About Me
A brief introduction to who I am and what drives my work.
I'm a Senior Threat Researcher at Trend Micro, working with the Philippines Threat Hunting Team. My work sits at the intersection of three areas: deep-dive threat research, operational automation, and knowledge transfer.
On the research side, I track ransomware families and APT groups, analyze their evolving tradecraft, and publish findings that help defenders worldwide. I've documented everything from novel EDR evasion techniques to cross-platform ransomware targeting critical infrastructure.
Beyond research and building, I train defenders internationally — from government agencies in Japan and Oman to online sessions with INTERPOL. Sharing knowledge is how we collectively raise the bar against adversaries.
What I'm Doing
Threat Research
Deep-dive analysis of ransomware families, APT campaigns, and adversary tooling. Published findings on Trend Micro research blog.
Security Automation
Building AI-powered tools that multiply team capability — inquiry pipelines, threat intel platforms, report generators.
International Training
Training government agencies and law enforcement across Asia, the Middle East, and online for INTERPOL.
Tool Development
10+ production tools used daily — from MCP servers and AI pipelines to desktop applications and Confluence integrations.
Experience
Senior Threat Researcher
Trend Micro
Leading ransomware research, publishing threat intelligence, building automation, training international defenders
Threat Analyst
Trend Micro
Threat hunting, inquiry processing, IOC enrichment, SPOT reporting
Published Research
Threat research published on Trend Micro's research blog. Much of my work is internal threat intelligence under TLP:AMBER.
Unmasking The Gentlemen Ransomware
Analysis of a new ransomware group with adaptive defense evasion — custom-patching anti-AV tools mid-attack based on target recon.
New LockBit 5.0 Targets Windows, Linux, ESXi
Technical analysis of LockBit 5.0 — cross-platform ransomware with heavy obfuscation, anti-analysis, and geopolitical safeguards.
New Ransomware Charon Uses Earth Baxia APT Techniques
Discovered Charon ransomware using APT-grade techniques — DLL sideloading via Edge.exe, hybrid Curve25519/ChaCha20 encryption.
Revisiting UNC3886 Tactics
Revisiting the tactics of UNC3886, a China-nexus threat actor targeting network edge devices and virtualization infrastructure.
CrazyHunter Targets Taiwanese Critical Sectors
Identified CrazyHunter targeting Taiwanese healthcare and education using 80% open-source tooling and BYOVD attacks.
PureRAT via Foxit PDF DLL Side-loading
Uncovered PureRAT targeting job seekers using renamed Foxit PDF Reader for DLL side-loading and Python-based shellcode loaders.
EDRSilencer Disrupting Endpoint Security
First to document EDRSilencer weaponized in the wild — a red team tool using Windows Filtering Platform to blind EDR solutions.
Multistage RA World Ransomware
Analyzed RA World using GPO-distributed payloads, Safe Mode abuse for defense evasion, and Babuk-derived encryption.
Tools & Automation
Production systems used daily by our threat hunting team — not side projects, operational infrastructure.
TITAs
Threat Inquiries Triage & Automation
AI-powered 9-phase pipeline automating the entire threat inquiry lifecycle: intake, OSINT, IOC enrichment, response generation, visual creation, and documentation publishing.
Skadi
Threat Intelligence Platform
Full-featured Streamlit platform for threat analysis, URL reputation lookups, AI-powered intelligence assessment, and automated Confluence documentation.
SPOT Report Engine
Automated Report Generation
AI agent system that transforms raw threat intelligence into structured SPOT reports and publication-ready blog articles with auto-redaction.
Confluence Tools Suite
13+ Automation Tools
Collection of 13+ tools for RAG-powered report generation, malware-as-a-service analysis, PowerPoint analysis, AI chatbot, BEC investigation, and log analysis.
OpenCTI MCP Server
Threat Intelligence Integration
Model Context Protocol server connecting AI assistants directly to OpenCTI threat intelligence platform for natural language queries against indicators and campaigns.
Claude Code Desktop
AI Development Environment
Desktop GUI wrapping Claude CLI with autonomous pipeline orchestration, multi-model routing across 70+ models from 5 providers, and SQLite-backed sessions.
Every tool here was born from a real workflow pain point. Together they save our team hundreds of hours per month on inquiry processing, report generation, and threat enrichment.
Speaking & Training
International cybersecurity trainer for government agencies and law enforcement. I don't just find threats — I teach others how to defend against them.
Advanced Threat Defense & Malware Analysis
Training
Government Agency — Japan
Multi-day hands-on training covering advanced persistent threats, malware analysis techniques, and enterprise defense strategies.
Cybersecurity Training for Government
Training
Government Agency — Oman
Cybersecurity training program covering threat detection, incident response, and security operations for government personnel.
Cybersecurity Training Program
Training
INTERPOL — Online
Online training sessions with INTERPOL on cybersecurity techniques, threat intelligence sharing, and cross-border cyber investigation.
Cybersecurity Conference Presentations
Speaker
Various Conferences — Multiple
Speaking engagements at cybersecurity conferences covering ransomware trends, threat hunting methodologies, and adversary tradecraft.
Training delivered across Asia, Middle East, and online for international law enforcement