Papa Corpnet
Faster Answers, Stronger systems
Outcomes over noise. We tune detections + automate triage + explain root cause.
Cut busywork with safe automation
Auto-evidence and guardrails reduce manual steps during triage so analysts can focus on decisions , not copy/paste.
- • Phishing triage with approvals + audit
- • Mailbox rule snapshots and resets
- • Ticket evidence packaging and updates
Sharper signals, faster answers
Tune noisy rules without hiding real attacks and design escalation that gets you to action quickly.
- • Noise-shaping on Defender & Cortex XDR analytics
- • Clear escalation paths with next steps
- • Weekly SOC metrics (SLA, MTTR/MTTD)
Find root cause , explain it clearly
Hypothesis-driven hunts reconstruct the timeline so you know exactly how it happened and what to fix.
- • Identity hygiene and risky sign-ins
- • Mailbox rules & OAuth app abuse
- • Initial access → persistence → lateral risk
Quick wins in days, not weeks.
Sharper signals, fewer tickets.
Faster decisions with context.
Automation removes busywork.
Recent outcomes
QR code phishing , stopped
Computer vision on QR images, mailbox rule snapshot & revert, clean resets and comms.
XDR fatigue , tuned
Targeted BIOC tuning and escalation logic cut noise without losing signal.
Identity hygiene , hardened
Conditional Access templates, recovery hardening, risky sessions revoked.
Individuals , secured
Account recovery, phishing cleanup, device & OS hardening, home network lockdown.
How we work
Scope the problem & show baseline metrics
Tune detections & ship safe automations
Hunt for root cause; document timeline
Measure outcomes; plan next fixes
Before → After
Hundreds of phishing tickets; false positives everywhere.
Automated enrichment + approvals; clear resets; repeat incidents drop.
Analysts triage LOLBAS and admin-tool alerts manually.
Noise shaping + guardrails; analysts spend time on real risk.
Legacy auth and weak recovery made persistence easy.
CA policies tightened; recovery paths hardened; less lateral risk.
What teams say
“Noise dropped without hiding real attacks.”
, SOC Manager, Tech
“We stopped arguing about tickets and started fixing problems.”
, Security Lead, Financial Services
“The RCA told us what happened and what to change. No fluff.”
, IT Director, Healthcare
Nicholas • Papa Corpnet
Six years building detections, automation, and clear RCAs teams can ship.
Focus
- • Detection engineering
- • Security automation
- • Threat hunting & root cause
Platforms
Microsoft (Defender, M365), Palo Alto (Cortex XDR), Proofpoint, Okta, AWS/Azure.
Approach
Assess fast → ship fixes → measure outcomes → hand off cleanly with docs and playbooks.
Engagement modes
- • Sprint: 1, 2 weeks focused on a specific outcome.
- • Retainer: monthly detection & hygiene improvements.
- • Emergency: 24/7 incident support & RCA.
For individuals
- • Account recovery and phishing cleanup.
- • Device & OS hardening; passkeys/MFA setup.
- • Home network lockdown and privacy hygiene.
Principles
Safety first , automation with guardrails and approvals.
Fast fixes , show value in days, not weeks.
Explain root cause , timelines, what to change, why it matters.