Brian Snader / Practitioner

Security operations
and digital intelligence.
Hands on the keyboard.

I work in security operations day to day. The work involves OSINT investigations, alert tuning, playbook authoring, and ticket resolution across detection, identity, and email. I take consulting engagements in the same areas.

SOC · OSINT · Privacy posture · Houston, TX
[ 01 ] About

Practitioner first.
Not a firm.

I'm a security operations analyst. My day runs on alerts, endpoints, and identity inside a managed services environment. Before security I led a team of 30 in consumer technology. Different setting, same triage instincts.

My approach is direct and hands-on. I'd rather walk you through how a phishing header parses or why an alert fired than hand you a slide deck. Consulting sessions are working sessions, not presentations.

I work primarily with small and mid-sized organizations that want a practitioner's view without the overhead of a big-firm engagement. If you need to figure out whether your SOC tuning is reasonable or what a phishing payload is actually doing, that's the conversation.

[ 02 ] Experience
CURRENT
SOC / Tier 1–2
Managed Security Services

Security Operations Center Analyst

The work spans detection, response, identity, and email. My role supports small and mid-sized organizations through a managed services model.

Detection & Triage

A typical month brings 100+ events across endpoint, identity, network, and email queues. The hard part isn't the volume. It's deciding quickly whether each alert is a true positive worth chasing or a tuning problem worth fixing. After working with the IT teams I support to retune the noisy rules, false-positive volume on those rules dropped about 40%.

Phishing & Email Security

Phishing analysis follows the same path each time. Pull the headers, walk the SPF, DKIM, and DMARC chain, then evaluate the link or payload in a clean environment to determine what was delivered and to whom. The last step is writing a response that closes the ticket for the user and gives the IT team an artifact they can use later.
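The header walk described above, as an added example (not code from this page or its author): a small Python triage helper that reads the Authentication-Results header for the SPF, DKIM and DMARC verdicts, rebuilds the Received hop chain oldest-first, and flags failures and identifier misalignment against the From domain. The sample headers, hostnames and IP addresses are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample (headers only, not a real message); IPs are documentation ranges.
SAMPLE_HEADERS = """\
Received: from mail.internal.example (mail.internal.example [192.0.2.20])
    by mx.victim.example with ESMTPS; Tue, 4 Jun 2024 09:12:01 -0500
Received: from mta1.example-invoices.test (mta1.example-invoices.test [198.51.100.7])
    by mail.internal.example with ESMTP; Tue, 4 Jun 2024 09:11:59 -0500
Authentication-Results: mx.victim.example;
    spf=pass smtp.mailfrom=example-invoices.test;
    dkim=fail header.d=example-invoices.test;
    dmarc=fail (p=quarantine) header.from=bank.example
From: "Accounts" <alerts@bank.example>
Subject: Invoice overdue
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DOMAIN_RE = {"spf": re.compile(r"smtp\.mailfrom=([\w.-]+)"),
             "dkim": re.compile(r"header\.d=([\w.-]+)"),
             "dmarc": re.compile(r"header\.from=([\w.-]+)")}
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def parse_auth_results(msg):
    """Map each mechanism to (result, identifier domain it was evaluated against)."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    out = {}
    for mech, result in AUTH_RE.findall(text):
        m = DOMAIN_RE[mech].search(text)
        out[mech] = (result.lower(), m.group(1).lower() if m else None)
    return out

def received_chain(msg):
    """Hops as (sending host, IP), oldest first (each MTA prepends its Received header)."""
    hops = []
    for h in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(h))
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops

def triage(raw_headers):
    """Walk the SPF/DKIM/DMARC chain and list failures and alignment gaps."""
    msg = message_from_string(raw_headers, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = parse_auth_results(msg)
    findings = [f"{m} {r}" for m, (r, _) in auth.items() if r != "pass"]
    for mech in ("spf", "dkim"):  # DMARC alignment: identifier must match the From domain
        dom = auth.get(mech, (None, None))[1]
        if dom and dom != from_domain:
            findings.append(f"{mech} domain {dom} not aligned with From {from_domain}")
    return {"from_domain": from_domain, "auth": auth, "hops": received_chain(msg), "findings": findings}
```

Feed `triage()` the raw header block from a reported message; the `findings` list is the part that belongs in the ticket response and the artifact handed to the IT team.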

OSINT & Threat-Actor Research

When an investigation outgrows the SIEM, I move into a dedicated Linux VM and work the open-source angle. That includes infrastructure analysis, indicator collection, and attribution leads. The clean environment isn't about paranoia. It keeps me from contaminating evidence or burning sources by browsing from a logged-in workstation.

Endpoint & Identity

Endpoint protection is where most incidents start and most resolutions land. The work involves isolation, investigation, and remediation. Identity sits on the other side of the same conversation, covering access, conditional access posture, MFA enforcement, and the audit trail. I work both sides daily.

Knowledge & Playbooks

The SOCs that run well operate from playbooks the analysts actually use. I write the docs as I go, including investigation walkthroughs, tuning rationale, and customer-facing language for common incident types. Tier 1 and 2 customer satisfaction holds at A+ partly because the team isn't reinventing the wheel on every ticket.

PRIOR
Team Lead
Consumer Technology Retail

Team Lead

Four years leading a team of 30 in a high-volume consumer technology environment. The triage instincts I bring to security operations started in this role.

Floor Leadership

I led associates across daily operations, staffing, and customer flow. The job was less about top-down direction and more about giving the team the context, authority, and a clear escalation path to resolve issues on their own. People closest to a problem solve it fastest when they have what they need.

Customer Resolution

Most issues don't need to escalate. They need someone with patience and the right reference. I earned nearly 50 consecutive 5-star reviews in a single quarter using that approach. Closing the loop on every interaction matters more than being the strongest technician on the floor.

Training & Onboarding

I rebuilt onboarding to shorten ramp time and ran ongoing training as new tools and processes came in. The instinct I bring to security operations work started here. You solve a problem once, document it well, and make the next person's job easier.

[ 03 ] Tools & Stack
.01 SIEM / XDR
  • Stellar Cyber XDR
  • Splunk
  • Zoho Tickets
.02 Endpoint
  • SentinelOne
  • Microsoft Defender
  • Webroot
  • ThreatLocker
.03 Identity & Access
  • Microsoft Entra ID
  • Active Directory
  • VPNs
.04 Cloud & Productivity
  • Microsoft Azure
  • Microsoft 365
  • Google Workspace
.05 Email Security
  • INKY
  • MxToolbox
.06 Network & Monitoring
  • Meraki
  • Auvik
  • ScoutDNS
  • Datto RMM
  • CyberCNS
.07 OSINT & Investigation
  • Linux / Ubuntu VMs
  • Anti-Scam
  • Header & header-pair analysis
  • Threat-actor profiling
.08 Operating Systems
  • Linux
  • Windows
  • macOS
.09 AI Augmentation
  • ChatGPT
  • Claude
  • Microsoft Copilot
[ 04 ] Library / Field Notes

A working library of practitioner notes, walkthroughs, and reference material drawn from day-to-day work. Sections are scaffolded and long-form content is being added over time.

[ 05 ] Contact

Open a session.

Consulting sessions are scoped working calls. Most run 60 to 90 minutes; some turn into a short engagement. Tell me what you're trying to figure out and I'll come back with a fit, a price, and a calendar slot. If we're not the right match, I'll tell you that too.

linkedin · /in/brian-snader
base · houston, tx

Replies come from me, not an autoresponder.