The Hunter's Ledger
About Me
Joseph Harrison · SOC Operations Lead & Threat Intelligence Researcher
Background, credentials, and ways to connect.
Who I Am
Cybersecurity SOC Operations Lead specializing in threat hunting, detection engineering, DFIR, malware analysis, and reverse engineering — with experience leading large analyst teams and optimizing SOC operations across automation and intelligence workflows. I drive the full intelligence lifecycle from proactive threat development and CTI collaboration to executive-ready reporting, while building AI-driven capabilities including LLM agents, MCP servers, and automation platforms to scale security outcomes.

From this research I contribute directly to detection engineering — developing custom signatures and detection logic for client environments built from original malware analysis. My DFIR background runs alongside that, covering end-to-end incident response investigations, forensic artifact analysis, and scope and impact determination for large enterprise clients. Both disciplines feed into the reports on this site.

The Hunter's Ledger is where I publish the original research I conduct outside of client work — hands-on analysis turned into structured, actionable intelligence for the defender community.
Experience
Leading threat detection and response operations across large enterprise managed security accounts. Responsibilities span threat hunting, detection engineering, DFIR investigations, CTI collaboration, and AI/automation across a large multi-client practice. Detection engineering work includes building custom SIEM and EDR detection logic and signatures tailored to client environments, and directing end-to-end IR investigations to determine scope and impact. Original research and detection content from The Hunter's Ledger feeds directly into hunting operations and client-facing intelligence work.
Security modernization, system hardening, and compliance across IT and OT environments prior to moving into full-time cybersecurity operations.
Unit cybersecurity liaison responsible for triaging and escalating security incidents, administering access controls for classified operational systems, and enforcing least-privilege principles across a 100-person unit.
Certifications & Education
GIAC Certified Forensic Analyst (GCFA)
GIAC Certified Enterprise Incident Responder (GEIR) — In Progress

SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
SANS FOR608: Enterprise-Class Incident Response & Threat Hunting
M.S. Cybersecurity — American Public University System
B.S. Information Technology (Cybersecurity Concentration) — American Public University System
How This Site Is Built
Every report on this site starts with a self-hosted collection platform that scans adversary infrastructure every night — discovering malware on open directories across 65 known bulletproof hosting networks. What it finds is then processed through a purpose-built AI agent workflow: ten specialized agents, structured skill frameworks, automated quality gates, and human checkpoints — turning raw analysis into intelligence that is timely, evidence-based, and worth acting on.

Behind the Reports: How the Intelligence Is Produced →