David Sarkisyan

Cybersecurity Analyst + Defensive Tool Builder

New York City

Top 1% TryHackMe · Published on PyPI · Upstream fixes to Elastic, SigmaHQ, Splunk

I came up through healthcare IT and the embryology lab, where a small mistake has real consequences. Now I build defensive tools, ship fixes upstream, and document identity, endpoint, detection, and network work in a way another analyst can act on.

STIGPilot turns dense releases into assigned work.

Published tool, built from a real workflow problem.

  • Install locally, compare releases, write the ticket.
  • Why dense XML hides the real change.
  • Output: brief, backlog, checklist.
  • Use: Jira and ServiceNow handoff.

A small CLI for one real problem: compare the release, keep the reason beside the action, and make the next step easier to assign.

TryHackMe Top 1%, 121 rooms: hands-on rooms, practice notes, and steady repetition.
Published tool: STIGPilot on PyPI.
Open source: Elastic, SigmaHQ, LLMForge, Splunk PRs.

Track record

Proof over adjectives.

Tools you can install. Fixes merged into repos teams rely on. Hands-on practice, all public.

  1. Build defensive tools
  2. Contribute upstream fixes
  3. Detections tuned and tested
  4. Documentation others can trust
TryHackMe Top 1%: 121 hands-on rooms across SOC, SIEM, EDR, and blue-team practice.

Upstream PRs: 4 merged and open fixes to Elastic, SigmaHQ, Splunk, and LLMForge.

Shipped: 15 public tools, labs, and case studies on GitHub, including STIGPilot on PyPI.
  • Identity cleanup: do not remove access from one stale timestamp.
  • STIGPilot: turn dense compliance changes into work people can assign.
  • Detection handoff: make the next analyst's question easier to answer.

Selected work

A few pieces worth starting with, plus the full archive when you want the rest.

Primary case: Network

Home Network Security Control Plane

Production-style HomeNet operations

Firewall policy, DNS control, logs, canary checks, and recovery state separated by function and tracked in a private control plane. Daily-use home network run like a production environment.

OPNsense · Proxmox · Control view · Recovery
question: can daily network operations stay visible without adding an inline bottleneck?
checked: OPNsense, CrowdSec, NetBox, Uptime Kuma, Victoria, NetAlertX, OpenCanary, Trivy/Syft
control view: Homepage Mission Status, Security Snapshot, and Recovery Snapshot
decision: keep enforcement on OPNsense; stage remote access, endpoint agents, and VLANs
Identity

IdentityRiskGraph: CloudTrail IAM risk review

Detection

Splunk Detection Content: detection library

Full archive: 15 projects, labs, and contribution notes

Local lab

Browser Surface Check

A quiet browser self-check. It shows what ordinary JavaScript can see from any page you visit — the same signals used in fingerprinting, session tracking, and fraud detection. The result stays on your machine.

  • Local only.
  • No tracking.
  • No storage.
  • No network request.
  • Surface: screen, browser, timezone, language.
  • Rendering: canvas, audio, WebGL.
  • Use: compare privacy settings and browser profiles.
Open the check
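What a check like this collects, as an added example in JavaScript. This is not the page's own lab code: it reads the screen, browser, timezone and language signals ordinary page script can see, adds a canvas rendering hash when a document exists, and summarises everything with a local FNV-1a hash. Nothing is stored or sent; there is no fetch or XMLHttpRequest anywhere in it. Audio and WebGL are left out. The `env` parameter is injected only so the same code runs under Node for testing; the sample environment at the bottom is constructed and every value in it is made up.

```javascript
// Added example, not the page's own lab code. Collects the signals ordinary page
// JavaScript can read (screen, browser, timezone, language, canvas), hashes them
// locally with FNV-1a, and never makes a network request. `env` is injected so
// the same code runs in Node for testing; in a browser call collectSurface()
// with no argument and it reads the real globals.

function fnv1a(str) {
  // 32-bit FNV-1a: stable and fast; used only to summarise, never to protect.
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function canvasFingerprint(doc) {
  // Rendering check: draw fixed text and hash the pixels. Fonts, anti-aliasing
  // and GPU differ per machine, so the hash differs too. Null outside a browser.
  if (!doc || typeof doc.createElement !== "function") return null;
  const c = doc.createElement("canvas");
  const ctx = c.getContext && c.getContext("2d");
  if (!ctx) return null;
  c.width = 200; c.height = 40;
  ctx.textBaseline = "top";
  ctx.font = "14px Arial";
  ctx.fillStyle = "#f60";
  ctx.fillRect(10, 5, 80, 20);
  ctx.fillStyle = "#069";
  ctx.fillText("surface-check", 2, 15);
  return fnv1a(c.toDataURL());
}

function collectSurface(env = globalThis) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  const dtf = env.Intl && env.Intl.DateTimeFormat;
  const tz = typeof dtf === "function" ? new dtf().resolvedOptions().timeZone : null;
  return {
    screen: { width: scr.width ?? null, height: scr.height ?? null,
              depth: scr.colorDepth ?? null, dpr: env.devicePixelRatio ?? null },
    browser: { ua: nav.userAgent ?? null, platform: nav.platform ?? null,
               cores: nav.hardwareConcurrency ?? null, memoryGb: nav.deviceMemory ?? null,
               touch: nav.maxTouchPoints ?? null },
    timezone: tz,
    language: { primary: nav.language ?? null,
                all: Array.isArray(nav.languages) ? nav.languages.slice() : [] },
    canvas: canvasFingerprint(env.document),
  };
}

function summarize(surface) {
  // Canonical JSON -> hash. Two profiles with the same hash look alike to a
  // fingerprinting script; a changed hash shows that a setting moved the needle.
  const json = JSON.stringify(surface);
  return { hash: fnv1a(json), bytes: json.length };
}

// Constructed environment standing in for a real browser, used only so the
// example runs under Node. Every value here is made up.
const sampleEnv = {
  navigator: { userAgent: "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", platform: "Linux x86_64",
               hardwareConcurrency: 8, language: "en-US", languages: ["en-US", "en"], maxTouchPoints: 0 },
  screen: { width: 1920, height: 1080, colorDepth: 24 },
  devicePixelRatio: 1,
  Intl: { DateTimeFormat: function () { return { resolvedOptions: () => ({ timeZone: "America/New_York" }) }; } },
};
```

To compare two browser profiles, run `summarize(collectSurface())` in each and compare the hashes; to see which signal differs, diff the two surface objects rather than the hashes. The canvas value is only meaningful in a real browser, so a null there is expected under Node.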

Method

Before I trust the result.

A finding is only useful after it holds up under scrutiny. My approach is simple: read the system, compare what changed, avoid early conclusions, and leave a cleaner note behind.

  1. Identity cleanup

    Do not remove access from one stale timestamp.

    Seen
    Old device activity in Entra ID.
    Check
    Interactive sign-ins, owner context, join type, management status, and dry-run output.
    Avoid
    Disabling access before person and device context agree.
    Leave
    Dry-run list with review, owner, and approval notes.
    Read the lapse case
  2. Detection triage

    Persistence needs a maintenance check.

    Seen
    A scheduled task is created or changed.
    Check
    Task action, author, run context, binary path, parent process, recent logons, and maintenance windows.
    Avoid
    Calling normal endpoint management activity malicious too early.
    Leave
    Triage note with host, user, command line, and tuning detail.
    Open detection notes
  3. Browser review

    Exposure is not the same as compromise.

    Seen
    A browser or LMS workflow reveals more surface than expected.
    Check
    What JavaScript can observe, what leaves the page, account context, screenshots, and permission boundaries.
    Avoid
    Turning a privacy concern into a security claim without evidence.
    Leave
    Local-only surface note with plain-language risk boundaries.
    Open the local lab
  4. Network controls

    Convenience changes the attack path.

    Seen
    A home or lab service needs easier access.
    Check
    Ingress rules, DNS, firewall policy, admin surface exposure, backups, and recovery path.
    Avoid
    Publishing management panels just to make monitoring easier.
    Leave
    Control note with exposed surface, recovery path, and deferred work.
    Read the network case
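The identity cleanup rule above (do not remove access from one stale timestamp), worked as an added JavaScript example. This is not the author's lapse tool. It runs a dry-run over device records and the owner's interactive sign-ins and only marks a device a removal candidate when the device-side and person-side context agree; one stale timestamp on its own produces a review line, never a disable. Field names are loosely modelled on Microsoft Graph device and sign-in attributes but are an assumption of this example, not a verified API shape; the 90-day window and all sample records are constructed.

```javascript
// Added example, not the author's lapse tool. Dry-run review of stale devices in
// a directory: a device becomes a removal candidate only when the device-side
// and person-side signals agree; one old timestamp alone earns a review line,
// never a disable. Field names are loosely modelled on Microsoft Graph device
// and sign-in attributes but are assumptions here, not a verified API shape.

const DAY_MS = 86_400_000;

function daysSince(iso, nowMs) {
  return iso ? Math.floor((nowMs - Date.parse(iso)) / DAY_MS) : null;
}

function reviewDevice(device, ownerSignIns, nowMs, staleDays = 90) {
  // device: { displayName, approximateLastSignIn, trustType, isManaged, owner }
  // ownerSignIns: the owner's interactive sign-ins, [{ user, deviceName, at }]
  const deviceAge = daysSince(device.approximateLastSignIn, nowMs);
  const reasons = [];
  if (deviceAge === null) reasons.push("device has never reported a sign-in");
  else if (deviceAge >= staleDays) reasons.push(`device last seen ${deviceAge}d ago`);

  // Person context: the owner's latest interactive sign-in from this device.
  const ages = ownerSignIns.filter(s => s.deviceName === device.displayName)
                           .map(s => daysSince(s.at, nowMs));
  const latestInteractive = ages.length ? Math.min(...ages) : null;

  let decision;
  if (deviceAge !== null && deviceAge < staleDays) {
    decision = "keep"; reasons.push("device active inside the window");
  } else if (!device.owner) {
    decision = "review"; reasons.push("no registered owner; find the accountable person first");
  } else if (latestInteractive !== null && latestInteractive < staleDays) {
    decision = "hold"; reasons.push(`owner signed in interactively from it ${latestInteractive}d ago; device timestamp is misleading`);
  } else if (device.trustType === "AzureAd" && device.isManaged) {
    decision = "candidate"; reasons.push("joined and managed; confirm in MDM inventory before any disable");
  } else {
    decision = "review"; reasons.push(`join type ${device.trustType}, managed=${device.isManaged}; needs owner confirmation`);
  }
  // One row of the dry-run list: review detail, owner, and an empty approval slot.
  return { device: device.displayName, owner: device.owner || "(none)", decision, reasons, approvedBy: null };
}

function dryRun(devices, signIns, nowMs) {
  // Nothing here disables anything; it only produces the list to review.
  const byOwner = new Map();
  for (const s of signIns) {
    if (!byOwner.has(s.user)) byOwner.set(s.user, []);
    byOwner.get(s.user).push(s);
  }
  return devices.map(d => reviewDevice(d, byOwner.get(d.owner) || [], nowMs));
}

// Constructed sample data (made up for this example).
const NOW = Date.parse("2024-06-01T00:00:00Z");
const sampleDevices = [
  { displayName: "LAB-WS-01", approximateLastSignIn: "2024-01-10T08:00:00Z", trustType: "AzureAd",   isManaged: true,  owner: "ana@example.com" },
  { displayName: "LAB-WS-02", approximateLastSignIn: "2024-01-12T08:00:00Z", trustType: "AzureAd",   isManaged: true,  owner: "ben@example.com" },
  { displayName: "BYOD-03",   approximateLastSignIn: "2024-02-01T08:00:00Z", trustType: "Workplace", isManaged: false, owner: "cara@example.com" },
  { displayName: "OLD-04",    approximateLastSignIn: null,                   trustType: "ServerAd",  isManaged: false, owner: null },
  { displayName: "LAB-WS-05", approximateLastSignIn: "2024-05-28T08:00:00Z", trustType: "AzureAd",   isManaged: true,  owner: "dan@example.com" },
];
const sampleSignIns = [
  { user: "ben@example.com", deviceName: "LAB-WS-02", at: "2024-05-20T09:30:00Z" }, // device stamp stale, owner still uses it
  { user: "ana@example.com", deviceName: "LAB-WS-09", at: "2024-05-30T09:30:00Z" }, // owner active, but on another device
];
```

The case worth noticing is LAB-WS-02: its device timestamp is well past the window, but the owner signed in from it interactively eleven days ago, so it lands on hold rather than in the candidate list. The `approvedBy` field stays null on every row; filling it is a person's job after the review, not the script's.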
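The detection triage item above (a scheduled task is created or changed; persistence needs a maintenance check), worked as an added JavaScript example. This is not the author's Splunk content. It scores the checks the note lists (task action binary path, author, run context, parent process, recent logons, maintenance window) and suppresses only when management author, management parent and maintenance window all agree and nothing high-risk is in the command line. The event shape, the management allow-list, the maintenance window and the three sample events are all assumptions constructed for the example.

```javascript
// Added example, not the author's detection content. Triage for "a scheduled
// task is created or changed": score the checks the note lists, then suppress
// only when management author, management parent and maintenance window all
// agree and nothing high-risk is in the command line. The event shape, the
// allow-list and the window are assumptions for this example.

// Assumed fleet knowledge: who may create tasks, from what, and when.
const MANAGEMENT = {
  authors: new Set(["NT AUTHORITY\\SYSTEM", "CORP\\svc-sccm"]),
  parents: new Set(["ccmexec.exe", "msiexec.exe", "mmc.exe"]),
  windowUtc: { startHour: 2, endHour: 5 },          // nightly maintenance, 02:00-05:00 UTC
  trustedRoots: ["c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\"],
};

function inMaintenanceWindow(iso) {
  const h = new Date(iso).getUTCHours();
  return h >= MANAGEMENT.windowUtc.startHour && h < MANAGEMENT.windowUtc.endHour;
}

function actionBinary(action) {
  // First token of the task action, honouring a quoted path with spaces.
  const m = action.match(/^"([^"]+)"|^(\S+)/);
  return m ? (m[1] || m[2]) : action;
}

function triageTaskEvent(ev) {
  // ev: { host, user, author, runAs, taskName, action, parent, time, recentLogons }
  const findings = [];
  const parentExe = ev.parent.toLowerCase().split("\\").pop();
  const exe = actionBinary(ev.action);
  const authorIsMgmt = MANAGEMENT.authors.has(ev.author);
  const parentIsMgmt = MANAGEMENT.parents.has(parentExe);

  if (!MANAGEMENT.trustedRoots.some(r => exe.toLowerCase().startsWith(r)))
    findings.push(`action binary outside trusted roots: ${exe}`);
  if (/powershell|cmd\.exe|wscript|mshta|rundll32/i.test(ev.action))
    findings.push("LOLBin in task action");
  if (/-enc\b|frombase64|downloadstring|\biex\b/i.test(ev.action))
    findings.push("encoded or download-cradle command line");
  if (ev.runAs.toUpperCase().includes("SYSTEM") && !authorIsMgmt)
    findings.push(`SYSTEM run context set by non-management author ${ev.author}`);
  if (!parentIsMgmt) findings.push(`parent ${parentExe} is not a management process`);
  if (ev.recentLogons === 0) findings.push("no interactive logon on host in 24h; created remotely or by a service");

  // Tuning rule: normal endpoint management is author + parent + window, and it
  // never needs an encoded command or a binary outside the trusted roots.
  const highRisk = findings.some(f => f.startsWith("encoded") || f.startsWith("action binary"));
  const managementExplained = authorIsMgmt && parentIsMgmt && inMaintenanceWindow(ev.time) && !highRisk;
  const verdict = managementExplained ? "suppress"
    : findings.length >= 3 ? "escalate"
    : findings.length > 0 ? "investigate" : "benign";

  // The note the next analyst gets: host, user, command line, and tuning detail.
  return {
    host: ev.host, user: ev.user, task: ev.taskName, commandLine: ev.action, verdict, findings,
    tuning: managementExplained
      ? `${ev.author} via ${parentExe} in maintenance window; candidate for a suppression filter`
      : "no suppression applies; confirm against the change record before closing",
  };
}

// Constructed sample events (made up for this example).
const sampleEvents = [
  { host: "WS-17", user: "CORP\\svc-sccm", author: "CORP\\svc-sccm", runAs: "NT AUTHORITY\\SYSTEM",
    taskName: "\\Microsoft\\Configuration Manager\\Inventory",
    action: "C:\\Windows\\CCM\\ccmeval.exe", parent: "C:\\Windows\\CCM\\ccmexec.exe",
    time: "2024-06-01T03:10:00Z", recentLogons: 0 },
  { host: "WS-22", user: "CORP\\jdoe", author: "CORP\\jdoe", runAs: "NT AUTHORITY\\SYSTEM",
    taskName: "\\Updater", action: "C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe -enc SQBFAFgA",
    parent: "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    time: "2024-06-01T14:22:00Z", recentLogons: 3 },
  { host: "SRV-03", user: "CORP\\ops-admin", author: "CORP\\ops-admin", runAs: "CORP\\ops-admin",
    taskName: "\\Backup\\Nightly", action: "\"C:\\Program Files\\Backup\\backup.exe\" --full",
    parent: "C:\\Windows\\System32\\mmc.exe", time: "2024-06-01T15:00:00Z", recentLogons: 1 },
];
```

The suppression is deliberately narrow: the nightly SCCM task is suppressed because author, parent and window all line up, but the same author and parent outside the window, or with an encoded command line, still escalates. That is the difference between a tuning filter and a blind allow-list.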

Contact

Open to defensive security work.

If you're building a defensive security team and want someone who ships real tools and leaves useful notes — reach out.

Start with STIGPilot, lapse, the open source PRs, or the home network case.

contact [at] srkyn.com
