Wiston Lestin

Detection engineering × AI security

Wiston Lestin

Senior Detection & Response Specialist

Detection & response specialist focused on Detection-as-Code, threat detection & response, and AI-driven security automation across enterprise and cloud environments. Strong with the Microsoft Security stack (Sentinel, Defender XDR) and automation that accelerates detection and response.

Québec, Canada · Bilingual (FR/EN)

wiston@ai-core — detection-lab
$ whoami
senior detection & response · detection-as-code
$ sigma-backtest --dataset otrf/empire
[✓] precision 1.00 · recall 0.50 → 1.00 normalized
$ jailbreak-bench --corpus garak --families 4
[✓] ensemble recall 70.4% · false alarms 0
$ 
7,000+
endpoints protected
75%
faster investigations
60%
MTTD improvement
50+
MITRE-mapped detections

About

I design detections as code — version-controlled, pipeline-tested and validated against real adversary behavior. My work spans the Microsoft Security stack (Sentinel, Defender XDR, Defender for Office 365, Defender for Cloud, Purview DLP & Insider Risk), cross-platform detection (KQL ↔ SPL), purple-team validation (APT29/APT41) and AI-driven security automation. Backed by 15+ years of IT infrastructure, I also design secure network architectures and review application code for vulnerabilities.

Wiston Lestin headshot

Skills

Detection-as-Code KQL (Sentinel) SPL (Splunk) Microsoft Sentinel Defender XDR Elastic / QRadar MITRE ATT&CK & D3FEND CI/CD for detection
AI-Driven Automation Agentic AI (MCP) Logic Apps / SOAR n8n Python PowerShell Bash REST / JSON APIs Docker
Defender for Office 365 Defender for Cloud Defender for Cloud Apps Microsoft Purview DLP Insider Risk Management M365 Tenant Security
Azure (Entra ID) AWS (CloudTrail, GuardDuty) GCP Infrastructure-as-Code Terraform Zero Trust Architecture Active Directory Windows / Linux
Threat Hunting Adversary Emulation (APT29 / APT41) Incident Response IOC Enrichment EASM Secure Network Architecture AppSec / Code Review

Experience

Senior Security Analyst – Detection & Response

TC Transcontinental · Jan 2023 – Present
  • Built DefenderHunter (Detection-as-Code) on 7,000+ endpoints, integrated with Defender XDR & Sentinel — 75% faster investigations, 60% MTTD improvement.
  • Authored 50+ MITRE ATT&CK-mapped detections; raised credential-theft coverage (Kerberoasting, DCSync) from 40% to 95%.
  • Pioneered cross-platform detection translation (KQL ↔ SPL) for vendor-agnostic coverage; cut false positives 50% via behavioral correlation.
  • Operate Microsoft Purview DLP & Insider Risk, Defender for Office 365, and the M365 security tenant (Defender for Cloud & Cloud Apps).
  • Design secure network architecture & segmentation, perform application-security code reviews, and run purple-team emulation (APT29/APT41).

IT Security Analyst

Desjardins · Apr 2022 – Nov 2022
  • Developed financial threat-detection rules spanning fraud, phishing, and compliance scenarios.
  • Reduced false positives by 50% through automated alert-triage workflows.
  • Delivered SIEM use cases and advanced correlation logic for enterprise clients.
  • Created automated monitoring cases to optimize alerting in a production SIEM.
  • Strengthened PCI-DSS compliance through enhanced monitoring and broader log coverage.

Information Security Specialist

Hitachi Systems Security · Oct 2021 – Apr 2022
  • Delivered cybersecurity support to enterprise clients across multiple industries.
  • Managed EDR/NDR solutions and conducted vulnerability assessments.
  • Performed threat-hunting operations and in-depth security investigations.
  • Created and optimized detection rules for emerging threat patterns.
  • Advised clients on remediation strategies and security best practices.

Network & Infrastructure Administrator

Various Organizations · 2006 – 2021
  • 15+ years building and securing enterprise networks, Active Directory, Windows/Linux and virtualization.
  • Deep system-level foundation that underpins current detection and automation work.

Selected Projects

Detection Rule Backtester

Backtests detection rules (Sigma / ATR / KQL-style) against real logs and AI-attack traces, reporting per-rule precision, recall and false-positive rate plus multi-rule ensemble confidence. Measured that keyword rules catch only ~9% of real LLM jailbreaks.

Python · Sigma · garak · MITRE ATT&CK / ATLAS · MIT

DefenderHunter

Detection-as-Code threat-hunting framework for Microsoft Defender XDR & Sentinel — 22 MITRE-mapped ransomware query packs with automated IOC enrichment.

PowerShell · KQL · Defender XDR · Sentinel · MIT

Sandbox Malware Analyzer

Disposable, automated malware-analysis lab on Windows Sandbox — multi-format detonation (EXE / doc / PDF / URL / email), behavioral capture, IOC extraction and HTML/JSON reporting.

PowerShell · Windows Sandbox · YARA · MIT

Network Share Enumeration System

Automated permissions analysis with CMDB sync and ServiceNow remediation workflows — 90% audit-time reduction.

PowerShell · Active Directory · CMDB · ServiceNow

SecureOrbit EASM

External Attack Surface Management — continuous discovery and monitoring of internet-facing assets, with correlation and confidence scoring to prioritize real exposures.

Python · Docker · REST APIs · alerting

HORUS

Agentic threat-intelligence & attack-surface engine behind SecureOrbit EASM — automated collection, correlation and confidence scoring with multi-channel alerting and reporting.

Python · Docker · agentic AI · n8n

CertWatch

TLS/SSL certificate-monitoring SaaS — expiry & misconfiguration alerts from an SSRF-hardened scanning engine, with multi-client tenancy and webhook-driven notifications. The admin console runs default-deny behind a Cloudflare Zero Trust (Access) edge, while the signature-verified payment webhook and public scan endpoint stay reachable.

FastAPI · Zero Trust / Cloudflare Access · SSRF-hardened scanner · Stripe · webhooks

AuditCloud360 (In Dev)

Automated Azure & AWS security audit with reporting and alerting.

Azure · AWS · Python · Terraform

SecureOrbit360 (In Dev)

SOC workflow automation integrating Logic Apps and n8n (isolation, enrichment, ticketing, notifications).

Logic Apps · n8n · Defender XDR · Sentinel

Certifications

CompTIA CASP+ CompTIA PenTest+ CompTIA CySA+ CompTIA Security+ Microsoft Azure Fundamentals (AZ‑900) ISC² Certified in Cybersecurity ICSI Certified Network Security Analyst

Get in touch

Always glad to connect — feel free to reach out to discuss detection & response, AI-driven security automation, or potential collaboration.