[email protected] · linkedin.com/in/desi-ramirez · github.com/dram64 · (323) 423-6495

Desi Ramirez.

01 / 05 About
Profile
Location: Moreno Valley, CA
Education: B.S. Software Engineering · Cal Poly San Luis Obispo · 2022
02 / 05 Projects

Live systems, deployed and running.

14-day run · Cloud Security · Threat Detection

SOC Detection Lab

Hybrid edge-to-cloud SSH honeypot pipeline. A Cowrie honeypot at the network edge captured real-world attacks over a 14-day run, shipped logs through a serverless AWS pipeline, and rendered attack telemetry in a React dashboard. The AWS pipeline and dashboard remain live; the edge sensor has been decommissioned after its collection run.

Architecture

[SOC Detection Lab architecture diagram: edge (attacker SSH probe → Pi 5 k3s worker running the Cowrie SSH honeypot pod → VPS reverse tunnel with Suricata IDS network alerts), AWS pipeline (S3 → ingest Lambda parse + filter → DynamoDB single-table → aggregator Lambda rollups → API Lambda REST + WS → Cloudflare edge WAF → CloudFront → React dashboard for the viewer), and on-prem SIEM (Dell PowerEdge R730, Wazuh manager + indexer + dashboard, ELK, Sigma rules · MITRE ATT&CK) receiving a parallel Cowrie + Suricata telemetry stream through Wazuh decoders for analysis and threat hunting]
Pi 5 (k3s edge worker) → VPS with Suricata IDS → S3 → Lambda pipeline → DynamoDB → API → React dashboard. Wazuh + ELK on R730 ingest the same telemetry for SIEM analysis and threat hunting.

Highlights

  • Multi-tier detection architecture: Cowrie SSH honeypot on Raspberry Pi 5 (edge) → VPS ingress with Suricata IDS → on-prem SIEM core (Wazuh + Elastic Stack on Dell R730) → AWS-native correlation pipeline. Exposes a real attack surface while keeping the home network IP private.
  • Serverless AWS pipeline: Cowrie events → fluent-bit → S3 → ingest Lambda (parsing + ADR-005 password-boundary filtering) → single-table DynamoDB → aggregator + API Lambdas → React dashboard with bidirectional timestamp correlation.
  • Self-hosted SIEM core: Wazuh (manager + indexer + dashboard) with custom Cowrie decoders + 10+ correlation rules; Elastic Stack for parallel log aggregation and threat hunting; 10+ Sigma rules covering MITRE ATT&CK Initial Access (T1110), Lateral Movement (T1021), and Command & Control (T1071).
  • Infrastructure-as-code: Terraform — ACM, CloudFront with scoped CSP, OAC-restricted S3, scoped IAM roles per Lambda. CI/CD with GitHub Actions: 262 pytest gates, OIDC-trusted deploy role, terraform plan-on-PR. IAM permission boundary documented in ADR-011.
  • Observability layer: CloudWatch with SNS-backed alarms, pipeline-health dashboards, on-call runbook. 11 ADRs documenting architectural trade-offs.

Collection summary — 14-day run · May 6–21, 2026

Events captured: 231,930
Attack sessions: 36,440
SSH login attempts: 36,405
Unique attacker IPs: 1,322
Source countries: 84
Commands executed: 16,180
Malware-download attempts: 1,592
Distinct commands: 70
Captured live botnet activity — Mirai credential markers (345gs5662d34), SSH-key implant persistence, crypto-mining reconnaissance, and automated Go / libssh scanners. Top origins: Netherlands, Uzbekistan, United States (374 IPs), Hong Kong, Germany. Raw events archived to S3; correlated + GeoIP-enriched in DynamoDB.

Stack

AWS Lambda · DynamoDB · CloudFront · API Gateway · Terraform · Kubernetes (k3s) · Wazuh · Elastic Stack · Suricata · Sigma · Cowrie · React · TypeScript · Python · GitHub Actions

Live · Cloud · Real-Time Data · AI

Diamond IQ

Analytics platform ingesting MLB and Baseball Savant Statcast data. Real-time WebSocket fanout, AI-powered comparison features via Amazon Bedrock, and sub-second response time. 18 Lambda functions, single-table DynamoDB, 779+ players, 30 teams.

Architecture

[Diamond IQ architecture diagram: upstream sources (MLB Stats API for games · players; Baseball Savant Statcast CSVs) → EventBridge daily crons → 18 ingest Lambdas (idempotent batch, per-source isolation) → DynamoDB single-table (779+ players) → API Lambda (REST), Bedrock Lambda (AI analysis, cached) and WebSocket Lambda (real-time fanout) → Cloudflare edge WAF → CloudFront ×2 (API + frontend) → React SPA (Lighthouse 87 / 90) in the browser]
EventBridge → 18 Lambda ingest workers → DynamoDB → API + Bedrock + WebSocket Lambdas → CloudFront → React SPA

Highlights

  • Multi-source ingestion pipeline: MLB Stats API for game/player/team data, Baseball Savant CSV leaderboards for Statcast metrics (exit velocity, barrel %, xwOBA, bat tracking, pitcher arsenal). Daily EventBridge crons orchestrate idempotent batch updates with per-source failure isolation.
  • AI inference layer: Amazon Bedrock integration generates player and team analysis with read-through DynamoDB cache and quota-aware fallback handling.
  • 18 Lambda functions: spread across data ingestion, API serving, AI inference, and WebSocket connection management. All on a single-table DynamoDB design.
  • Edge & TLS: 2 CloudFront distributions (API + frontend), ACM certificates, Cloudflare proxied DNS for free edge WAF/DDoS, strict response-headers policy.
  • Frontend performance: React with code splitting — Lighthouse 87 desktop / 90 mobile in production. CI/CD on push to main; 305 backend + 225 frontend tests in CI.

