curriculum vitae

Ryan Monaghan

Lead, Security Operations & Incident Response

Cork, Ireland

contact
experience
2K

One Park Place, Dublin

Lead, Security Operations & Incident Response

June 2025 – Present
  • Led technical investigation and containment of high-severity security incidents across cloud, on-prem, and hybrid environments.
  • Performed advanced incident analysis including malware reverse analysis, packet-level network analysis, and host-based forensic investigations to reconstruct attack timelines.
  • Acted as incident commander for high-profile incidents, coordinating response efforts and directing analysts through containment, eradication, and recovery phases.
  • Conducted post-incident reviews and root cause analyses, driving corrective actions to prevent recurrence and improve security resilience.
  • Contributed to the continuous improvement of the Incident Response Plan, playbooks, and operational procedures.
  • Worked closely with SOC and Security Engineering teams to design, tune, and deploy new detection rules based on real-world incident findings.
  • Developed and refined SIEM detections and correlation logic to increase visibility into attacker behavior across environments.
  • Designed and implemented bespoke AWS Lambda functions to ingest, normalize, and forward security telemetry from disparate log sources into SIEM platforms.

Senior, Security Operations & Incident Response

Oct 2022 – Jun 2025 · 2 yrs 9 mos
  • Lead technical analysis and resolution of security-related incidents, including malware analysis, packet-level analysis, and system-level forensic analysis.
  • Respond to incidents in cloud, on-prem, and hybrid environments.
  • Coordinate incident response efforts and provide timely updates on incident status with internal partners, including IT teams, business units, and senior management.
  • Conduct post-incident reviews and root cause analyses to identify areas of opportunity and ensure that similar incidents are prevented in the future.
  • Work closely with the Security Operations Center (SOC), and Security Engineering teams to build new tailored security detections.
  • Act as a critical issue point for level I and II Analysts.
  • Assess and enhance incident response plans, log monitoring, mitigation, and recovery strategies.
  • Provide recommendations to automated Security Orchestration and Response workflows to upgrade our organization's security posture.

Security Operations & Incident Response

Nov 2021 – Oct 2022 · 1 yr
  • Monitor and respond to security incidents across cloud, on-prem, and hybrid environments.
  • Perform technical analysis of security events including malware analysis, packet-level analysis, and system-level forensic analysis.
  • Coordinate incident response efforts and provide timely updates on incident status with internal partners.
  • Conduct post-incident reviews and root cause analyses to identify areas of opportunity.
  • Work closely with the Security Operations Center (SOC) and Security Engineering teams to build new tailored security detections.
Blizzard Entertainment

Blackpool, Co. Cork · 1 yr 4 mos

Security Operations & Incident Response

Apr 2020 – Jul 2021 · 1 yr 4 mos
  • Monitor Blizzard's networks for potential security risks or anomalies.
  • Act as a scribe during security incidents; document incident response activities, coordinate internal communication, and assist with escalation procedures.
  • Provide customer support for security-related customer issues; route security requests throughout the global security team or to other departments, as appropriate.
  • Create and tune security alerts in Blizzard's SIEM.
  • Create and update SOC documentation, including runbooks and standard operating procedures.
  • Generate periodic and ad hoc reports on security metrics.
  • Support local security awareness activities (e.g. new hire training, security bulletin distribution).
  • Mentor junior SOC analysts; assist with workload balancing, issue resolution, and review their work.
  • Tines SOAR Automation and Playbooks creation.
eSentire

Ballincollig, Co. Cork · 2 yrs 3 mos

SOC Analyst II

Nov 2019 – Mar 2020 · 5 mos
  • SOC Auditing & Quality Assurance — monitor security incidents to ensure accuracy, and identify potential missed events.
  • Facilitating quality improvement projects pertaining to SOC optimization, identifying and reducing noisy rules, and implementing auto-notifications. Aid in developing SOC tools to automate portions of analysts' common workload.
  • Aid in the research and creation of runbooks and dashboards for esLOG+ and Sumo Logic investigations for log feeds such as AWS, Azure, O365, etc.
  • Perform Shift Lead duties when required, acting as main point of contact for SOC Analysts.
  • Participate in internal User Acceptance Testing (UAT), and provide feedback on internal tools prior to pushing to production.

