The Context

Security research inside a cloud SIEM company is most useful when it reflects real deployment patterns. Devo's customer and MSSP environments provided a practical window into SOC maturity, cloud detection growth, taxonomy gaps, and architecture debt.

The Challenge

The challenge was extracting public research from private operational reality. The work needed to identify patterns without exposing customers, and it needed to be useful to practitioners rather than sounding like product marketing.

What I Did

• •Analyzed hundreds of enterprise and MSSP SIEM deployments to identify recurring architecture, taxonomy, detection, onboarding, and maturity patterns
• •Converted deployment observations into research themes that could support conference submissions and public security narratives
• •Connected Devo architecture innovation work to broader SOC modernization questions around ingestion, normalization, detection content, cloud telemetry, and analyst workflow
• •Standardized language around SIEM maturity so customer reality could be compared across deployments without exposing customer-specific details
• •Used detection taxonomy and Exchange validation work to identify where detection content was usable, confusing, duplicative, weakly mapped, or operationally hard to adopt
• •Developed research narratives around cloud-native detections, cloud controls, attacker motives, SOC maturity, and evolving detection-engineering requirements
• •Translated technical findings into conference-ready talks, abstracts, speaker narratives, and public thought leadership
• •Balanced product relevance with research credibility by grounding claims in deployment patterns rather than unsupported marketing language
• •Worked across security research, architecture, product, customer-facing, and conference contexts to align findings with practical value
• •Built reusable research concepts that connected SIEM architecture, cloud security, detection engineering, and AI-augmented threat response
• •Used public-facing research to strengthen Devo's credibility while also creating useful guidance for SOC teams and security leaders

The Outcome

The program showed how architecture work, customer deployment analysis, and detection engineering can become credible public security research. It strengthened David's position as a security researcher who can convert messy SOC reality into useful market-facing insight.

Key Deliverables

• •Security research program contributions
• •Conference research narratives
• •RSA-oriented research support
• •Infosecurity Europe-oriented research support
• •CloudNativeSecurityCon research support
• •SIEM maturity findings
• •Cloud detection research narratives
• •Detection taxonomy and architecture research framing
• •Customer deployment pattern analysis
• •Public speaker and thought-leadership material
• •Architecture innovation to research translation model
• •Public-safe portfolio case-study JSON