Andrey Pautov

CTI-to-detection practitioner. Threat Intelligence Research Engineer.

Identity

CTI-to-detection analyst with 3+ years across government cyber defence (Israel Police Cyber Defence Unit) and commercial security engineering (XPLG). Profiles adversary infrastructure, reconstructs kill chains, and maps TTPs to ATT&CK-aligned detection candidates. Builds tooling to automate the mechanical parts of CTI triage, malware analysis, and cloud attack simulation.

Shipped 10+ open-source tools: AIDebug (Capstone + FLIRT + CFG + Frida + INetSim, 8 behavioral pattern detectors, SIEM-ready JSON output), stratus-ai (9 AWS + 7 GCP attack simulation modules, 125-test suite, ECS Fargate / Cloud Run), cvss_4.0 (CVSS-BTE + CISA KEV + EPSS, 6 asset-context profiles), and supporting malware, cloud, and CTI tooling. Published 150+ articles and 8 Docusaurus field guides on CTI tradecraft, detection engineering, malware analysis, and cloud security.

Professional Experience

Threat Intelligence Research Engineer

May 2025 – Present

XPLG — Enterprise Security Data Platform · Tel Aviv, Israel

  • Maps adversary TTPs (Iran-nexus campaigns, hacktivist clusters, cloud-native threats) to XPLG platform telemetry fields; produces log-based detection use cases covering endpoint, network, and cloud audit log sources.
  • Translates CTI assessments into Sigma-compatible detection content, hunting hypotheses, and analyst-ready investigation guides scoped to enterprise SIEM and XDR deployment contexts.
  • Builds and documents CTI enrichment workflows covering parser field mapping, anomaly detection logic, and structured threat reporting pipelines for security operations teams.

Head of Red Team — Cyber Defence Unit

Jul 2023 – May 2025

Israel Police — Cyber Defence Unit · Jerusalem, On-site

  • Directed red-team assessments against national law-enforcement infrastructure: reconnaissance, vulnerability chaining, privilege escalation, lateral movement, and attack-path validation in sensitive operational environments.
  • Converted offensive findings into structured defensive intelligence: detection hypotheses mapped to observed attacker behavior, telemetry coverage gap analysis, hardening recommendations, and incident response runbooks.
  • Produced adversary behavior research and hands-on lab environments used by blue team and SOC personnel for detection development and threat hunting training.

Independent Cybersecurity Researcher & Technical Author

Oct 2024 – Present

Self-employed · Israel, Remote

  • Published 150+ articles on CTI tradecraft, detection engineering, malware analysis, cloud security, and security tooling — covering actor-level threat research, detection methodology, and operational tool walkthroughs.
  • Shipped 10+ open-source tools on GitHub including AIDebug, stratus-ai, cvss_4.0, Static Malware Orchestrator, Android Malware Analysis, and PE-Import-Analyzer.
  • Maintains 8 Docusaurus knowledge bases: CTI Analyst Field Manual, Israel Gov Threat Actors CTI, Customer-Driven AI CTI Project, OpenCTI Intelligent Shield, and CVSS v4.0 Field Guide.

Selected Projects

  • MuddyWater / Seedworm: Evidence-labeled actor assessment. 14 ATT&CK TTPs mapped (T1053.005, T1059.005, T1071.001, T1090.001, T1497.003, T1566.001, T1574.002 + 7 more). 7 malware samples analyzed (MD5: 7415d6ba…, SHA256: b154d3fd…). Detection candidates per kill chain stage.
  • Israel Gov. Threat Actors CTI: Public-source sector CTI with 10+ actor profiles. Handala cluster: 22+ confirmed hashes (MD5: 1476f9f4…, SHA256: 3c9dc8ad…); T1003.001, T1505.003, T1567.002, T1585.001 mapped. ASN reuse → passive DNS → crt.sh → 14 additional hosts confirmed.
  • CTI Analyst Field Manual: Docusaurus tradecraft reference covering evidence labeling, source reliability, confidence tiering, attribution methodology, infrastructure pivoting, ATT&CK candidate mapping, and hunting hypotheses.
  • AIDebug: Malware RE walker (Capstone, FLIRT, CFG, Frida, INetSim), 8 behavioral pattern detectors, SIEM-ready JSON output. Real sample: Authenticator.exe (DearStealer), MD5: c6ab7265…; T1056.001, T1547.001, T1555.003, T1573.001 mapped.
  • stratus-ai: Cloud attack simulation platform with 9 AWS + 7 GCP modules (CloudTrail evasion, privilege escalation, lateral movement, data exfil), 125-test suite, ECS Fargate / Cloud Run deployment.
  • OpenCTI Intelligent Shield: CTI platform engineering covering connector design, STIX 2.1 object workflows, enrichment source confidence management, feed integration, and analyst gate logic.
  • cvss_4.0: CVSS 4.0 enrichment tool with CVSS-BTE scoring, CISA KEV lookup, EPSS probability, and 6 asset-context profiles. Context delta example: base 9.8 → 6.2 after OT profile + KEV absence.
  • PE-Import-Analyzer: LIEF-based Windows PE import triage. Classifies APIs by risk class (CRITICAL / SUSPICIOUS / UNCOMMON), flags injection-pattern sequences, and outputs structured JSON for analyst or LLM ingestion.
  • Operation DragonRx Lab: APT41 pharmaceutical-sector attack simulation lab. Log4Shell initial access (CVE-2021-44228) → Sliver C2 → Active Directory lateral movement → LSASS dump. Dual-layer detection: Wazuh + Zeek + Elastic. Published lab architecture and full attack playbook.
  • Vulnerable Infrastructure Labs: 10+ purpose-built attack labs: GCP + AWS Terraform environments (vulnerable-cloud-lab), 25-misconfiguration Kubernetes lab, IIS/SharePoint/Fluent Bit lab, vulnerable Windows 10 + Active Directory domain, Ubuntu 24.04 lab, DVWA (Ansible-automated), deliberately vulnerable Android app (all OWASP Mobile Top 10), Vulnerable AI Lab (RAG/LLM attack surfaces).

Skills

  • CTI Tradecraft: ATT&CK Navigator · passive DNS · OSINT pivoting · confidence tiering · PIR/SIR frameworks · kill chain reconstruction · attribution methodology · Shodan · Censys · crt.sh · MITRE D3FEND
  • Detection Engineering: Sigma · YARA · hunting hypothesis development · telemetry field mapping · detection backlog construction · log-based use case design · SIEM / XDR rule logic
  • Malware Analysis: Capstone · FLIRT · Frida · INetSim · LIEF · static PE/ELF analysis · APK analysis · CFG extraction · behavioral pattern detection · import table triage
  • Cloud Security: AWS CloudTrail · GCP Audit Log · Kubernetes threat modeling · ECS Fargate · Cloud Run · Terraform · attack simulation · container attack paths
  • CTI Platforms & Tooling: OpenCTI · STIX 2.1 · MISP · connector engineering · NVD API · CISA KEV · EPSS · Python · Bash · C/C++ · PowerShell · Linux

Research & Publications

Education, Earlier Career & Languages