Work with UMBRASEC.

Independent, defensive security help for small and mid-sized teams - detection engineering, Microsoft 365 and cloud hardening, threat-informed advisory, and incident-response support. You're not hiring a faceless firm; you're hiring the person behind the research on this site, which you can read and check before you ever send an email.

Straight about where this is. UMBRASEC is a new, independent practice run by one practitioner with years in defensive security. There's no inflated client list or team-of-fifty pitch here, because that would be a lie. What there is: published, sourced work you can evaluate today, a strictly defensive scope, and engagements scoped honestly to what one experienced person can do well.

Detection engineering

Build and tune detections that actually fire on real techniques - Sigma, KQL (Sentinel / Defender), and Splunk - mapped to MITRE ATT&CK, with documented false-positive profiles so they survive contact with your environment.

  • New rule development against priority techniques
  • Tuning & false-positive reduction for noisy alerts
  • Detection coverage gap analysis (ATT&CK-mapped)

M365 & cloud hardening reviews

A focused review of your Microsoft 365 / Entra ID and cloud posture - the high-leverage settings that quietly decide whether an attacker walks in. Concrete, prioritized findings, not a 200-page PDF nobody reads.

  • Entra ID consent, conditional access & admin-role review
  • Logging & audit coverage gaps for detection
  • Prioritized remediation you can actually action

Threat-informed advisory

For teams with no in-house security lead: ongoing, plain-English advisory. What's actually relevant to your stack, what to prioritize next, and a sane detection roadmap - available as a light retainer.

  • Threat briefings tailored to your environment
  • Detection & hardening roadmap
  • "Ask the security person" retainer hours

Incident-response support

Suspected compromise and need a calm, experienced second pair of eyes? Triage, scoping, log analysis, and guided containment/recovery for cloud and identity incidents.

  • Triage & scoping of identity / M365 incidents
  • Log analysis & attacker-activity reconstruction
  • Guided containment, recovery & lessons-learned

Note: solo practice - for guaranteed 24/7 retained IR, a larger firm is the right call. Honest about that.

Simple, scoped, honest.

01
Scope

A short call to understand the problem and whether I'm genuinely the right fit. If I'm not, I'll say so.

02
Quote

A written, fixed scope with clear deliverables and a price for that work. No surprise hourly creep.

03
Deliver

Work delivered with artifacts you keep - rules, findings, runbooks - and a walkthrough so your team can own it.

PRICING

Scoped per engagement - every problem is a different size, so pricing follows the agreed scope rather than a sticker on the wall. You'll always have the number in writing before any work starts.

SCOPE

Defensive only - detection, hardening, analysis, and response. No offensive engagements, no red-team or exploit work. That boundary is deliberate and it doesn't move.

Let's talk.

Tell me what you're dealing with - a noisy SIEM, an M365 tenant nobody's reviewed, a roadmap you need a second opinion on, or an incident in progress - and drop me a line.