DFIR & Detection Engineering · Tokyo, Japan

Building autonomous detection systems and architectural security guarantees. Currently exploring agentic DFIR — MCP-based forensic agents that encode the reasoning pattern of a senior analyst as architecture, not as a prompt.

• Digital Forensics & Incident Response  ·  Windows / macOS / Linux
• Detection Engineering  ·  MITRE ATT&CK coverage modeling, Sigma
• DevSecOps & Security Automation
• Agentic AI for Security  ·  MCP, audit-chained reasoning loops

Autonomous DFIR agent that thinks like a senior analyst. Architecture-first, not prompt-first. The agent is given a typed, read-only MCP surface — native pure-Python forensic functions plus SIFT Workstation tool adapters (Volatility 3, MFTECmd, EvtxECmd, PECmd, RECmd, AmcacheParser, YARA, Plaso) — spanning broad MITRE ATT&CK enterprise coverage. The full test suite passes on a fresh clone (CI green on Python 3.10/3.11/3.12/3.13). The senior-analyst playbook synthesizes Mandiant + Bianco + Diamond + Palantir ADS + MaGMa UCF + TaHiTI hunt cycle, with every framework block citing its source. Read-only MCP boundary makes destructive ops impossible by construction. Three evaluation tiers: synthetic reference (recall=1.0), noise-injected realistic at ~1:30 IOC:benign (recall=1.0), and NIST CFReDS Hacking Case (community-trusted external benchmark) — v0.6.0 scores 0.50/0.80 strict/lenient on 10 sampled NIST findings, up from v0.5.3's 0.10/0.40 (supply-chain sweeps + collector adapter added in v0.6.0), after parse_registry_hive (issue #52) shipped. Remaining CFReDS gaps (#53/#54/#55) are explicit Phase 2 deliverables. Starts as agentic DFIR; designed to expand toward agentic SOC and beyond.

_{→ github.com/Juwon1405/agentic-dart  ·  Submission to SANS FIND EVIL! 2026  ·  MIT}

🔌 agentic-dart-collector-adapter  new — Phase 1.3 Velociraptor → evidence_root adapter — stdlib-only Python layer that converts Velociraptor offline-collector ZIPs into the evidence_root layout Agentic-DART consumes. Seeds chain-of-custody (manifest.json + SHA-256 index). Full test suite passes on CI Linux+macOS × py3.10/11/12.

📓 GitNote GitNote — curated personal knowledge base in InfoSec & computer science. A long-running collection of notes, references, and code snippets from years of DFIR / detection engineering work.

• Network Attack Packet Analysis for Security Practitioners  ·  보안 실무자를 위한 네트워크 공격 패킷 분석  _{(co-author, lead)}
  Freelec, 2019.11  ·  ISBN 9788965402589  ·  ~370 pp.
  A practitioner's reference covering DDoS, web exploitation, malicious traffic, wireless intrusion, system exploitation, and large-volume packet analysis.
  _{→ Yes24  ·  Aladin  ·  Kyobo  ·  Google Books}

• 🥇 Gold Prize, 2017 Korea Open-Source Software Developer Contest  _{(NIPA, national OSS award)}
• 📜 Patent (filed): Security Event Correlation Analysis Apparatus  _{(2018, Netmarble Corp.)}
• 🎯 4th place, 2017 CCE National Cyber Defense Competition  _{(National Intelligence Service of Korea)}
• 🐛 Special Prize, 2015 LINE Bug Bounty Program  _{(LINE Corp.)}

• YouTube: DoubleS1405 — long-running Korean-language information-security lecture channel (2014–present)

• Awesome Stars (GitNote) ⭐ — Starred repos categorized into curated buckets (DFIR / Blue Team / AI / Red Team / Malware / OSINT / etc.), regenerated periodically after curation passes.
• DFIR — Digital Forensics & Incident Response
• BlueTeam — Defensive operations & SOC
• Tools & Tips — Analysis utilities
• DevSecOps — Security automation & AI
• Gist — Code snippets

Research collaboration · CTF · CSIRT exchange · Open-source security tooling