MAHADEV PRASAD NANDA

• Incident Response Leadership: Directed complex cyber incident investigations, ensuring rapid containment, eradication, and recovery while minimizing business disruption. Led root cause analysis (RCA) and post-incident reporting.
• Advanced Threat Detection & Hunting: Designed and optimized SIEM use cases, automated alerts, and MITRE ATT&CK-based detection frameworks to enhance threat visibility. Led proactive threat hunting initiatives using behavioral analytics.
• Forensic & Malware Analysis: Conducted host and network forensics, including Windows log analysis, memory forensics, and network traffic inspection. Investigated attack vectors and adversary TTPs for malware analysis.
• Security Operations & SIEM Engineering: Managed and fine-tuned EDR, XDR, IDS/IPS, and SOAR solutions to improve real-time threat detection and response. Developed automated playbooks to enrich intelligence, streamline triage, and reduce false positives.
• Cloud Security Incident Response: Led response efforts for security incidents in AWS, Azure, and Google Cloud. Strengthened API security posture and implemented DDoS mitigation strategies for cloud applications.
• Threat Intelligence & Risk Assessment: Monitored threat intelligence feeds, OSINT sources, and dark web activity to identify emerging threats. Mapped and assessed risks using MITRE ATT&CK, aiding in strategic defense initiatives.
• Security Tools & Infrastructure Protection: Managed a diverse security stack, including WAFs, DDoS protection, IAM, email security, firewalls, EDR, antivirus, SOAR, and bot mitigation solutions. Led real-time Layer 7 attack detection and mitigation.
• Process Development & Optimization: Developed and enhanced operational workflows for security incident tracking, escalation, and remediation, improving response efficiency and effectiveness.
• Leadership & Mentorship: Trained and guided junior analysts, fostering a high-performance incident response team with continuous skill development.
• Executive Communication & Reporting: Authored detailed technical reports and executive briefings on cyber incidents, vulnerabilities, and remediation strategies, enabling data-driven security decisions.

DFIR & Incident Response

• Led Cyber Security Defense Center’s incident response operations, ensuring rapid containment and recovery.
• Managed end-to-end IR processes, including RCA, security log analysis, and forensic investigations.
• Expertise in SIEM, memory/network forensics, and forensic artifacts (Event Logs, Prefetch, Amcache, etc.).
• Hands-on experience with IAM, data security, application security, and network security threats.
• Maintained incident tracking systems, generated reports, and collaborated with internal stakeholders.
• Managed enterprise security tools: WAF, DDoS protection, EDR, firewalls, SOAR, and rate limiters.
• Conducted vulnerability validation (HackerOne) and real-time Layer 7 DDoS mitigation.
• Architected API security controls, DDoS defense strategies, and edge security solutions.

Threat Intelligence

• Conducted threat intelligence, hunting, and profiling to detect adversary TTPs and attack patterns.
• Mapped threats using MITRE ATT&CK, analyzing IOCs to strengthen security defenses.
• Monitored OSINT sources, threat feeds, and dark web activity to identify emerging risks.
• Developed cyber threat models and risk assessments to inform defensive strategies.

Threat Detection

• Developed SIEM use cases, detection rules, and automated alerts to identify advanced threats.
• Fine-tuned EDR, XDR, IDS/IPS, and SOAR to enhance real-time detection and response.
• Designed MITRE ATT&CK-based detection frameworks and proactive threat-hunting strategies.
• Automated SOAR workflows for rapid incident response, reducing false positives.
• Conducted malware analysis and investigated adversary TTPs for enhanced threat visibility.
• Led detection engineering, optimizing security tools, alerts, and correlation rules in Splunk.

• Cyber security consultant for Banking, Transport, Enterprise, Retail, Trading, Food chain organizations
• SIRT - Plan and execute containment, eradication actions and mitigation, Cyber Security Incident Investigations
• Investigating network intrusions and cyber security breaches to determine the cause and extent of the breach, network & host forensics analysis (DFIR)
• Investigate and analyze security threats at customers' premises, using established cyber security assessment methodologies
• Assisting L1 and L2 Teams in monitoring information security alerts through SIEM (Arcsight) to respond, triage, and escalate as needed
• Analyze and Investigate on Intrusion Detection System events and intelligence reports from External Vendors
• Analyzing malware samples and extract C&C and assess the depth of impact in the environment
• Submitting the malware samples to AV vendor for immediate coverage
• Performing malware analysis (static reverse engineering) by recreating the incident on the lab machine (Hands on in Ransomware, Phishing)
• Correlate findings with SOC Analysts and propose follow-ups to eliminate or mitigate the threats
• Fraudulent activity detection and Credential validation attacks
• Analyzing phishing emails and attachments and taking appropriate remediation steps as required and also submit the samples to E-mail monitoring vendors for their signature update
• Register the findings comprehensively in proper client reports and SOC systems
• Enhancing ASOC Threat Detection Capabilities
• Risk assessment, audit of customer environment and remedy
• Vulnerability Assessment report review, scan assessment on customer environment
• Threat intelligence service along with security advisories on cyber threats
• Technical reviews on customer environment to provide solution
• Threat hunting using available logs
• Pre and post assessment of security products for customers
• Playbook Development and Enhancement, Managed Endpoint Threat Response
• Enhancing SOC Security Monitoring Triage Quality
• Familiar with Cyber kill chain process
• Defining SOP, enhancing use cases for customers, building new cases and enhancing existing detection patterns

