Hello, I'm

Javier
Morales

Staff Security Engineer | Detection Engineering | Security & Compliance Automation | AI & MCP

See my work Let's talk →

About

Staff Security Engineer with 15+ years of experience spanning infrastructure operations, detection engineering, and AI-driven security automation.

I design and operate high-signal detection platforms in large multi-account cloud environments, and build autonomous SOC systems that triage alerts with minimal human intervention — combining LLMs, behavioral analysis, and multi-tool orchestration in production workflows.

In parallel, I build AI-powered products: price intelligence platforms, data pipelines, and conversational agents for business workflow automation.

Published researcher in ML-based malware detection (MDPI Electronics, 2024). AWS Security and Machine Learning certified.

MSc Cybersecurity UNIR — ML Research
AWS Security — Specialty + ML Specialty, Solutions Architect
MDPI Publication ML Malware Detection — 98.6%
PMP + ISO 27001 Lead Auditor + CompTIA Security+
Javier Morales
Location Gran Canaria, Spain
Experience 15+ years
Focus Detection Engineering & AI Automation
Languages ES / EN / PT

Key Impact

9x faster triage

Autonomous Security Operations

Production AI-driven system integrating SIEM, identity, cloud APIs, ticketing, and vulnerability management through MCP architecture. Purpose-built agents handle tiered investigation workflows from automated triage to deep behavioral analysis.

-60% false positives

Detection-as-Code at Scale

Hundreds of SIEM detections across multi-account AWS with unit testing, contextual enrichment, dynamic suppression, and automated deployment. Led systematic noise reduction cutting false positives by 60%.

68+ automated tests

AI Agent Defensive Architecture

Multi-layered defensive framework for AI-assisted operations: integrity verification, prompt injection scanning, supply chain monitoring, and guardrails enforcement against emerging AI agent attack classes.

98.6% ML precision

Operational Resilience

Manual fallback procedures for all automated workflows across multiple failure modes. Automated watchdog systems for detection state monitoring. Published ML research with 98.6% precision.

Let's discuss your project →

What I Build

MotoRadar
Featured Project

MotoRadar — Price Intelligence for Motorcycles

Full-stack price comparison engine for second-hand enduro and trail motorcycles in Spain. Aggregates listings from 4 platforms, applies z-score deal scoring, tracks price trends, and detects outliers. Built with FastAPI, PostgreSQL, HTMX, and a custom browser extension for data collection.

PythonFastAPIPostgreSQLHTMXPlaywright
1,500+ Active Listings
4 Data Sources
6h Update Cycle
View project →
AI Security Guardrails

AI Security Guardrails

Open-source defense system for AI coding assistants. Pre/post-tool hooks, prompt injection detection with regex + ML, credential leak scanning, integrity verification with SHA256 checksums. 68+ automated tests.

PythonBashModernBERTSecurity
View project →
Detection-as-Code Framework

Detection-as-Code Framework

Production detection rules with unit testing, contextual enrichment, and dynamic suppression for multi-account AWS environments. Includes real-world examples of SIEM detections that reduced false positives by 60%.

PythonPantherAWSDetection Engineering
View project →
MCP Security Toolkit

MCP Security Toolkit

Model Context Protocol servers for security operations: SIEM querying, threat intel enrichment, and incident response automation. Connects LLMs directly to security tooling for autonomous SOC workflows.

MCPPythonClaude APISecurity
View project →
n8n Security Workflows

n8n Security Workflows

Ready-to-import n8n workflow templates for security operations: AI-powered alert triage, threat intel enrichment, certificate expiry monitoring, daily security digests, and new user auditing.

n8nAutomationClaude APISecurity
View project →
Prompt Injection Detector

Prompt Injection Detector

Lightweight Python library for detecting prompt injection attacks in AI agent outputs. 23 regex patterns, NFKC Unicode normalization, zero-width character stripping, and credential leak scanning.

