CURRENTLY HUNTING THREATS

Cyber Security Response Engineer

From clippers to KQL in 22 months. I hunt threats, respond to incidents, and build detection logic. Currently on the DART team at JUMPSEC.

Marin Gheorghe
ABOUT ME

From clippers to KQL

It all started with a casual chat in my barber's chair. One of my regular clients mentioned he worked in cybersecurity. Between trimming fades and lining edges, I asked: "How do I get into what you do?"

His advice was simple: "Learn a bit about the field, try some hands-on labs, and see if it sticks. Check out Hack The Box and INE." That moment in March 2022 lit the fuse that launched my journey.

Two years later, in January 2024, I landed my first role as a Junior Cyber Security Responder. The path included Google IT Support, AWS Cloud Practitioner, and the CAPSLOCK bootcamp, all while working as a Domino's delivery driver.

Today, I'm a Cyber Security Response Engineer at JUMPSEC, part of the Detection and Response Team (DART). I spend more time writing KQL than I ever cut hair. Hairlines to timelines, it tracks.

22 Months to Transition
5 Certifications
2+ Years in Security
EXPERTISE

What I Do

Threat Hunting

Proactively searching for threats that evade automated detection. I develop hypotheses, write custom KQL queries, and dig through logs to find what others miss.

Incident Response

When alerts fire, I investigate. From initial triage to containment and remediation, I handle security incidents across diverse customer environments.

Detection Engineering

Building and tuning analytic rules in Microsoft Sentinel. I create detection logic that catches real threats while minimizing alert fatigue.

Technical Skills

Microsoft Sentinel, KQL, Azure Security, Microsoft Defender XDR, Azure Lighthouse, Entra ID, MITRE ATT&CK, Splunk, Elastic, Wireshark, DFIR, FTK Imager
CREDENTIALS

Certifications

eCTHP (INE Security): Threat Hunting Professional
Security+ (CompTIA): Security Fundamentals
SC-200 (Microsoft): Security Operations
SC-300 (Microsoft): Identity & Access
AZ-500 (Microsoft): Azure Security

DETECTION LOGIC

KQL Arsenal

A collection of threat hunting queries and detection rules.

Lateral Movement (T1021)

Detects suspicious PSExec usage patterns.

// Event 4688 = process creation; SecurityEvent exposes the image path as NewProcessName
SecurityEvent
| where EventID == 4688
| where NewProcessName has "psexec"
| project TimeGenerated, Computer, Account, NewProcessName

#LateralMovement
C2 Beaconing (T1071)

Identifies regular interval C2 connections.

// Volume-based first pass: pairs with an unusually high number of allowed connections
CommonSecurityLog
| where DeviceAction == "allowed"
| summarize Count=count() by SourceIP, DestinationIP
| where Count > 50

#C2
Privilege Escalation (T1078)

Monitors admin group modifications.

// AuditLogs has no Actor column; the initiating identity lives in the InitiatedBy dynamic field
AuditLogs
| where OperationName has "Add member"
| where TargetResources has "Admin"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, Actor

#PrivEsc
OAuth App Consent (T1550)

Detects suspicious OAuth consent grants.

// TargetResources[0] is an object; pull the application's display name out of it
AuditLogs
| where OperationName == "Consent to application"
| extend AppName = tostring(TargetResources[0].displayName)
| project TimeGenerated, AppName

#InitialAccess
Suspicious Mail Rules (T1114)

Identifies BEC-style mailbox rules.

// Matches New-InboxRule / Set-InboxRule operations whose parameters include a forward
OfficeActivity
| where Operation has "InboxRule"
| where Parameters has "ForwardTo"
| project TimeGenerated, UserId, Operation

#Collection
MFA Gap Detection (T1556)

Finds sign-ins without MFA challenge.

// ResultType 0 = successful sign-in; SigninLogs names the user column UserPrincipalName
SigninLogs
| where ResultType == 0
| where AuthenticationRequirement == "singleFactorAuthentication"
| summarize Count=count() by UserPrincipalName

#CredentialAccess
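The C2 Beaconing card above counts connections per pair, which catches volume but not timing. As an added example (not one of the site's own queries), here is a Sentinel KQL hunt that scores interval regularity per source/destination pair instead; it assumes the CommonSecurityLog schema and the thresholds (20 intervals, jitter below 0.2) are assumed starting points to tune per environment.

```kql
// Added example, not from the site's own arsenal. Assumes Sentinel CommonSecurityLog columns.
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceAction == "allowed"
| where isnotempty(SourceIP) and isnotempty(DestinationIP)
// Sorting serializes the table so prev() returns the preceding row of the same pair
| order by SourceIP asc, DestinationIP asc, TimeGenerated asc
| extend PrevTime = prev(TimeGenerated),
         PrevSrc  = prev(SourceIP),
         PrevDst  = prev(DestinationIP)
| where SourceIP == PrevSrc and DestinationIP == PrevDst
// Seconds between consecutive connections of this pair
| extend DeltaSec = datetime_diff("second", TimeGenerated, PrevTime)
| summarize Intervals = count(),
            MeanDelta = avg(DeltaSec),
            StdDelta  = stdev(DeltaSec),
            FirstSeen = min(PrevTime),
            LastSeen  = max(TimeGenerated)
    by SourceIP, DestinationIP
// Need enough samples and a non-zero mean interval before judging regularity
| where Intervals >= 20 and MeanDelta > 0
// Coefficient of variation: low jitter means machine-regular timing, typical of beacons
| extend Jitter = round(StdDelta / MeanDelta, 3)
| where Jitter < 0.2
| project SourceIP, DestinationIP, Intervals,
          MeanDeltaSec = round(MeanDelta, 1), Jitter, FirstSeen, LastSeen
| order by Jitter asc, Intervals desc
```

Legitimate pollers (monitoring agents, update checks) also produce low jitter, so pair the output with destination reputation and process context before raising an incident.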
INSIGHTS

Writing & Research

GET IN TOUCH

Let's Connect

Whether you want to discuss threat hunting, have a security challenge, or just want to chat about the industry.