
Esteban Castorena
Detection & Response Engineer building production AI agent systems
Senior D&R Engineer at Expel, building AI systems that automate security operations at scale. Creator of VividScripts.ai - a 16-step multi-agent pipeline deployed on AWS.
Professional Impact
Key contributions across detection engineering, AI automation, and security operations.
Dev Time Reduction - AI orchestration system automating end-to-end security integration development, from data source analysis to detection logic and SOC enablement
AI Tools Shipped - Multi-agent consensus system, GenAI alert enrichment engine, and AI-powered rule review, all adopted org-wide
Incidents Triaged - 24/7 SOC across Fortune 1000 clients with 45-min average MTTR
Rule Review Speedup - AI-powered analysis reduced vendor rule review from 8+ hours to under 5 minutes per set
Built a multi-agent Consensus Model where AI agents with distinct analytical biases independently evaluate detection rules, then debate and converge on MITRE ATT&CK classifications - more accurate than single-model approaches across 2,000+ rules
Delivered 4 major integrations across endpoint, network, email, and SIEM technology classes
Featured Projects
Production-grade AI systems built from the ground up.
VividScripts.ai
16-step AI agent pipeline coordinating specialized agents through typed dataclass contracts and a blueprint cascade architecture. LLM orchestration layer with unified dispatcher and 5-layer output sanitization for production reliability. Deployed to AWS with Terraform (48 resources), OIDC-based CI/CD with zero stored credentials.
AI-Driven Email Security Analyzer
Automated phishing detection and incident response system using open-source LLMs. Performs deep attachment analysis including VBA macros and QR trap detection, with automated incident response via custom runbooks. Cross-platform support for Gmail and Outlook.
Technical Writing
Writing about multi-agent systems, detection engineering, and AI safety.
What Detection Engineering Taught Me About AI Safety
The same instincts that help detect threats and build resilient security systems are what AI needs as it scales - monitoring, red teaming, understanding failure modes, and building defenses before they're needed.
The Consensus Model - Multi-Agent Debate
How multiple AI agents with distinct analytical biases independently evaluate detection rules, then debate and converge on MITRE ATT&CK classifications.
Building a Multi-Agent Pipeline
How I architected a 16-step AI agent pipeline with blueprint cascade architecture, typed dataclass contracts, and production-grade error recovery.
About Me
I've spent five years defending systems against intelligent adversaries - triaging thousands of incidents, building detection pipelines, and designing AI-powered automation that replaced months of manual work with minutes of orchestrated intelligence.
On my own time, I built VividScripts.ai, a 16-step multi-agent pipeline that coordinates LLMs, image generators, TTS engines, and sound design tools - prototyped in n8n, rebuilt in Python, and deployed on AWS with Terraform and CI/CD. It's not a demo. It's a shipped product.
I see AI safety through the lens of an adversarial thinker. The same instincts that help me detect threats and build resilient security systems are what AI needs as it scales - monitoring, red teaming, understanding failure modes, and building defenses before they're needed.
Certifications
Education
BBA in Cyber Security
The University of Texas at San Antonio - 2021
Experience
Expel
Senior Detection & Response Engineer
2024 - Present
- Designed AI orchestration system using Claude agents automating end-to-end integration development from data source analysis to detection logic and SOC enablement, reducing development time from months to minutes
- Built AI-powered rule review framework automating vendor rule analysis across all SIEM platforms, reducing review time from 8+ hours to under 5 minutes while improving quality - adopted org-wide
- Developed multi-agent Consensus Model for MITRE ATT&CK classification - agents with distinct analytical biases independently evaluate detection rules, debate, and converge on mappings across 2,000+ rules
- Built GenAI context engine for automated alerts - enriches escalations with investigation context and plain-language explanations, enabling faster customer action and eliminating SOC rework cycles
- Led delivery of 4 major integrations across network, endpoint/XDR, and email
- Technical lead during critical incidents: restored identity signal coverage during vendor API deprecation, managed 3-week data replay coordinating with SOC
VividScripts.ai
Multi-Agent Story-to-Video Pipeline
Built with Claude Code
- Architected a 16-step AI agent pipeline coordinating specialized agents through typed dataclass contracts and a blueprint cascade architecture that compresses story-level intelligence for downstream agents
- Built LLM orchestration layer with unified dispatcher and 5-layer output sanitization for production reliability. Deployed to AWS with Terraform (48 resources), OIDC-based CI/CD with zero stored credentials
Aquasafe Security
AI Email Security Inbox
Founded 2023
- Built an AI-driven phishing detection product integrating with Gmail and Microsoft - analyzes every inbound email in real time, provides threat context, and ensures users review flagged messages safely
- Engineered cloud infrastructure on AWS and GCP for real-time threat detection; developed Python automation scripts that reduced mean time to response from 30 minutes to under 1 minute
Reliaquest
Senior Security Analyst - Incident Response
2021 - 2023
- Threat detection, investigation, and response across enterprise environments serving Fortune 500 customers