Over a decade finding evil — now building agents that find it autonomously, and structurally cannot lie about what they found.
I work in the seam between incident response and automation — building agents that read forensic artifacts, correlate them against MITRE ATT&CK, and propose response actions a human can sign off on.
Day to day — detection engineering, host & network forensics, MCP tool design, vendor evaluation, and the unglamorous infrastructure work that makes any of it possible.
Working theory — most "AI for security" demos fail because they're prompt engineering with extra steps. The interesting problem is the architecture: tool boundaries, deterministic correlation, evidence chains, audit trails. Guardrails belong in the surface, not the system prompt.
More than a decade of this work has produced a co-authored book on packet-level attack analysis (Korea, 2019), a national OSS gold prize, a security-event correlation patent, and now a SANS hackathon entry that also doubles as the baseline for an internal Agentic DFIR PoC.
A book, four awards, one patent
Lead-author technical book · 2019
A practitioner's manual covering DDoS, web exploitation, malicious traffic analysis, wireless intrusion, system exploitation, and large-volume packet forensics. Written for SOC analysts and DFIR beginners stepping up.
Awards & recognition
Korea OSS Developer Contest · National IT Industry Promotion Agency (NIPA)
National open-source award for original contribution in security tooling.
Netmarble Corp. · Patent
Apparatus & method for correlation analysis of security events. Authored during an infrastructure-security tenure there.
National Intelligence Service of Korea
Final round of the CCE National Cyber Defense Competition organized by the National Intelligence Service of Korea.
LINE Corp.
Vulnerability disclosure & remediation collaboration.
Six open-source projects, one currently shipping
evidence_root layout Agentic-DART consumes. Seeds chain-of-custody (manifest.json + SHA-256 index). Full test suite passes on CI, Linux + macOS × py3.10/11/12.
Python · stdlib · MIT
2026 · mac-artifact-collector (Archived)
Single-file, zero-dependency macOS DFIR collector. Supply-chain IOC sweeps ported into agentic-dart as cross-platform MCP functions.
Bash · Zsh
2026 · mac-forensics-platform (Archived)
Flask-based macOS DFIR web platform. Paused for post-SANS repositioning as the Agentic-DART web UI: reading findings.json + audit.jsonl from an Agentic-DART run and rendering them in the browser.
Python · Flask
2024 · gendfir-rag (Archived)
Unofficial replication of Loumachi, Ghanem & Ferrag (2024): a RAG + LLM pipeline for DFIR timeline analysis. Superseded by agentic-dart; kept as a reference artifact.
Python · LLM · RAG
ongoing · GitNote
Curated long-running ledger of InfoSec & CS notes.
Notes
2026 · Juwon1405
GitHub profile config: landing README, pinned repos.
Markdown
v0.6.0 live. Typed read-only MCP surface — native pure-Python forensic functions (now including cross-platform supply-chain IOC sweeps ported from mac-artifact-collector 📦) plus SIFT Workstation tool adapters. Full test suite passing on a fresh clone, audit-chained reasoning loop.
Three evaluation tiers now in: synthetic reference, noise-injected realistic at ~1:30 IOC-to-benign, and the NIST CFReDS Hacking Case external benchmark (recall 0.10/0.40 → 0.50/0.80 after parse_registry_hive shipped).
Phase 1.3 deliverable collector-adapter shipped alongside (Velociraptor ZIP → evidence_root glue). Remaining before the deadline: final QA, demo recording, and the Devpost form.
Open to conversations on DFIR automation, agentic SOC, MCP tool design, and replication studies.