senior detection & response engineer

Esteban
Castorena

5+ yrs
detection & response
months → hours
integration builds, spec-driven agents
8h → 5 min
rule review, multi-model AI

professional impact

Professional Impact

Key contributions across detection engineering, AI automation, and security operations.

Spec-Driven Agents

Integration Development, Automated

I write the spec and the loop; an agent system builds the integration end to end, from data source analysis to detection logic to SOC enablement. Work that took months now lands in hours

Multi-Model Review

Vendor Detection Rules, Analyzed

An AI review framework reads vendor rule sets across every SIEM platform and flags what matters, with an auditable trail. Took an 8+ hour manual review to about 5 minutes; adopted org-wide

Agent Consensus

MITRE ATT&CK Mapping

Agents with distinct analytical biases evaluate each detection rule, debate, and converge on a mapping. Consistent, explainable coverage across the production rule set, refreshed daily

LLM Context Engine

Automated Alert Enrichment

Every automated escalation ships with investigation context and a plain-language explanation of why it fired, cutting SOC rework cycles

Led delivery of 4 major integrations across endpoint/XDR, network, and email

Technical lead during critical incidents: restored identity signal coverage through a vendor API deprecation and managed a 3-week data replay with the SOC

featured projects

Featured Projects

Production-grade AI systems built from the ground up.

VividScripts.ai

Producing a narrated video from a story idea normally takes a team: a writer, a voice, an editor, an artist. VividScripts does the whole run in one shot. Sixteen specialized agents script the story, generate the imagery, narrate, score, and cut the final video, and every handoff between them is typed and validated so one bad step can't quietly ruin the result. Live in production on AWS.

16
Agent Steps
48
Terraform Resources
Live
Status
PythonMulti-AgentProvider-Agnostic LLMTerraformAWS ECSSPOT InstancesOIDC CI/CD

Creel

Creel is an open-source AI security agent that learns your environment to catch attacks. Starting with email, Creel runs on your own machine and learns your inbox. It imports your mail history and builds a memory of who you talk to and what normal looks like for you. Checks the email contents to ensure what it says is true: is the sender who they say they are, do the links go where they pretend to, does the story fit what it knows about you. Free, open source, and your data never has to leave your machine. The approach isn't email-specific — it's built to reach past the inbox and integrate with other tools used to keep you secure. Grew out of the work started at Aquasafe Security in 2023.

Receipts
Every Verdict
Stays Local
Your Mail
Bring Your Own
LLM
PythonIMAPClaims VerificationGround-Truth AdaptersLiving MemoryEval Harness

about me

About Me

I've spent five years defending systems against intelligent adversaries - triaging thousands of incidents, building detection pipelines, and designing AI-powered automation that replaced months of manual work with minutes of orchestrated intelligence.

On my own time, I built VividScripts.ai, which turns a written story into a finished narrated video in a single run: sixteen agents handle scripting, imagery, narration, music, and the final cut, with typed, validated handoffs between every step. It runs in production on AWS.

Certifications

eCPPTv2eJPTSplunk Core Power UserCompTIA Security+

Education

BBA in Cyber Security
The University of Texas at San Antonio - 2021

Experience

Expel

2024 - Present

Senior Detection & Response Engineer

  • Designed AI orchestration system using Claude agents automating end-to-end integration development from data source analysis to detection logic and SOC enablement, reducing development time from months to minutes
  • Built AI-powered rule review framework automating vendor rule analysis across all SIEM platforms, reducing review time from 8+ hours to under 5 minutes while improving quality - adopted org-wide
  • Developed multi-agent Consensus Model for MITRE ATT&CK classification - agents with distinct analytical biases independently evaluate detection rules, debate, and converge on mappings across 2,000+ rules
  • Built GenAI context engine for automated alerts - enriches escalations with investigation context and plain-language explanations, enabling faster customer action and eliminating SOC rework cycles
  • Led delivery of 4 major integrations across network, endpoint/XDR, and email
  • Technical lead during critical incidents: restored identity signal coverage during vendor API deprecation, managed 3-week data replay coordinating with SOC

VividScripts.ai

Built with Claude Code

Multi-Agent Story-to-Video Pipeline

  • Architected a 16-step AI agent pipeline coordinating specialized agents through typed dataclass contracts and a blueprint cascade architecture that compresses story-level intelligence for downstream agents
  • Built LLM orchestration layer with unified dispatcher and 5-layer output sanitization for production reliability. Deployed to AWS with Terraform (48 resources), OIDC-based CI/CD with zero stored credentials

Aquasafe Security

Independent build · 2023 - 2024

AI Email Security Inbox

  • Built an AI-driven phishing detection product integrating with Gmail and Microsoft - analyzes every inbound email in real-time, provides threat context, and ensures users review flagged messages safely
  • Engineered cloud infrastructure on AWS and GCP for real-time threat detection; developed Python automation scripts that reduced mean time to response from 30 minutes to under 1 minute

Reliaquest

2021 - 2023

Senior Security Analyst - Incident Response

  • Threat detection, investigation, and response across enterprise environments serving Fortune 500 customers

technical skills

Technical Skills

AI / ML

Claude APIMulti-Agent OrchestrationPrompt EngineeringConsensus Model DesignProvider-Agnostic LLM AbstractionWorkflow Automation (n8n)

Languages

PythonSQL (BigQuery, KQL, SPL)

Cloud & Infrastructure

AWS (ECS, S3, CloudFront, GovCloud)GCPTerraformGitHub Actions (OIDC)Docker

Security

Detection EngineeringIncident ResponseMITRE ATT&CKThreat ModelingSIEM (Splunk, Sentinel, Datadog)DLPXDR