SELECTED WORK

Signals surfaced, queues quieted

These anonymised case studies describe past detection engineering and SOC automation work for Canadian client organizations. Names and identifying details are withheld. Metrics reflect completed engagements — they are not promises of future performance. Every project included human-in-the-loop review and honest documentation of what AI threat detection could and could not achieve in each environment.

CASE 01 · CANADIAN FINTECH · ML ANOMALY DETECTION

When ten thousand benign logins hid one real wave

A Toronto-based fintech scale-up processed millions of authentication events daily. Their SIEM fired thousands of login-anomaly alerts weekly; analysts had stopped reading them. During a credential-stuffing campaign, the real intrusion sat in the noise for eleven days before a customer complaint surfaced it.

Cyber Synth AI ran a discovery phase mapping auth telemetry, then built a machine-learning detection pipeline trained on six months of labelled events. Behavioural analytics features captured velocity, geo-impossibility, and device-fingerprint drift. False-positive reduction tuning ran alongside three night-shift analysts who validated every proposed threshold.

After eight weeks, alert volume dropped by roughly 47% while detection coverage for confirmed stuffing patterns improved. SOAR automation enriched tier-one tickets with user context and risk scores. Human analysts retained approval authority on any account lockout. The client engaged us on a retainer for ongoing model retraining and SIEM content review.

Scope: ML threat detection, anomaly analytics, SOC automation, alert triage workflow design.
Outcome note: Results specific to this client's data quality and analyst participation — not a guarantee for other environments.

Detection engineering workshop with client security team in Toronto
Threat review session analysing detection coverage gaps on monitoring screens

CASE 02 · NATIONAL RETAILER · PHISHING DETECTION

The Friday campaign that slipped the filter

A national retailer with stores across Canada relied on a legacy email filter that had not kept pace with HTML-obfuscation techniques. A targeted phishing wave reached finance staff at 4:55 p.m. on a Friday — classic timing. Two employees clicked before the Monday incident review.

Our detection engineering sprint deployed a phishing detection classifier combining email metadata features, URL reputation signals, and a user-reporting feedback channel. Fraud detection logic flagged payment-redirect patterns specific to retail procurement workflows. Every auto-quarantine action required human analyst confirmation during a two-week calibration window.

Over the following quarter, reported phish detection time dropped from hours to minutes for campaigns matching trained patterns. The security team gained a documented alert triage flow and threat intelligence feeds integrated into their SIEM. We did not promise zero phish delivery — we gave analysts better signal and faster context.

Scope: Phishing detection model, fraud detection rules, SIEM integration, incident response enablement.
Duration: 10-week project + 6-month advisory retainer.

CASE 03 · HEALTHCARE SaaS · LLM SECURITY

Internal chatbot, external attack surface

A Canadian healthcare SaaS provider shipped an internal LLM assistant to help support staff query documentation. No guardrails, no monitoring, and a system prompt that would answer almost anything if asked nicely. Their CISO called us before external launch, not after a breach.

We conducted an AI/LLM model security review covering prompt-injection defence, output filtering, training-data exposure risks, and API authentication hardening. Adversarial testing included jailbreak attempts, data-exfiltration prompts, and role-confusion scenarios. MLSecOps deliverables included monitoring integration for anomalous query patterns and an incident response playbook for model-related events.

The assistant launched with layered guardrails and human review on any response touching patient-data categories. Vulnerability triage identified three configuration issues in the inference pipeline before production. The platform team received documentation for ongoing model security maintenance — not a one-time stamp of approval.

Scope: LLM security, prompt-injection defence, adversarial testing, guardrails, MLSecOps.
Outcome note: Model security reduces risk; it does not eliminate it. Human oversight remains mandatory.

CASE 04 · LOGISTICS ENTERPRISE · SOC AUTOMATION

SOAR playbooks that analysts actually used

An enterprise logistics company had purchased SOAR tooling eighteen months earlier. Playbook adoption sat below 20% because automation actions were too aggressive and alerts lacked context. Analysts bypassed the platform entirely.

Our SOC automation engineers rebuilt playbooks with explicit human-in-the-loop gates: enrichment ran automatically, containment required analyst approval, and every action logged to their SIEM for audit. We retired 34 noisy correlation rules and rebuilt 12 high-fidelity detections with documented false-positive rates. Threat intelligence feeds enriched alerts with campaign context.

Mean time to triage for tier-one alerts improved by an illustrative 38% over four months. Analyst satisfaction surveys — yes, we actually ran them — showed meaningful improvement in tool trust. The engagement continues on retainer for detection QA and quarterly adversarial testing of critical playbooks.

Scope: SIEM and SOAR tuning, SOC automation, detection engineering, threat intelligence integration.
Indicative investment: C$72,000 initial + C$9,500/month retainer.

Your alert queue has a story too

Share your detection challenges. We will tell you honestly what AI-assisted analysis can improve — and what requires organisational change beyond any model.

Book a detection review