• Acted as the Single Point of Contact (SPOC) for vendor relationships and client engagement in security projects
• Managed and configured perimeter security operations for devices like CheckPoint, Juniper, Palo Alto, Cisco firewalls, Bluecoat proxies, and Juniper SSL VPNs
• Coordinated with security vendors for Return Material Authorizations (RMA) and ensured smooth operations
• Conducted log analysis using security monitoring tools such as Arbor PeakFlow, SourceFire, Palo Alto Networks, Arcsight Logger, and Proofpoint in Unix and Windows environments
• Led global security projects, overseeing security standards across regions and collaborating with engineering teams to improve security infrastructure
• Handled daily change management and client requests related to firewalls and proxies, including configuring access lists, NAT, rules, and VPN setups
• Led incident response, risk management discussions with clients, and approved critical security changes
• Conducted security event reviews, risk assessments, and MAS audits
• Managed a global security team, addressing day-to-day operations and critical incidents
• Performed global SOC monitoring, research, and analysis on IDS/IPS events, firewall, proxy, VPN, and McAfee logs
• Detected anomalies and analyzed packet-level data, firewall, and proxy logs to identify potential threats
• Reviewed logs from security tools like Arbor PeakFlow, Palo Alto Networks, ForeScout, Arcsight Logger, McAfee, and Damballa in Unix and Windows environments
• Identified system vulnerabilities and implemented countermeasures based on industry standards
• Provided evidence of corporate policy violations and worked with the Incident Management Team on escalation processes
• Experienced in security incident response, escalation, and mitigation, including DDoS attacks, virus outbreaks, phishing incidents, and illegitimate email distribution
• Detected fraudulent activities, suspicious behavior, and proxy log anomalies, using threat correlation techniques
• Monitored violations, recommending SIRT actions for authentication failures and system changes across various platforms (Wintel, UNIX, SQL, Oracle, network/VPN devices)
• Tracked security violations and breaches through daily audit logs in Arcsight, ensuring timely resolution with business teams

• Monitor and analyze security events from various sources (SIEM tools, IDS/IPS, firewalls, etc.) to detect threats and vulnerabilities
• Investigate, analyze, and respond to security incidents, such as malware infections, unauthorized access, phishing attacks, DDoS, and data breaches
• Escalate critical security incidents to higher management and relevant teams when necessary
• Provide detailed incident reports and root cause analysis to ensure timely remediation and future prevention
• Collaborate with IT and DevOps teams to prioritize and implement remediation strategies
• Configure, tune, and maintain SIEM platforms (QRadar, Arcsight) to enhance threat detection capabilities
• Develop custom correlation rules, filters, and dashboards to improve real-time security event monitoring
• Ensure that SIEM tools are properly integrated with other security tools and data sources for full visibility
• Configure, monitor, and troubleshoot firewalls, intrusion detection/prevention systems (IDS/IPS), and VPNs
• Implement and audit firewall policies, access control lists (ACLs), and network segmentation strategies to enforce least privilege and reduce attack surfaces
• Generate daily, weekly, and monthly security reports, highlighting key security incidents, trends, and metrics for management and stakeholders
• Maintain comprehensive documentation for security incident response procedures, policies, and post-incident analysis
• Work closely with IT, DevOps, network engineering, and risk management teams to ensure security measures are effectively implemented
• Support internal and external security audits by providing relevant documentation and evidence of SOC activities
• Ensure that SOC operations are in compliance with relevant security policies, industry standards, and regulatory requirements

• Monitored and analyzed security events across networks and systems using SIEM tools (e.g., Arcsight, Splunk, QRadar) to detect potential threats and incidents
• Conducted real-time security monitoring for Firewalls, IDS/IPS, Windows/Unix servers, and VPNs, responding promptly to alarms and alerts
• Investigated and mitigated security incidents such as malware infections, unauthorized access, and DDoS attacks to minimize operational impacts
• Performed log analysis to identify suspicious activity, leading to the timely resolution of security vulnerabilities and incidents
• Developed and maintained security dashboards in SIEM tools, providing real-time visibility into network traffic and security event trends
• Created detailed security reports and advisories, including daily, weekly, and monthly incident summaries for stakeholders
• Administered and configured security devices, including firewalls, intrusion detection/prevention systems (IDS/IPS), and VPNs
• Conducted vulnerability assessments and penetration testing on critical systems, providing remediation strategies for identified risks
• Collaborated with cross-functional teams to implement firewall policies, access control lists (ACLs), and network segmentation to enhance security posture
• Managed phishing detection, investigation, and takedown efforts, coordinating with ISPs and external stakeholders
• Responded to security incidents using established incident response protocols and escalated critical issues to relevant teams
• Performed threat hunting and advanced malware analysis to detect sophisticated cyberattacks and minimize dwell time
• Provided training and support to junior SOC analysts on incident detection and response best practices
• Implemented and optimized SIEM tools, fine-tuning correlation rules, filters, and thresholds for enhanced detection capabilities