Andrey Pautov

Threat Intelligence Research Engineer · XPLG

Tel Aviv, Israel

Professional Summary

Cybersecurity researcher and CTI-to-detection practitioner with institutional experience across commercial security engineering (XPLG, enterprise security data platform) and government information security (Israel Police Cyber Defence Unit). I profile adversary behavior, map TTPs to ATT&CK-aligned detection candidates, write hunting hypotheses, and produce structured detection backlog items from raw intelligence. Parallel to institutional roles, I maintain a public research portfolio of 150+ articles, eight Docusaurus field guides, and a library of Python security tools covering malware analysis, CTI engineering, cloud security, and OpenCTI platform operations. AI tooling handles throughput work — collection, enrichment, tagging — with mandatory analyst review at every judgment point.

Employment

Threat Intelligence Research Engineer

XPLG — Enterprise Security Data Platform · Turn Data Into Action™

May 2025 – Present · ~1 yr · Full-time · Current

Tel Aviv District, Israel

  • Developing log-based detection use cases by mapping adversary TTPs to available telemetry, parser fields, anomaly detection logic, and SOC investigation workflows.
  • Translating threat intelligence findings into actionable detection content and operational guidance for security data teams.
  • Bridging CTI research and detection engineering within a commercial security data platform context.
Log-based detection · TTP mapping · SIEM / security data · SOC workflows · CTI-to-detection

Head of Red Team — Cyber Defence Unit

Israel Police — Cyber Defence Unit

Jul 2023 – May 2025 · 1 yr 11 mos · Full-time

Jerusalem · On-site

  • Led offensive security and red-team-oriented research, including adversary behavior analysis, attack simulation, and security validation within a national law-enforcement context.
  • Translated offensive tradecraft into defensive outputs: detection ideas, telemetry requirements, investigation paths, and security hardening guidance.
  • Produced technical research, hands-on labs, and practical security documentation for defenders and SOC-oriented teams.
Offensive security research · Red team — defensive output · Adversary behavior analysis · Security validation · Malware analysis · Vulnerability research

Independent Cybersecurity Researcher & Technical Author

Self-employed · Medium portfolio

Oct 2024 – Present · Ongoing · Parallel · Active

Israel / Remote

  • Maintaining a public cybersecurity research portfolio of 150+ articles and eight Docusaurus field guides focused on turning threat intelligence into practical defensive outcomes.
  • Publishing evidence-labeled CTI assessments, ATT&CK mapping, attack-chain reconstruction, adversary emulation labs, detection engineering logic, and SIEM/logging guidance.
  • Research topics include CTI-led defensive strategy, APT-style kill chain analysis, Kubernetes and cloud-native threat landscapes, AI-assisted offensive security, and red-team simulations with defender-oriented logging lessons.
CTI assessments · ATT&CK mapping · Detection engineering · Cloud / Kubernetes · 150+ articles · 8 field guides

Security Tools Developer

Self-employed

Sep 2022 – Present · Ongoing · Parallel · Active

Israel · Remote

  • Building practical tools for cybersecurity automation, investigation, detection engineering, malware and static analysis, and security lab workflows.
  • Tools cover log analysis, IOC enrichment, file inspection, threat research, detection validation, and repeatable security experiments.
  • Primary languages: Python, Bash, C/C++, JavaScript.
Python · Bash · C / C++ · JavaScript · Malware / static analysis · IOC enrichment

Prior Service

Special Forces Paramedic-Fighter

Israel Ministry of Public Security · Full-time

Mar 2016 – Jul 2023 · 7 yr 5 mos

Paramedic

Magen David Adom · Full-time

Jul 2011 – Mar 2016 · 4 yr 9 mos

Skills & Tools

CTI & Threat Intelligence

  • CTI assessments and actor profiling
  • Attribution methodology & confidence language
  • Infrastructure pivoting (passive DNS, TLS, ASN, WHOIS)
  • ATT&CK mapping & gap analysis
  • PIR / SIR development
  • Kill chain analysis
  • Threat actor profiling & OSINT
  • Source reliability frameworks

Detection Engineering

  • Hunting hypothesis development
  • Sigma-compatible detection rules
  • Atomic and correlation-based detection
  • Log source and telemetry mapping
  • SIEM / XDR detection logic
  • YARA rule development
  • Detection handoff reporting
  • Detection backlog management

Platforms & Tooling

  • OpenCTI (operations, connectors, STIX workflows)
  • MITRE ATT&CK Navigator
  • VirusTotal, Shodan, passive DNS tools
  • CVSS v4.0 scoring & prioritization
  • CVSS-BTE, KEV, EPSS
  • Frida dynamic instrumentation
  • Terraform, Kubernetes

Malware Analysis

  • Static PE analysis (imports, strings, FLIRT)
  • Android APK static analysis
  • YARA rule generation from samples
  • Frida-based dynamic analysis
  • CFG analysis & unpacking detection
  • Import table & string triage
  • Candidate ATT&CK mapping from behavior

Programming & Automation

  • Python (primary — analysis, automation, tooling)
  • Bash scripting
  • C / C++ (malware analysis context)
  • JavaScript
  • AI-assisted analysis workflows
  • Multi-LLM routing and model orchestration

Cloud & Infrastructure

  • Kubernetes threat research & detection
  • AWS and GCP security posture
  • Terraform lab environments
  • Container and cloud-native attack paths
  • Audit log analysis and detection
  • Cloud misconfiguration research

Contact

Get in touch

Email is the fastest way to reach me. LinkedIn is best for professional context.

Portfolio

The main portfolio page lists flagships, review paths, articles, tools, and Docusaurus documentation sites.