Security operations built on 15 years of detection expertise
Founded by a cybersecurity leader with over a decade of experience delivering security operations transformations across Asia, Europe, and Africa, including leadership roles at JPMorgan Chase, Morgan Stanley, and HSBC, and consulting engagements for banking and telecommunications organisations.
- SVP · JPMorgan Chase (Singapore · Asia, 06/2024–04/2026)
- SVP · Morgan Stanley (Glasgow · Europe, 02/2021–06/2024)
- Senior Systems Engineer · HSBC (London)
- VP · JPMorgan Chase (London · Europe, 07/2016–12/2019)
- Splunk Professional Services · ECS Security / Adarma (London · Europe, 10/2014–06/2016)
- CISSP · AWS Certified · Splunk Architect
Security teams are drowning in noise
Siloed teams, invisible coverage metrics, and SIEM migrations that erase years of accumulated detection work leave organisations perpetually rebuilding from scratch. Most teams know their detections but cannot see their combined gaps — or communicate the value of closing them to leadership.
Siloed detection teams
In many organisations, detection responsibility is split between CIRT and Threat Hunting teams — each managing their own rules, platforms, and coverage records. There is no consolidated view of combined coverage or gaps, meaning blind spots exist precisely where team ownership changes, with no way to report on the true combined detection posture.
Continuous gap analysis and value
New detections are built and deployed, but it is difficult to instantly show what gap they close or how coverage improved. Without a coverage map, there is no before-and-after metric, no closed-gap reporting, and no clear picture of what was gained — making it hard to justify the detection engineering investment to leadership or across teams.
Detection blind spots
Inconsistent log ingestion and missing coverage leave gaps across cloud, on-prem, and hybrid environments. You cannot detect what you cannot see — and most organisations cannot map what they are not seeing.
Coverage lost in migrations
Every SIEM migration wipes years of accumulated detection coverage — tuned analytics, suppression rules, and institutional knowledge built up over years are abandoned on the old platform. Without a platform-agnostic record, the same ground has to be rebuilt from scratch, and there is no audit trail of what existed, what decisions were made, or what was lost.
No standard deployment lifecycle
Updates to detection rules happen ad-hoc, inconsistently, and without a standard workflow — no approval process, no audit trail of what changed or when, and no way to roll back a breaking change. Without a vendor-agnostic lifecycle layer, teams cannot track which version of a detection is deployed where, or demonstrate governance to auditors and leadership.
Analytics locked to a single platform
Detection logic written for Splunk cannot be easily understood or translated to Elastic or Microsoft Sentinel without deep expertise in each platform's query language. Engineers spend significant time manually rewriting detections during migrations, and even within a single platform the intent behind a rule is often opaque — making it hard to assess, audit, or collaborate on existing content.
No rapid-deployment readiness
If a critical environment went down today and the business needed a new SIEM instance operational with full detection coverage in hours — how many organisations could do it? For most, the answer is months. Analytics are manually configured, environment-specific, and undocumented, meaning detection capability cannot be replicated at speed. True business continuity requires detection to be portable and deployable on demand.
Security Analytics & Continuous Monitoring System
SACMS is a detection engineering platform that increases security coverage by enabling gap-based analytic development — systematically identifying what you are not detecting, then building the analytics to close those gaps. It brings together SIEM, Detection Engineering, and Detection Governance into a continuously-improving security posture built by engineers who have deployed these solutions at the world's largest financial institutions.
Vendor-agnostic Detection Library
A platform-independent library of analytics that travels with your organisation — not with your SIEM. Your detections survive every migration.
AI-powered Translation
Context-aware AI translates any detection into the target platform's query language — Splunk, Elastic, Sentinel, CrowdStrike or QRadar — preserving intent, not just syntax.
Analytic Testing
The platform allows a detection to be validated directly from the library against any connected instance before it is deployed to production. Logic errors and false-positive risks are caught in the pipeline, not in the SOC.
Approval Workflow
Structured promotion gates ensure every detection is reviewed and signed off before going live. No rule reaches production without explicit approval.
Full Audit Trail at Every Step
Every draft import, content translation, content promotion, reviewer sign-off, test, deployment and deletion event is recorded, across every platform generation.
MITRE ATT&CK Coverage Mapping
Coverage mapped against MITRE ATT&CK per security boundary — with gap prioritisation that turns blind spots into a targeted development backlog.
Know your gaps. Know your coverage.
The real question isn't "how many detections do I have?" but "how much coverage do I have?" The Coverage Lattice answers it. Every security boundary gets a coverage percentage, calculated from what you detect, what is out of scope, and where the gaps are. Know your gaps; detect the enemy. Each gap node becomes the starting point for targeted analytic development, turning coverage from a snapshot into a continuously improving programme.
How coverage is calculated
Each node's coverage percentage is derived from three counts across the MITRE ATT&CK techniques relevant to that security boundary. Out-of-scope techniques are removed from the denominator, so the percentage measures only the techniques that actually apply to that boundary:
Coverage % = Detected × 100 ÷ (Detected + Gaps)
- Detected: techniques with active, tested detection rules in the SIEM
- Out of scope: techniques not applicable to this boundary, excluded from both the numerator and the denominator
- Gaps: applicable techniques with no detection in place; this is the backlog for analytic development
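The calculation above, carried through in code. This is an added example written for this page, not SACMS code: the boundary names, technique statuses and the CIRT/Threat Hunting records are constructed sample data, and the "detected outranks gap outranks out-of-scope" merge rule for siloed team records is an assumption chosen so that a gap recorded by either team is never hidden by the other team marking the technique out of scope.

```python
"""Coverage Lattice arithmetic: per-boundary coverage percentage, the gap
backlog, and merging siloed team records into one combined view.
Added example; not SACMS code. All data below is constructed."""
from collections import Counter

DETECTED, OUT_OF_SCOPE, GAP = "detected", "out_of_scope", "gap"
# Precedence when two teams' records disagree about one technique (assumption).
_RANK = {DETECTED: 2, GAP: 1, OUT_OF_SCOPE: 0}

# Constructed sample lattice: boundary -> ATT&CK technique ID -> status.
LATTICE = {
    "identity": {
        "T1110": DETECTED,          # Brute Force
        "T1078": DETECTED,          # Valid Accounts
        "T1556": GAP,               # Modify Authentication Process
        "T1098": GAP,               # Account Manipulation
        "T1021.001": OUT_OF_SCOPE,  # RDP not reachable in this boundary (assumed)
    },
    "cloud": {
        "T1078.004": DETECTED,      # Cloud Accounts
        "T1098": GAP,               # Account Manipulation
        "T1530": GAP,               # Data from Cloud Storage
        "T1552.005": GAP,           # Cloud Instance Metadata API
        "T1580": GAP,               # Cloud Infrastructure Discovery
    },
    "ot_isolated": {"T1110": OUT_OF_SCOPE},  # nothing applicable mapped yet
}


def coverage(boundary):
    """Coverage % = Detected * 100 / (Detected + Gaps).

    Out-of-scope techniques are excluded from numerator and denominator.
    Returns (percentage or None, counts, sorted gap IDs). None means no
    applicable technique has been mapped for the boundary at all, which
    is reported rather than silently shown as 0% or 100%."""
    counts = Counter({DETECTED: 0, OUT_OF_SCOPE: 0, GAP: 0})
    for technique, status in boundary.items():
        if status not in _RANK:
            raise ValueError(f"{technique}: unknown status {status!r}")
        counts[status] += 1
    applicable = counts[DETECTED] + counts[GAP]
    pct = None if applicable == 0 else round(counts[DETECTED] * 100 / applicable, 1)
    gaps = sorted(t for t, s in boundary.items() if s == GAP)
    return pct, dict(counts), gaps


def gap_backlog(lattice):
    """Gap nodes ranked as a development backlog: a technique that is a gap
    in more boundaries ranks higher; ties are broken by technique ID."""
    hits = Counter(t for b in lattice.values() for t, s in b.items() if s == GAP)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


def merge_records(*team_records):
    """Combine siloed team views of one boundary into a single record.

    A detection owned by any team counts as detected; a gap recorded by any
    team outranks another team's out-of-scope, so blind spots at ownership
    seams surface instead of disappearing between the two records."""
    merged = {}
    for record in team_records:
        for technique, status in record.items():
            if _RANK[status] > _RANK.get(merged.get(technique), -1):
                merged[technique] = status
    return merged


if __name__ == "__main__":
    for name, boundary in LATTICE.items():
        pct, counts, gaps = coverage(boundary)
        print(f"{name:12} {str(pct):>5}%  {counts}  gaps={gaps}")
    print("backlog:", gap_backlog(LATTICE))
```

Running the module prints one line per boundary (identity at 50%, cloud at 20%, the isolated OT boundary as None) and the backlog headed by T1098, which is a gap in two boundaries. The merge is what a combined CIRT plus Threat Hunting view needs before the percentage is meaningful; without it each team's percentage is only as good as its own record.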
Most organisations discover significant coverage gaps when they map their environment for the first time.
From draft analytic to deployment — in one platform
Detection Gap Analysis
Review existing projects and identify gaps in detection coverage. Select which techniques to create a new detection for, generate an analytic for a SIEM platform, or directly create and import the analytic to the library. Test the analytic directly from the library.
Detection Deployment
SACMS enables deployment of any content to any SIEM. Select a destination platform instance, a namespace, and a corresponding workflow. Initiate the deployment. If approval is required, only managers can approve the deployment of content to production namespaces.
Detection Governance
SACMS tracks every detection from initial gap identification through to active use and retirement — with full coverage continuity across SIEM migrations. Coverage maps are platform-independent, so when you migrate, nothing is lost. Executives get coverage percentages, not just detection counts.
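The deployment and governance steps above, as a worked lifecycle layer in code. This is an added illustration written for this page, not SACMS code and not its API: the library is a versioned in-memory registry, the test gate is a flag set by a recorded test run, only the "manager" role may approve a deployment into the namespace named "production" (both names are assumptions), every event goes to an append-only audit list, and rollback re-activates the previous version on one target. The detection IDs and queries are constructed samples.

```python
"""A vendor-agnostic detection lifecycle layer: versioned library entries,
a test gate, role-checked approval for production namespaces, a deployment
ledger per target, rollback, and an append-only audit trail.
Added illustration; not SACMS code. The "production" namespace name, the
"manager" role and all sample detections are assumptions."""
from dataclasses import dataclass, replace
import hashlib


@dataclass(frozen=True)
class DetectionVersion:
    detection_id: str
    version: int
    platform: str        # target query language, e.g. "splunk" or "sentinel"
    query: str
    tested: bool = False

    @property
    def digest(self):
        """Content hash so the audit trail records exactly what was deployed."""
        return hashlib.sha256(f"{self.platform}\n{self.query}".encode()).hexdigest()[:12]


class LifecycleError(Exception):
    pass


class DetectionRegistry:
    PROD_NAMESPACE = "production"   # assumption: the namespace that needs sign-off

    def __init__(self):
        self.versions = {}   # (detection_id, version) -> DetectionVersion
        self.ledger = {}     # (instance, namespace, detection_id) -> versions, oldest first
        self.pending = {}    # request_id -> deployment request awaiting approval
        self.audit = []      # append-only; entries are never edited
        self._requests = 0

    def _log(self, event, actor, **details):
        self.audit.append({"seq": len(self.audit) + 1, "event": event, "actor": actor, **details})

    def import_draft(self, actor, detection_id, platform, query):
        version = 1 + max((v for (d, v) in self.versions if d == detection_id), default=0)
        dv = DetectionVersion(detection_id, version, platform, query)
        self.versions[(detection_id, version)] = dv
        self._log("draft_import", actor, detection=detection_id, version=version, digest=dv.digest)
        return dv

    def record_test(self, actor, detection_id, version, passed):
        key = (detection_id, version)
        self.versions[key] = replace(self.versions[key], tested=passed)
        self._log("test", actor, detection=detection_id, version=version, passed=passed)

    def request_deploy(self, actor, detection_id, version, instance, namespace):
        """Deploy now for non-production namespaces; otherwise park the request
        behind the approval gate and return its id."""
        dv = self.versions.get((detection_id, version))
        if dv is None:
            raise LifecycleError(f"{detection_id} v{version} is not in the library")
        if not dv.tested:
            raise LifecycleError(f"{detection_id} v{version} has not passed testing")
        request = {"requester": actor, "detection": detection_id, "version": version,
                   "instance": instance, "namespace": namespace}
        if namespace != self.PROD_NAMESPACE:
            self._deploy(actor, request)
            return None
        self._requests += 1
        request_id = f"req-{self._requests}"
        self.pending[request_id] = request
        self._log("deployment_requested", actor, request=request_id, **request)
        return request_id

    def approve(self, actor, role, request_id):
        request = self.pending.get(request_id)
        if request is None:
            raise LifecycleError(f"no pending request {request_id}")
        if role != "manager":
            self._log("approval_denied", actor, request=request_id, role=role)
            raise LifecycleError(f"{actor} ({role}) may not approve production deployments")
        del self.pending[request_id]
        self._log("approval", actor, request=request_id)
        self._deploy(actor, request)

    def _deploy(self, actor, request):
        key = (request["instance"], request["namespace"], request["detection"])
        self.ledger.setdefault(key, []).append(request["version"])
        dv = self.versions[(request["detection"], request["version"])]
        self._log("deployment", actor, digest=dv.digest, **request)

    def deployed_version(self, instance, namespace, detection_id):
        history = self.ledger.get((instance, namespace, detection_id))
        return history[-1] if history else None

    def rollback(self, actor, instance, namespace, detection_id):
        """Re-activate the previously deployed version on one target."""
        history = self.ledger.get((instance, namespace, detection_id), [])
        if len(history) < 2:
            raise LifecycleError("nothing to roll back to")
        withdrawn = history.pop()
        self._log("rollback", actor, instance=instance, namespace=namespace,
                  detection=detection_id, from_version=withdrawn, to_version=history[-1])
        return history[-1]

    def where_deployed(self, detection_id):
        """Which version is live on which target: the inventory a migration needs."""
        return {(i, n): v[-1] for (i, n, d), v in self.ledger.items() if d == detection_id and v}
```

The two checks that matter for governance are both in the request path: an untested version cannot be deployed anywhere, and a production deployment does not happen until a manager approves it, with the denied attempt itself landing in the audit trail. Because the ledger is keyed by target, `where_deployed` answers "which version of this detection is live where", and `rollback` restores the previous entry on exactly one target rather than guessing.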
Built by someone who has lived the problem
I spent 15 years inside some of the world's largest financial institutions, deploying and operating the very systems SACMS is built around. I have led global teams across North America, EMEA, and APAC, driven SOX and SEBI audit compliance, supported security automation, and developed and tuned analytics for specific use cases.
Before joining Tier 1 banks, I delivered Splunk professional services on behalf of Splunk across financial and telecoms clients through ECS Security Ltd (now Adarma) — gaining deep consulting experience designing and deploying SIEM environments from scratch across the UK.
Having worked across three continents — Asia (Singapore), Europe (UK and France), and Africa (Nigeria) — I bring a genuinely global perspective to security operations challenges that span jurisdictions, time zones, and regulatory frameworks.
SACMS is the platform I wished had existed throughout that journey: one that combines detection engineering, SIEM operations, and detection governance with enterprise-level rigour — without the enterprise-level complexity and cost.
Returned to Morgan Stanley in a senior leadership capacity, continuing to drive security operations and detection engineering strategy at global scale
CI/CD pipeline for comprehensive testing of SIEM deployments; Terraform infrastructure automation; Splunk add-on development (Python, JS); global team leadership across the APAC region
Led global cross-functional team across NA/EMEA/APAC; XSOAR design and implementation; 30% false-positive reduction through security automation; SOX/SEBI compliance audit response; agile delivery leadership
SIEM platform cloud migration; Splunk ES correlation searches; SOAR (Phantom) playbook development; Windows Event Forwarding design
AWS, GCP, O365 and private cloud log onboarding; Kafka-based central logging strategy; Terraform/Ansible infrastructure automation; SIEM engineering standards
Splunk professional services delivered on behalf of Splunk across financial and telecoms clients; SIEM deployments from design to production; custom Splunk add-on development (SA-geodistance, TA-connectivity, TA-mailclient); Splunk Train-the-Trainer modules up to Architect level
SIEM deployments, WAF/IPS tuning, penetration testing, incident response, network engineering across financial, telecoms and public sector clients across multiple continents