Andrey Pautov

CTI-to-detection practitioner. Threat Intelligence Research Engineer.

Professional Summary

CTI-to-detection analyst across government cyber defence (Israel Police Cyber Defence Unit) and commercial security engineering (XPLG). Profiles adversary infrastructure, reconstructs kill chains, and maps TTPs to ATT&CK-aligned detection candidates. Builds tooling to automate the mechanical parts of CTI triage, malware analysis, and cloud attack simulation.

Strong offensive security background grounded in real operational environments — 7 years in a special reconnaissance unit (Israel Ministry of Public Security, 2016–2023) and 2 years leading red-team operations against national law-enforcement infrastructure. Offensive experience directly informs detection engineering depth: adversary behavior understood from the inside out.

Published 150+ articles and 8 Docusaurus field guides on CTI tradecraft, detection engineering, malware analysis, and cloud security — all collected at 1200km.com.

Professional Experience

Threat Intelligence Research Engineer

May 2025 – Present

XPLG — Enterprise Security Data Platform · Tel Aviv, Israel

  • Maps adversary TTPs (Iran-nexus campaigns, hacktivist clusters, cloud-native threats) to XPLG platform telemetry fields; produces log-based detection use cases covering endpoint, network, and cloud audit log sources.
  • Translates CTI assessments into Sigma-compatible detection content, hunting hypotheses, and analyst-ready investigation guides scoped to enterprise SIEM and XDR deployment contexts.
  • Builds and documents CTI enrichment workflows covering parser field mapping, anomaly detection logic, and structured threat reporting pipelines for security operations teams.

Head of Red Team — Cyber Defence Unit

Jul 2023 – May 2025

Israel Police — Cyber Defence Unit (יחידת הגנת הסייבר) · Jerusalem, on-site

  • Directed red-team assessments against national law-enforcement infrastructure: reconnaissance, vulnerability chaining, privilege escalation, lateral movement, and attack-path validation in sensitive operational environments.
  • Converted offensive findings into structured defensive intelligence: detection hypotheses mapped to observed attacker behavior, telemetry coverage gap analysis, hardening recommendations, and incident response runbooks.
  • Produced adversary behavior research and hands-on lab environments used by blue team and SOC personnel for detection development and threat hunting training.

Operator — Special Reconnaissance and Anti-Terror Unit

2016 – 2023

Israel Ministry of Public Security · Israel

  • Served 7 years as operator and fighter-paramedic in a special reconnaissance unit conducting field operations in high-threat environments.
  • Developed deep understanding of adversary tactics, operational security, and mission planning under real-world conditions — experience that directly shapes current threat actor profiling and red-team methodology.

Independent Cybersecurity Researcher & Technical Author

Oct 2024 – Present

Self-employed · Israel, Remote

  • Published 150+ articles on CTI tradecraft, detection engineering, malware analysis, cloud security, and security tooling — covering actor-level threat research, detection methodology, and operational tool walkthroughs.
  • Shipped 10+ open-source tools on GitHub, including AIDebug, stratus-ai, cvss_4.0, Static Malware Orchestrator, Android Malware Analysis, and PE-Import-Analyzer.
  • Maintains 8 Docusaurus knowledge bases, including the CTI Analyst Field Manual, Israel Gov Threat Actors CTI, Customer-Driven AI CTI Project, OpenCTI Intelligent Shield, and CVSS v4.0 Field Guide.

Skills

CTI Tradecraft: ATT&CK Navigator · passive DNS · OSINT pivoting · confidence tiering · PIR/SIR frameworks · kill chain reconstruction · attribution methodology · Shodan · Censys · crt.sh · MITRE D3FEND
Detection Engineering: Sigma · YARA · hunting hypothesis development · telemetry field mapping · detection backlog construction · log-based use case design · SIEM / XDR rule logic
Malware Analysis: Capstone · FLIRT · Frida · INetSim · LIEF · static PE/ELF analysis · APK analysis · CFG extraction · behavioral pattern detection · import table triage
Cloud Security: AWS CloudTrail · GCP Audit Log · Kubernetes threat modeling · ECS Fargate · Cloud Run · Terraform · attack simulation · container attack paths
Offensive Security: Deep knowledge — red-team operations · reconnaissance · vulnerability chaining · privilege escalation · lateral movement · adversary simulation · attack-path validation
CTI Platforms & Tooling: OpenCTI · STIX 2.1 · MISP · connector engineering · NVD API · CISA KEV · EPSS · Python · Bash · C/C++ · PowerShell · Linux

Education & Background

120+ professional certifications across threat intelligence, detection engineering, malware analysis, cloud security, and offensive security. ICU Paramedic — Magen David Adom (2011–2016). Languages: Russian — native · Hebrew — bilingual · English — professional working proficiency.