, coverage, and operational value
- Mapped cloud-native detection needs across infrastructure, SaaS workspace, identity, and provider-specific telemetry sources
- Connected architecture guidance to migration patterns from legacy SIEM environments into Devo
- Used security research, deployment analysis, and customer-pattern mining to identify what mature SIEM programs actually did differently
- Supported creation of reusable narratives for customer-facing architecture guidance, analyst education, and conference research
The Outcome
The project created a bridge between customer deployment reality, product architecture, detection validation, and public security research. It remains one of the clearest examples of David's ability to turn messy operational security data into reusable architecture and market-facing insight.
Research Outcomes
Alert Trust
Reduced noise and improved signal quality for IAM and access-control alerts
Operational Clarity
Translated complex security data into clearer operating views
Stakeholder Visibility
Made technical risk and status easier to explain
Operational Impact
Turned raw telemetry into actionable security intelligence
Capabilities Demonstrated
Security Analytics
Signal investigation and event analysis
SIEM Alert Debugging
Noise reduction and signal validation
Telemetry Normalization
Consistent and trusted data
IAM / Access Control
Identity telemetry and access insights
Dashboard Development
Operational and executive views
Executive Reporting
Security data translated for leadership
Operational Reporting
Actionable views for security operations
Public-Safe Evidence
Shareable insights without sensitive data
Key Deliverables
- SIEM reference architecture guidance
- Detection taxonomy standardization
- Devo Exchange detection validation support
- Enterprise and MSSP deployment maturity analysis
- Legacy SIEM migration pattern analysis
- Cloud-native detection architecture guidance
- Customer deployment research findings
- SOC maturity pattern narrative
Consulting Translation
The reusable pattern is not Disney-specific: normalize fragmented security telemetry, debug low-signal alert behavior, build trusted operating views, and give leadership evidence they can act on without exposing sensitive systems.