u/FastBite4282

I’m a working SOC Analyst (~4-5 nights/week) applying for my next role with a focus on detection engineering and cloud SIEM work. Home lab is Proxmox on a ThinkCentre M920q, Microsoft Sentinel as the SIEM, Prelude Operator for adversary emulation, and KQL detections mapped to MITRE ATT&CK. SC-200 in progress.

Daily work covers alert triage, incident response, and the Microsoft security stack — Defender XDR, Azure Arc, Sentinel integration. I’m building a GitHub portfolio to show real executed work, not just architecture diagrams.

The question I’m trying to answer: At what point does portfolio work actually signal “detection engineer” vs. “analyst who’s read about detection engineering”?

Specifically trying to get input on:

• Is a library of custom KQL analytics rules with documented hypothesis → ATT&CK mapping → tuning notes enough depth, or does it need to be paired with emulation results?

• How much weight do interviewers put on purple team methodology vs. the detections themselves?

• Are Logic Apps / SOAR playbooks worth showcasing or largely ignored at the interview stage?

• What’s the project or write-up that actually changed how someone evaluated your candidacy?

I’ve got the fundamentals. Trying to figure out where to put the next 90 days of effort to make the portfolio do real work in interviews.

reddit.com
u/FastBite4282 — 25 days ago
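As an added illustration of the artifact the post describes (a KQL analytics rule carrying its hypothesis, ATT&CK mapping and tuning notes in one place), here is an example rule written for this page; it is not the poster's own code. It runs over the Microsoft Sentinel `SigninLogs` table (Entra ID sign-in data, with the real `ResultType`, `UserPrincipalName` and `IPAddress` columns); the 1h lookback and the 15-account threshold are assumed starting values to be tuned per tenant.

```kql
// Hypothesis: a password spray tries one or two passwords against many
// accounts from a single source, producing a burst of "invalid username or
// password" failures (ResultType 50126) across many distinct UPNs from one
// IP. A legitimate user who mistypes a password fails against one account.
// ATT&CK: T1110.003 Brute Force: Password Spraying (TA0006 Credential Access).
// Data source: SigninLogs (Microsoft Entra ID connector in Sentinel).
let lookback = 1h;                      // assumed; match the rule's query period
let distinctAccountThreshold = 15;      // assumed; raise for large tenants or shared NAT egress
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"       // invalid username or password
    | where isnotempty(IPAddress)
    | summarize FailedAccounts = dcount(UserPrincipalName),
                Attempts = count(),
                SampleTargets = make_set(UserPrincipalName, 5),
                FirstSeen = min(TimeGenerated),
                LastSeen = max(TimeGenerated)
              by IPAddress
    | where FailedAccounts >= distinctAccountThreshold;
// Enrichment: a success from the same IP inside the window means the spray
// likely landed, so escalate severity rather than creating a second alert.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SucceededAccounts = make_set(UserPrincipalName, 5) by IPAddress;
failures
| join kind=leftouter successes on IPAddress
| extend Severity = iff(coalesce(array_length(SucceededAccounts), 0) > 0, "High", "Medium")
| project-away IPAddress1
| order by FailedAccounts desc
// Tuning notes:
//  - Allow-list corporate egress / VPN NAT ranges: one public IP fronting
//    thousands of users will legitimately fail against many accounts.
//  - Do not fold in 50053 (account locked) or 53003 (blocked by Conditional
//    Access); they are downstream effects and deserve their own rules.
//  - Validation: a scripted spray from a lab host against test accounts should
//    trip the rule within one query period; record the emulation run, the
//    alert it produced and the false-positive rate before/after each change.
```

In a Sentinel analytics rule the `let` values double as the tuning knobs, and the `SampleTargets`, `FirstSeen` and `LastSeen` columns are what you map to entities and surface to the analyst; keeping the hypothesis and tuning history in the query header means the rule and its rationale travel together in the repo.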