Korea OSS Developer Contest
National IT Industry Promotion Agency (NIPA)
National open-source award for original contribution in security tooling.
Over a decade finding evil — now building agents that find it autonomously, and structurally cannot lie about what they found.
I work in the seam between incident response and automation — building agents that read forensic artifacts, correlate them against MITRE ATT&CK, and propose response actions a human can sign off on.
Day to day — detection engineering, host & network forensics, MCP tool design, vendor evaluation, and the unglamorous infrastructure work that makes any of it possible.
Working theory — most "AI for security" demos fail because they're prompt engineering with extra steps. The interesting problem is the architecture: tool boundaries, deterministic correlation, evidence chains, audit trails. Guardrails belong in the surface, not the system prompt.
Over a decade of doing this includes a co-authored book on packet-level attack analysis (Korea, 2019), a national OSS gold prize, a security-event correlation patent, and now a SANS hackathon entry that's also doubling as the baseline for an internal Agentic DFIR PoC.
From 24/365 SOC to bank-grade incident response to LINE CSIRT — since 2012
LY Corporation (LINE) · Tokyo, JP
Computer Security Incident Response for LINE's global services — threat detection, forensic triage, and response at internet scale. The team I watched and admired from the SOC side for years — now from the inside.
Information Security · KB Kookmin Bank
Part lead for incident response at one of Korea's largest banks — threat analysis, SOC operations, and response across domestic and overseas branches. Built the bank's first BGP / scrubbing-center DDoS defense (failover 180 min → 3 min), and stood up open-source network forensics (Arkime + ELK, ~1 PB) and a Suricata IDS that replaced 13 commercial sensors.
Security Office · Netmarble
Infrastructure & cloud security (AWS / GCP / Tencent) for a major global game publisher — SIEM / WAF / IDS build-outs, web-vuln assessment, and live incident analysis. Co-inventor on a filed patent for a security-event correlation apparatus (2018).
Service Security · NIT Service (Naver affiliate)
24/365 SOC monitoring — IDS pattern development, correlation rules, and packet-level analysis for LINE services. The packet fluency built here later became a published book.
Information Security · Hankyung iNet
Security-solution delivery & maintenance and Common Criteria (CC) certification work — vulnerability assessment and the documentation discipline behind certified products. Where it started.
DoubleS1405 · independent
Founded and run a long-running Korean infosec study community & lecture channel (DoubleS1405, since 2014), and authored Network Attack Packet Analysis (Freelec, 2019).
A book, six awards, one patent
Lead-author technical book · 2019
A practitioner's manual covering DDoS, web exploitation, malicious traffic analysis, wireless intrusion, system exploitation, and large-volume packet forensics. Written for SOC analysts and DFIR beginners stepping up.
Awards & recognition
Netmarble Corp.
Apparatus & method for correlation analysis of security events. Authored during infrastructure security tenure.
National Intelligence Service of Korea
Final round of the CCE National Cyber Defense Competition organized by the National Intelligence Service of Korea.
LINE Corp.
Vulnerability disclosure & remediation collaboration.
Financial Security Institute (FSI) · KB Kookmin Bank team
FIESTA 2020 financial-sector competition across forensics, malware, mobile, and web-hacking tracks.
Korea Internet & Security Agency · KB Kookmin Bank
Best-practice commendation (KISA Director's Award) in the national cyber crisis-response drill; covered in Korean press, 2019.
Six open-source projects, one currently shipping
evidence_root layout Agentic-DART consumes. Seeds chain-of-custody with manifest 1.2, SHA-256 index, and source-member provenance; collision-safe for flat evidence layouts. (Python · stdlib · MIT)

mac-artifact-collector (archived) · 2026
Single-file zero-dependency macOS DFIR collector. Supply-chain IOC sweeps ported into agentic-dart as cross-platform MCP functions. (Bash · Zsh)

mac-forensics-platform (archived) · 2026
Flask-based macOS DFIR web platform. Paused for post-SANS repositioning as the Agentic-DART web UI — reading findings.json + audit.jsonl from an Agentic-DART run and rendering them in the browser. (Python · Flask)

gendfir-rag (archived) · 2024
Unofficial replication of Loumachi, Ghanem & Ferrag (2024) — RAG + LLM pipeline for DFIR timeline analysis. Superseded by agentic-dart; kept as a reference artifact. (Python · LLM · RAG)

GitNote · ongoing
Curated long-running ledger of InfoSec & CS notes. (Notes)

Juwon1405 · 2026
GitHub profile config — landing README, pinned repos. (Markdown)
Stable release. A typed, read-only MCP toolset (native Python + SIFT adapters). Ground-truth-scored case studies including external slots for NIST CFReDS, Ali Hadi, and Digital Corpora M57. New hardening: schema-validated MCP calls, Plaso derived-storage isolation, a tiered case layout, and the run_eval.py CLI.
self-evaluation/case-01 baseline: recall 1.000, FPR 0.000, hallucination 0. External tier via python3 run_eval.py --case external-evaluation/case-01 --download.
Phase 1.3 collector-adapter shipped alongside. Final QA + Devpost form before the deadline.
Open to conversations on DFIR automation, agentic SOC, MCP tool design, and replication studies.