Mohamed Ghayati

It all started with an obsession: understanding how attackers think. I spent hundreds of hours on HackTheBox (Hacker rank) and TryHackMe breaking machines, exploiting Active Directory, and learning offense through practice, long before it became my profession. This curiosity led me to a cybersecurity engineering program at INPT (one of the top engineering schools in Morocco), which I will complete in 2026.

But attacking was never enough for me – what interests me is transforming that offensive knowledge into defenses that actually work. This has been the common thread throughout my professional experiences.

During my cloud security internship at SEKERA, I worked on correlating Active Directory, Azure, and Office 365 telemetry, and on automating SOC operations. Then, during my PFE at PwC, I designed detections on Microsoft Sentinel: custom KQL rules, data connector integration, and especially automated SOAR playbooks (Logic Apps) to reduce incident response time – for example, approval workflows for GPO changes or detecting connections from unauthorized countries.

What sets me apart: I know both sides of the field. Certified CRTP (Altered Security) and SC-200, I master AD attack techniques and know how to write the detections that stop them. My detection rules are not theoretical – they are designed by someone who knows how the attack really unfolds.

What I can do for you:

Detection engineering Microsoft Sentinel (KQL rules, tuning, false positive reduction)

SOAR automation / Logic Apps playbooks

Azure / Entra ID configuration audit & hardening

Purple team approach: I simulate the attack, then build the detection

Available remotely. If you're looking for someone who secures your Microsoft environment with a real offensive eye, let's talk.