PythonSecurityLLMNLP
View project →

Technical Stack

AI & Automation

Claude APIMCPMulti-Agent Orchestrationn8nPrompt EngineeringLLM Integration

Detection & Response

Detection-as-CodeSIEM (Panther)Behavioral AnalysisAlert TuningIncident TriageForensic Readiness

Cloud & Infrastructure

AWS (Multi-Account)TerraformDockerKubernetesLambdaLinux

Security & Compliance

SOC 2ISO 27001NIST 800-53Zero TrustWAFIDS/IPS

Backend & Data

PythonFastAPIPostgreSQLBashSQLRedis

Frontend & Scraping

ReactHTMXPlaywrightBeautifulSoupTailwind CSSHugo

Experience

2023 — Present

Staff Security Engineer

Enterprise SaaS · Remote, Gran Canaria

  • Designed and operate the company's detection platform with hundreds of rules across a large multi-account AWS estate, covering cloud, identity, SaaS, and endpoint telemetry
  • Built an AI-driven investigation platform using Claude with MCP integrations across SIEM, identity, collaboration, ticketing, cloud, vulnerability scanning, and endpoint management
  • Led a systematic noise reduction program cutting false-positive alert volume by over 60% through targeted rule tuning and infrastructure baselining
  • Optimized SIEM data lake query performance by over 90%. Re-architected legacy infrastructure from EC2 to event-driven Lambda, fixing a critical data loss bug
  • Discovered and remediated a silent alert routing failure where a significant portion of detections were not reaching the security team
  • Implemented compliance-as-code pipelines supporting SOC 2, ISO 27001, and NIST 800-53 control validation in CI/CD
2021 — 2022

Platform & Security Engineer

The Workshop · Malaga, Spain

  • Led Zero Trust implementation across multi-cloud environments: IAM hardening, service control policies, WAF deployment, and centralized audit logging
  • Managed multi-site infrastructure on OpenStack/VMware with automated deployments (Puppet/Ansible AWX) and Infrastructure-as-Code
  • Operated NGFW, IDS/IPS, WAF, EDR, and IAM (Cisco, Palo Alto). Integrated SIEM with forensic tooling, reducing false positives ~30%
  • Enabled continuous compliance (SOC 2, ISO 27001, NIST) with centralized logging, reducing audit preparation time ~40%
2018 — 2021

Senior Cloud Engineer

eSentire · Cork, Ireland

  • Managed AWS infrastructure for managed detection and response (MDR) services, ensuring high availability and security posture
  • L2/L3 incident management for VMware vSphere/vROps. Designed ETL pipelines and optimized database queries for high-volume data processing
  • Technical lead on infrastructure projects, overseeing planning, execution, and SLA delivery
2016 — 2018

L2/L3 Support Engineer

VMware · Cork, Ireland

  • Expert support for VMware vSphere and vROps across enterprise environments
  • Led multi-platform troubleshooting across networking, storage, and virtualization
2010 — 2016

Earlier Career

Havas Media, Wincor Nixdorf, Roche, Vodafone · Ireland & Spain

  • IT Systems & Ops Engineer, VMware Engineer, DBA (PostgreSQL/MySQL/Oracle), Service Desk L1-L2

Education & Certifications

MSc Cybersecurity

UNIR — Universidad Internacional de La Rioja · 2019 — 2021

Dissertation: ML-based Android malware detection. Published in MDPI Electronics — 98.6% precision on 7,000+ APKs.

Higher Diploma in Cloud Computing

National College of Ireland · 2017 — 2019

Diploma Multiplatform App Development

IES El Rincon

Diploma Telecommunications Systems

IES Politecnico

Certifications

AWS Security — Specialty
AWS Machine Learning — Specialty
AWS Solutions Architect — Associate
PMP
ISO 27001 Lead Auditor
CompTIA Security+
Publication "Android Malware Detection Using Machine Learning" — MDPI Electronics, 2024

Books & Resources

Practical guides and free tools for securing AI systems.

Get the book

Securing Autonomous AI

The practitioner's guide to defending AI agents in production — threat models, defense patterns, and incident playbooks.

Get the book → Free

Detection Engineering Starter Kit

Free: 3 production-ready detection templates and AI triage prompts for security operations.

Download free →

Latest from the Blog

The IC Score: An AI-Powered Formula for SOC Alert Triage

A practical breakdown of the IC Score formula: 7 weighted signals, asset criticality multipliers, and decision thresholds that reduced our mean triage time from 15 minutes to under 2 minutes.

Read more →

PewDiePie's Odysseus: The Security Take on Running an Agent That Reads Your Email and Executes Code

Odysseus combines command execution, email reading, and web access in a single local agent. It’s a textbook case of the ’lethal trifecta’. ‘It’s local’ protects your privacy, but not from prompt injection. The security take and how to install it right.

Read more →

Designing Guardrails for AI Security Agents in Production

AI agents with access to your SIEM, identity provider, and containment actions are privileged processes. Here is how I design guardrails to keep them safe in production.

Read more →
View all posts