SOC Analyst

Jan 2018 – Nov 2019 · 1 yr 11 mos
  • Monitor client networks for security incidents using packet-level analysis tools. Identify exploit tool/kit, phishing, brute force, scan and social engineering attempts.
  • Communicate security incidents to clients through accurate and informative email alerts.
  • Escalate security incidents pertaining to malware, phishing, network intrusions and service issues per client escalation procedures.
  • Constructed IP filters via Regular Expressions.
  • Participated in training, mentoring and shadowing of new analysts.
  • Utilise the Linux command line to generate customised reports for clients based on specific criteria.
  • Perform network forensics using URL/URI logs, Active Directory logs, Argus, pSQL, raw packet captures, etc.
  • Contributed malicious domains and IP addresses to internal global blacklist.
  • Analyse malware sample behaviour using internal sandbox environments.
  • Developed threat report documents on emerging threats to educate fellow analysts in best practice, remediation and investigative procedures.
  • Monitor client endpoints for suspicious or malicious activity on a process level using Carbon Black.
  • Investigate and action Splunk security incidents in tandem with Palo Alto Networks logs, Bit9 and Symantec Endpoint Protection.
  • Created security incident cases through RSA Archer. Actively participate in the development and improvement of SOC processes and procedures.
education

Bachelor of Science, Information Technology

Munster Technological University

Rossa Avenue, Bishopstown, Cork

2018
certifications
security
platform & tools
Google Cloud Platform: Core Infrastructure
Google · 2020
Splunk Certified User
Splunk · 2020
Carbon Black Response Advanced Analyst
Carbon Black Inc. · 2019
Sumo Logic Security Analytics Certified
Sumo Logic · 2019
projects

2K Projects

Oct 2021 – Present
  • Designed and implemented a Leak Monitoring Program to detect, track, and respond to unauthorized disclosure of pre-release game assets, trailers, early builds, and confidential projects. Built a centralized monitoring and response framework leveraging threat intelligence, real-time detection, and automated workflows to rapidly identify leaks, reduce impact, and improve response times. Integrated the solution with existing Security and IT logging infrastructure to enable analytics, reporting, and continuous improvement.

Blizzard Entertainment Projects

Apr 2020 – Sep 2021
  • Embraced Blizzard's goal of migrating to the Google Cloud Platform by deploying various projects into GCP, including CyberChef, malware sandbox labs, Magnet AXIOM, etc. Reviewed Terraform infrastructure-as-code pull requests prior to merging into production GCP environments.
  • Participated in the Proof of Concept and scorecard phases for various NSM solutions such as Bricata, Cortex, Corelight, etc.
  • Proactively contributed towards Blizzard's automation goals through the creation of Tines story runs and playbooks.
  • Supported Blizzard's sister company, King, while they expanded their Security team, triaging and responding to King's security alerts, contributing towards detection engineering, documentation and alert enrichment.

eSentire Projects

Jan 2018 – Mar 2020
  • Created and authored several threat reports based on emerging threats with the aim of educating fellow analysts regarding best practice, event remediation and indicators of compromise.
  • Created internal documents to aid analysts in decoding several obfuscation techniques employed by PowerShell commands spawned by Emotet-related weaponized documents. Also created a script to aid in automating the blacklisting of IP addresses associated with the hosting of Emotet payloads.
  • Represented eSentire at Cork Institute of Technology's careers day, delivering a presentation focused on ransomware.
  • Implemented a VirusTotal lookup tool that provided analysts with a full VT report, whilst also mitigating the possibility of uploading sensitive client information.
  • Designed and implemented a tool capable of scraping payload domains, IOCs and C2 IPs from various feeds, for easy blacklisting.