Ethan Bailey
Information Systems student at CSU San Bernardino focused on enterprise-style security labs, detection engineering, and documenting repeatable incident response workflows.
Approach
How I build and evaluate security projects in a way that mirrors practical blue-team workflows.
I build controlled lab environments to practice detection engineering, monitoring, system hardening, and segmentation in a way that reflects real enterprise operations. My focus is not just on making tools work, but on understanding how telemetry moves through an environment, how visibility is created, and how defenders can use that data to investigate suspicious activity with repeatable workflows.
Core mindset
- —Build segmented environments that reflect enterprise design.
- —Prioritize high-signal telemetry over raw event volume.
- —Document repeatable workflows for investigation and response.
Skills & Tools
Technologies and concepts I use across my lab and detection projects.
Security Operations
- —Splunk Enterprise
- —Google SecOps (Chronicle)
- —Sysmon
- —Zeek
- —Zabbix
- —MITRE ATT&CK mapping
Infrastructure & Administration
- —Proxmox VE
- —OPNsense
- —Tailscale
- —Active Directory
- —Windows Server
- —Linux and Windows VM administration
Engineering & Analysis
- —Detection engineering
- —SPL query development
- —Log pipeline tuning
- —Dashboard development
- —Threat hunting
- —System hardening through GPO
Languages & Scripting
- —PowerShell
- —Python
- —SQL
- —Bash
- —Basic automation and configuration scripting
Selected work
Technical deep-dives into defensive architecture, telemetry, and monitoring.
Architecture • Networking • Access Control
Proxmox • OPNsense • Tailscale
Segmented Security Lab Architecture
A multi-layered environment engineered for Blue Team operations. Features strict network segmentation and Zero Trust remote access across isolated management, internal, and attacker networks.
- —Built isolated lab networks using Proxmox and OPNsense with explicit firewall rules.
- —Integrated Splunk Enterprise for centralized log ingestion and investigation workflows.
- —Enabled secure remote administration through Tailscale and RDP without public-facing exposure.
Detection Engineering • Telemetry • SIEM
Splunk • Sysmon • PowerShell
Detection Engineering Pipeline
Developed custom detections using endpoint and network telemetry to identify suspicious behavior while improving signal quality for triage and investigation.
- —Ingested high-fidelity Sysmon telemetry from Windows endpoints into Splunk.
- —Authored SPL queries to detect MITRE ATT&CK-aligned behavior.
- —Improved visibility into authentication anomalies while reducing noise through telemetry tuning.
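The two authentication-anomaly rules below are an added example of the kind of detection logic this pipeline feeds; they are not code from the author's lab, and the events, hosts, addresses, account names and thresholds are all constructed. It assumes Windows Security events have been extracted into key=value fields (EventCode, TargetUserName, IpAddress, LogonType) the way a Splunk field extraction would present them, and it separates a password spray (many accounts, few tries each, MITRE ATT&CK T1110.003) from a brute force (one account, many tries, T1110.001), while a user mistyping a password twice on a workstation matches neither.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds a detection engineer would expose as SPL macro arguments (assumed values).
WINDOW = timedelta(minutes=10)  # look-back window per source address
MIN_ACCOUNTS = 5                # distinct accounts a spray must touch
MAX_PER_ACCOUNT = 2             # sprays stay low-and-slow per account
MIN_FAILURES = 5                # repeated failures on one account = brute force

# Constructed sample events (4625 = failed logon, 4624 = successful logon).
# 10.30.0.10 stands in for the attacker VLAN, 10.20.0.x for internal workstations.
SAMPLE_LOG = """\
time=2025-03-01T09:00:01 EventCode=4625 TargetUserName=alice IpAddress=10.30.0.10 LogonType=3
time=2025-03-01T09:00:04 EventCode=4625 TargetUserName=bob IpAddress=10.30.0.10 LogonType=3
time=2025-03-01T09:00:07 EventCode=4625 TargetUserName=carol IpAddress=10.30.0.10 LogonType=3
time=2025-03-01T09:00:10 EventCode=4625 TargetUserName=dave IpAddress=10.30.0.10 LogonType=3
time=2025-03-01T09:00:13 EventCode=4625 TargetUserName=erin IpAddress=10.30.0.10 LogonType=3
time=2025-03-01T09:02:40 EventCode=4624 TargetUserName=erin IpAddress=10.30.0.10 LogonType=3
time=2025-03-01T09:05:00 EventCode=4625 TargetUserName=alice IpAddress=10.20.0.15 LogonType=2
time=2025-03-01T09:05:06 EventCode=4625 TargetUserName=alice IpAddress=10.20.0.15 LogonType=2
time=2025-03-01T09:05:12 EventCode=4624 TargetUserName=alice IpAddress=10.20.0.15 LogonType=2
time=2025-03-01T09:10:00 EventCode=4625 TargetUserName=bob IpAddress=10.20.0.16 LogonType=3
time=2025-03-01T09:10:01 EventCode=4625 TargetUserName=bob IpAddress=10.20.0.16 LogonType=3
time=2025-03-01T09:10:02 EventCode=4625 TargetUserName=bob IpAddress=10.20.0.16 LogonType=3
time=2025-03-01T09:10:03 EventCode=4625 TargetUserName=bob IpAddress=10.20.0.16 LogonType=3
time=2025-03-01T09:10:04 EventCode=4625 TargetUserName=bob IpAddress=10.20.0.16 LogonType=3
"""


@dataclass
class Event:
    ts: datetime
    code: int         # EventCode
    user: str         # TargetUserName, lower-cased so case variants collapse
    src: str          # IpAddress
    logon_type: int   # LogonType (3 = network, 2 = interactive)


def parse(line: str) -> Event:
    """Parse one key=value line into an Event."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return Event(datetime.fromisoformat(f["time"]), int(f["EventCode"]),
                 f["TargetUserName"].lower(), f["IpAddress"], int(f["LogonType"]))


def load(text: str) -> list:
    """Parse all non-empty lines and return them in time order."""
    return sorted((parse(l) for l in text.splitlines() if l.strip()), key=lambda e: e.ts)


def _failures_by_source(events):
    by_src = defaultdict(list)
    for e in events:
        if e.code == 4625:
            by_src[e.src].append(e)
    return by_src


def detect_password_spray(events):
    """T1110.003: one source fails against MIN_ACCOUNTS distinct accounts, at most
    MAX_PER_ACCOUNT tries each, inside WINDOW. Also reports any account the same
    source then logged on to, which is the triage-critical fact."""
    alerts = []
    for src, fails in _failures_by_source(events).items():
        for i, first in enumerate(fails):
            window = [e for e in fails[i:] if e.ts - first.ts <= WINDOW]
            tries = defaultdict(int)
            for e in window:
                tries[e.user] += 1
            if len(tries) >= MIN_ACCOUNTS and max(tries.values()) <= MAX_PER_ACCOUNT:
                last = window[-1].ts
                success = sorted({e.user for e in events if e.code == 4624 and e.src == src
                                  and first.ts <= e.ts <= last + WINDOW})
                alerts.append({"technique": "T1110.003", "src": src,
                               "accounts": sorted(tries), "success": success})
                break  # one alert per source; later windows would re-report the same burst
    return alerts


def detect_brute_force(events):
    """T1110.001: one source fails MIN_FAILURES times against one account inside WINDOW."""
    alerts = []
    for src, fails in _failures_by_source(events).items():
        per_user = defaultdict(list)
        for e in fails:
            per_user[e.user].append(e.ts)
        for user, stamps in per_user.items():
            for i, t0 in enumerate(stamps):
                if len([t for t in stamps[i:] if t - t0 <= WINDOW]) >= MIN_FAILURES:
                    alerts.append({"technique": "T1110.001", "src": src, "account": user})
                    break
    return alerts


if __name__ == "__main__":
    evs = load(SAMPLE_LOG)
    for alert in detect_password_spray(evs) + detect_brute_force(evs):
        print(alert)
```

Run against the sample, the spray rule fires once for 10.30.0.10 and names erin as the account that subsequently succeeded, the brute-force rule fires once for 10.20.0.16 against bob, and the two interactive typos from 10.20.0.15 produce nothing. The spray rule is the same shape as an SPL search such as `EventCode=4625 | bin _time span=10m | stats dc(TargetUserName) AS accounts count BY IpAddress _time | where accounts>=5`; the per-account cap and the follow-on 4624 join are what keep it from also firing on ordinary lockout noise.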
Monitoring • Observability • Infrastructure
Zabbix • Proxmox • CPU • Memory
Infrastructure Monitoring with Zabbix
Deployed Zabbix across the lab to centralize health monitoring and create a single dashboard for host and virtual machine performance.
- —Connected each VM to Zabbix for centralized monitoring.
- —Built a dashboard to review CPU and memory usage across the environment.
- —Added Proxmox host graphs to quickly spot infrastructure-wide resource spikes.
Active Directory • Hardening • GPO
Windows Server • CIS Benchmarks
Enterprise AD Hardening & Automation
Implemented a hardened baseline for a Windows domain environment using Group Policy and a tiered administration model.
- —Deployed GPOs to automate security configurations and disable legacy protocols.
- —Configured LAPS for local administrator password management.
- —Validated security posture improvements using automated auditing tools like PingCastle.
Featured visuals
Operational screenshots from the lab environment, including topology, telemetry, and monitoring views.

Splunk Detection View
Security telemetry dashboard used to investigate suspicious activity, review authentication patterns, and support detection engineering workflows.

Infrastructure Monitoring View
Dashboard perspective used to review host and virtual machine performance, including CPU and memory usage across the environment.
Lab topology
A defense-in-depth virtual environment engineered on Proxmox VE, utilizing OPNsense for granular network segmentation and Tailscale for Zero Trust administration.
Infrastructure & Services
- —Proxmox VE: Type-1 Hypervisor managing isolated VLAN-style networks and compute resources.
- —OPNsense Gateway: Enforces strict inter-VLAN routing, NAT, and egress filtering to prevent unauthorized C2 communication.
- —Tailscale ZTNA: Provides an encrypted Management Plane for RDP/SSH access without public-facing ports.
- —Windows Server AD: Centralized identity provider for testing GPO-based hardening and authentication anomalies.
- —Splunk Enterprise: Centralized 'Brain' for log ingestion, indexing, and detection engineering.
- —Zeek NSM: Performs deep packet inspection (DPI) to surface network-level behavioral indicators.
Logical Segmentation
- —Management (VLAN 10): Restricted to Proxmox, OPNsense, and Tailscale endpoints.
- —Internal / Victim (VLAN 20): Active Directory and Windows endpoints; heavily monitored for telemetry.
- —DMZ / Attacker (VLAN 30): Isolated Kali Linux node with no lateral access to Management.
Telemetry Pipeline
Endpoints → Sysmon → Universal Forwarder → OPNsense (TCP 9997) → Splunk Indexer. TCP 9997 is Splunk's default forwarder-to-indexer receiving port, so the OPNsense rule set permits it only from the monitored network to the indexer rather than opening it between VLANs generally.

Operational Focus
This environment simulates real-world enterprise segmentation, enabling detection engineering against lateral movement, privilege escalation, and command-and-control behavior within a controlled Blue Team setting.
Credentials
Professional certifications earned in the field.
CompTIA Network+
Earned Jan 2026
CompTIA Security+
Earned July 2025
Google Cybersecurity Professional
Earned Jan 2025
