Thomas Haggath

Bournemouth, UK · Interdisciplinary programme combining technical IT security with forensic investigation, spanning ethical hacking and digital evidence handling - with collaborative study across the Law department. Modules included: Digital Forensics, Ethical Hacking & Countermeasures, Networking, Systems Design, Software Programming (Java, Python)

Currently studying:

Exploring malware analysis certification options, course TBD.

Security Incident Response SME: Awarded to engineers who demonstrated expertise in handling security events reported by customers within AWS Managed Services. Recognised for improving incident response consistency, developing proactive detection practices, and actively identifying potential security events in customer accounts before they escalated.

Patch Management SME: Awarded to engineers who led patch compliance efforts across AMS-managed customer fleets. In AMS, patch management involves OS and software patching across customer EC2 environments with full OS-level access, enabling deep kernel troubleshooting, root cause analysis, and hands-on remediation on behalf of customers. Recognised for identifying failure patterns across the fleet and building automation to apply fixes proactively at scale.

Monitoring Bar Raiser: Awarded to engineers who consistently raise the standard for observability. Worked directly with customers to tune CloudWatch alarms to fire on real issues, reducing alert fatigue and improving signal fidelity across managed environments.

AMS Builder Award: Awarded for building something above the bar within AWS Managed Services. Led the introduction of Landing Zone Accelerator support, a first for AMS, from initial technical deep-dive through to production-ready processes and runbooks.

Static personal resume site built with plain HTML, CSS, and vanilla JavaScript -- no frameworks, no build step, no npm. Features a mobile-responsive layout with dark/light theme toggle, scroll reveal animations, and a Formspree-backed contact form. Plausible Analytics provides privacy-respecting visitor insight without cookie consent requirements.

Security is enforced at the server level: Content Security Policy, HSTS, and X-Frame-Options headers are set in .htaccess, with SRI integrity hashes on all external scripts. Deployed via GitHub Actions CI/CD -- HTML is validated with vnu.jar on every push, then transferred to OVH shared hosting via FTP, with automatic Cloudflare cache purge and IndexNow search engine ping to complete each release.

A TypeScript CLI tool that automates the full recon pipeline for HackTheBox machines, running on Windows via a WSL bridge. A single command triggers four sequential phases: fast port discovery, full 65535-port nmap scan, service/script scan on discovered ports, and parallel service enumeration with nikto and gobuster for web targets and enum4linux for SMB -- producing a structured output directory per session.

Also includes full VPN lifecycle management: auto-detect and connect to .ovpn configs, download configs directly via the HTB API, and disconnect/status commands -- so the entire setup-to-recon workflow runs from one tool. Built as a proper npm-linked CLI with a commander entry point, modular tool wrappers, and a WSL shim to bridge Windows and Linux tooling.

A self-built security operations platform designed to address a real gap: meaningful, correlated visibility across AWS security services without a commercial SIEM licence. The platform aggregates findings from 12+ AWS services including GuardDuty, CloudTrail, Security Hub, Inspector, Macie, and AWS Config into a unified Flask dashboard with an AI-powered threat detection engine that applies pattern-based anomaly recognition across structured log sources.

Built to reflect the detection engineering workflow I use professionally: ingest from CloudTrail, correlate across services, surface high-confidence signals. Features an interactive CloudTrail event viewer and configurable detection rules. Deployed entirely via AWS-native CI/CD (CodePipeline, CodeBuild, CodeDeploy) with blue/green deployments, multi-AZ auto-scaling, and automated quality gates including Bandit static security analysis, the same pipeline hygiene I enforce in production environments.

Real-time network traffic capture and analysis tool with interactive topology graph visualisation. Displays live connections between hosts with IP-to-hostname resolution, protocol filtering (TCP, UDP, ICMP), and Berkeley Packet Filter support, similar to Wireshark with Armitage-style visualisation.

Python tooling to automate cross-compilation of Linux kernel modules and memory extraction tools, with Android Debug Bridge (ADB) integration for testing on rooted devices.

A standalone browser-based tool for analyzing email headers and body links for phishing indicators -- no server, no API keys, no install required. Drop a .eml file or paste raw headers to get a color-coded verdict with per-check breakdown covering SPF, DKIM, DMARC, Reply-To and Return-Path mismatches, display name spoofing, Message-ID validity, unusual hop counts, and suspicious URLs including IP hostnames, URL shorteners, punycode/IDN, and brand lookalikes.

Built as a single-page application running entirely in the browser with no external dependencies. Analysis logic is isolated in a standalone JavaScript module that also runs under Node.js, backed by 63 unit tests covering all detection functions. The scoring model -- calibrated across fail/warn signals -- surfaces Likely Legitimate, Suspicious, or Likely Phishing verdicts, mirroring the triage workflow used when assessing inbound mail in a SOC environment.

How Inspector decides what to scan, when findings open and close, and why its severity scores differ from raw CVSS.

How to use Amazon EventBridge rules to capture GuardDuty, Macie, and Security Hub events and automatically invoke Lambda, Step Functions, or SSM remediation workflows.

How AWS Security Hub normalises findings from GuardDuty, Macie, and 30+ integrations into ASFF — and what the severity normalisation scores actually mean for triage.

How to cut GuardDuty alert noise using suppression rules, trusted IP lists, and threat intel lists — with real-world finding type examples for AWS security teams.

How to reduce Amazon Macie alert noise using suppression rules, allow lists, and finding filters — practical examples for AWS security engineers managing S3 data findings.

Writing about AWS security, threat detection, and cloud defence. Topics include GuardDuty, CloudTrail analysis, detection engineering workflows, and CTF writeups.