Kevin Hyun Woo Kim

Senior Threat Detection Engineer & Security Data Platform Architect

Building enterprise-scale security data platforms using data lakehouse architecture. Architecting ETL pipelines, detection analytics with PySpark and SQL, and ML-driven threat detection. Previously built detection engineering programs for multiple clients and architected complete corporate security stacks in FedRAMP environments.

Experience

Senior Threat Detection Engineer

Celonis · Nov 2024 - Present

Building an enterprise-scale security data platform using data lakehouse architecture to transform detection engineering capabilities. Owning the complete ETL pipeline for multi-source data ingestion and implementing detection analytics using PySpark and SQL with integrated ML capabilities for advanced threat detection.

  • Architecting scalable data lakehouse infrastructure for centralized security data processing and analytics
  • Developing high-performance ETL pipelines using PySpark for real-time and batch threat detection workloads
  • Building ML-driven detection models to enhance threat identification and reduce analyst workload
  • Creating SQL-based detection logic optimized for large-scale data processing environments

Threat Detection Engineer II

DeepSeas · Dec 2023 - Nov 2024 · Remote

Forward-deployed detection engineer embedded within client environments to mature detection engineering programs from the ground up. Established structured detection lifecycle frameworks enabling scalable content development and continuous improvement.

  • Designed and implemented detection-as-code pipelines using Sigma rules with automated validation via Atomic Red Team
  • Built Python-based tooling to streamline detection logic deployment, achieving measurable coverage improvement and reproducible, version-controlled detections
  • Conducted gap analyses and MITRE ATT&CK threat modeling to prioritize coverage areas and enhance operational readiness
  • Introduced Kanban workflows and structured communication channels across detection, threat intel, and incident response teams
  • Presented detection maturity metrics and roadmap updates to VPs and CISO, guiding strategic security decisions

Security Engineer (Founding Engineer)

Epirus · Apr 2021 - Dec 2023 · 2 yrs 9 mos · Torrance, CA (Hybrid)

First security team member at Epirus, architecting the entire corporate security program from zero to production. Built automation-driven security foundations for a fast-growing defense technology startup while supporting FedRAMP compliance efforts.

  • Architected complete corporate security stack including Microsoft Intune MDM, EDR, DLP, Conditional Access, and SIEM for 250+ employees and 400+ endpoints
  • Established Zero Trust framework unifying endpoint security, device compliance, and user access control across hybrid environments
  • Integrated multiple data sources and threat intelligence feeds into SIEM, achieving 85% true positive rate and 35% reduction in false positives through iterative tuning
  • Spearheaded R&D of security data-lake architecture using Microsoft Sentinel and Azure Data Lake Storage (ADLS) for advanced threat-hunting and Python/Jupyter analytics
  • Supported FedRAMP compliance by defining security controls, governance frameworks, and technical architecture meeting federal cloud security requirements

Objective

My focus is on building scalable security data platforms that empower organizations to detect and respond to threats more effectively. By leveraging data lakehouse architecture, advanced ETL pipelines, and machine learning capabilities, I aim to create detection engineering programs that scale with organizational growth while maintaining high fidelity and operational efficiency. I'm particularly passionate about bridging the gap between security operations and data engineering, enabling teams to harness the full potential of their security telemetry through automation, analytics, and ML-driven insights.

Projects

Sigma Rules Conversion Platform

Leveraging SigmAIQ to convert Sigma rules to any supported SIEM language, enabling detection-as-code practices across multiple platforms. Standardizing detection logic for vendor-agnostic threat detection at scale.


VirusTotal API Intelligence Script

Automated threat intelligence enrichment using VirusTotal APIs to classify URLs and domains across 70+ security engines. Categorizing threats as undetected, harmless, or malicious for rapid IOC validation.


Detection Engineering Lab

Built a comprehensive detection environment using DetectionLab to validate TTPs through Atomic Red Team simulations. Integrated Splunk, osquery, Windows Event Forwarding (WEF), and Sysmon for full-spectrum detection testing and tuning.

ML-Powered Malicious URL Analyzer

Developed a machine learning model using linear regression and multinomial Naive Bayes to predict malicious URLs. Trained on 60K samples with a count vectorizer and a TF-IDF vectorizer; visualized analytics using seaborn and matplotlib.