Stack

AWS Lambda · DynamoDB · EventBridge · Bedrock · WebSocket APIs · CloudFront · Terraform · React · TypeScript · Recharts · Tailwind · Vite
03 / 05 Homelab

Personal security operations lab.

Self-hosted security operations environment, services platform, and continuous-deployment target. Real workloads on real hardware — used to deepen hands-on networking, security, and infrastructure skills beyond what cloud-only environments offer.

Network Topology

[Homelab network topology diagram: Internet → Palo Alto PA-440 NGFW (zone policies · L7 inspection) → Cisco CBS350-28T (VLANs · trunking · L2: vlan 10 mgmt, vlan 20 servers, vlan 30 lab) → Raspberry Pi 5 edge SOC honeypot (k3s Cowrie pod → AWS pipeline), Dell PowerEdge R730 (hypervisor host · iDRAC7 · RAID 1; SIEM stack, detection rules, k3s CD target, self-hosted services: passwords · git · sync · DNS), and an isolated lab segment for security testing (Alfa AWUS036ACS in monitor mode on a dedicated lab SSID); CyberPower CP1500PFCLCD UPS provides graceful-shutdown power]
Internet → PA-440 firewall → CBS350 switch (VLAN-segmented) → Pi 5 edge / R730 hypervisor / lab segment

Hardware

Hypervisor Host: Dell PowerEdge R730 (iDRAC7 Enterprise)
Storage: Samsung 870 EVO / Crucial MX500 (RAID 1)
Edge Honeypot: Raspberry Pi 5
L2 Switching: Cisco CBS350-28T
Firewall: Palo Alto PA-440
Wireless: Alfa AWUS036ACS
Power: CyberPower CP1500PFCLCD UPS

What it does

  • SIEM core: Wazuh (manager + indexer + dashboard) + Elastic Stack (Elasticsearch + Logstash + Kibana) on the R730 Proxmox hypervisor — ingesting Cowrie honeypot telemetry from the Pi 5 sensor and Suricata IDS alerts from the VPS ingress. Custom decoders, 10+ Sigma detection rules tuned against live attacker telemetry, MITRE ATT&CK coverage.
  • Multi-node Kubernetes (k3s): R730 as control plane + Pi 5 as worker node. Cowrie deployed as a pod with persistent volumes. Multi-environment GitOps target alongside AWS production.
  • Self-hosted services on Proxmox VMs: Pi-hole DNS sinkhole, internal Git, password manager, file sync, media platform — with monitoring and scheduled backups to RAID 1 storage.
  • Segmented network architecture: VLANs and trunking on the Cisco CBS350-28T; inter-zone security policies and Layer 7 inspection on the Palo Alto PA-440 between management, server, lab, and edge segments. Studied advanced PAN-OS features (App-ID, Threat Prevention, URL Filtering) via the Palo Alto NGFW Academy lab environment.
  • Wireless security testing on a dedicated lab SSID using the Alfa AWUS036ACS in monitor mode; remote management of the R730 via iDRAC (remote console, power cycling, OS-down recovery).
04 / 05 Skills

Stack and capabilities.

Cloud 13

AWS · Lambda · DynamoDB · API Gateway · CloudFront · S3 · IAM · ACM · CloudWatch · EventBridge · Bedrock · VPC · Cloudflare

Security 8

Wazuh SIEM · Elastic Stack (ELK) · Suricata IDS/IPS · Log analysis · Packet capture · Network security · Firewall policy · TLS/SSL

DevOps 9

GitHub Actions · CI/CD pipelines · GitOps · Kubernetes · k3s · Multi-node clusters · Container orchestration · IaC · Terraform

Networking 5

VLANs · ACLs · Managed switching · Next-gen firewalls (Palo Alto) · Routing

Infrastructure 7

Dell PowerEdge R730 · iDRAC out-of-band mgmt · Proxmox VE hypervisor · VM workloads · RAID 1 (PERC H730) · UPS-backed power (CyberPower) · Self-hosted services

Backend & Data 8

Python · Lambda · pytest · Serverless event-driven · Single-table design · REST · WebSocket APIs · Real-time fanout

Frontend 7

React · TypeScript · Vite · TanStack Query · Tailwind CSS · Recharts · Responsive SPA

Methodology 5

Agile/Scrum · Git · ADRs · Code review · Technical writing
Certifications
AWS Certified Solutions Architect — Associate
SAA-C03 · Amazon Web Services
CompTIA Security+
SY0-701 · CompTIA
Cisco Certified Network Associate (in progress)
CCNA · Cisco
05 / 05 Find me