▸senior detection & response engineer
Esteban
Castorena
▸professional impact
Professional Impact
Key contributions across detection engineering, AI automation, and security operations.
Integration Development, Automated
I write the spec and the loop; an agent system builds the integration end to end, from data source analysis to detection logic to SOC enablement. Work that took months now lands in hours
Vendor Detection Rules, Analyzed
An AI review framework reads vendor rule sets across every SIEM platform and flags what matters, with an auditable trail. Took an 8+ hour manual review to about 5 minutes; adopted org-wide
MITRE ATT&CK Mapping
Agents with distinct analytical biases evaluate each detection rule, debate, and converge on a mapping. Consistent, explainable coverage across the production rule set, refreshed daily
Automated Alert Enrichment
Every automated escalation ships with investigation context and a plain-language explanation of why it fired, cutting SOC rework cycles
Led delivery of 4 major integrations across endpoint/XDR, network, and email
Technical lead during critical incidents: restored identity signal coverage through a vendor API deprecation and managed a 3-week data replay with the SOC
▸featured projects
Featured Projects
Production-grade AI systems built from the ground up.
VividScripts.ai
Producing a narrated video from a story idea normally takes a team: a writer, a voice, an editor, an artist. VividScripts does the whole run in one shot. Sixteen specialized agents script the story, generate the imagery, narrate, score, and cut the final video, and every handoff between them is typed and validated so one bad step can't quietly ruin the result. Live in production on AWS.
Creel
Creel is an open-source AI security agent that learns your environment to catch attacks. Starting with email, Creel runs on your own machine and learns your inbox. It imports your mail history and builds a memory of who you talk to and what normal looks like for you. Checks the email contents to ensure what it says is true: is the sender who they say they are, do the links go where they pretend to, does the story fit what it knows about you. Free, open source, and your data never has to leave your machine. The approach isn't email-specific — it's built to reach past the inbox and integrate with other tools used to keep you secure. Grew out of the work started at Aquasafe Security in 2023.
▸about me
About Me
I've spent five years defending systems against intelligent adversaries - triaging thousands of incidents, building detection pipelines, and designing AI-powered automation that replaced months of manual work with minutes of orchestrated intelligence.
On my own time, I built VividScripts.ai, which turns a written story into a finished narrated video in a single run: sixteen agents handle scripting, imagery, narration, music, and the final cut, with typed, validated handoffs between every step. It runs in production on AWS.
Certifications
Education
BBA in Cyber Security
The University of Texas at San Antonio - 2021
Experience
Expel
2024 - PresentSenior Detection & Response Engineer
- •Designed AI orchestration system using Claude agents automating end-to-end integration development from data source analysis to detection logic and SOC enablement, reducing development time from months to minutes
- •Built AI-powered rule review framework automating vendor rule analysis across all SIEM platforms, reducing review time from 8+ hours to under 5 minutes while improving quality - adopted org-wide
- •Developed multi-agent Consensus Model for MITRE ATT&CK classification - agents with distinct analytical biases independently evaluate detection rules, debate, and converge on mappings across 2,000+ rules
- •Built GenAI context engine for automated alerts - enriches escalations with investigation context and plain-language explanations, enabling faster customer action and eliminating SOC rework cycles
- •Led delivery of 4 major integrations across network, endpoint/XDR, and email
- •Technical lead during critical incidents: restored identity signal coverage during vendor API deprecation, managed 3-week data replay coordinating with SOC
VividScripts.ai
Built with Claude CodeMulti-Agent Story-to-Video Pipeline
- •Architected a 16-step AI agent pipeline coordinating specialized agents through typed dataclass contracts and a blueprint cascade architecture that compresses story-level intelligence for downstream agents
- •Built LLM orchestration layer with unified dispatcher and 5-layer output sanitization for production reliability. Deployed to AWS with Terraform (48 resources), OIDC-based CI/CD with zero stored credentials
Aquasafe Security
Independent build · 2023 - 2024AI Email Security Inbox
- •Built an AI-driven phishing detection product integrating with Gmail and Microsoft - analyzes every inbound email in real-time, provides threat context, and ensures users review flagged messages safely
- •Engineered cloud infrastructure on AWS and GCP for real-time threat detection; developed Python automation scripts that reduced mean time to response from 30 minutes to under 1 minute
Reliaquest
2021 - 2023Senior Security Analyst - Incident Response
- •Threat detection, investigation, and response across enterprise environments serving Fortune 500 customers
▸ technical skills
