EDR-07 · EXPERIENCE
I lock down endpoints and actually close the findings.
I deploy and tune Trellix across your fleet, set a hardened baseline that holds, and work the vulnerability backlog until findings are fixed and verified. A scan that flags 400 items is easy to produce. Closing them, proving they are closed, and keeping them closed is the actual job, and that is the part I own.
01 · What I do
The actual work
- Deploy and tune Trellix endpoint protection across Windows and Linux, with policies set to your environment instead of vendor defaults.
- Set a hardened endpoint and server baseline, then document and enforce it so configuration drift becomes visible instead of silent.
- Triage vulnerability scan output by real exploitability and exposure, not just raw CVSS, so the team fixes what actually matters first.
- Remediate findings with tested fixes: patches, configuration changes, and compensating controls where no patch exists yet.
- Verify every fix with a rescan and record the evidence, so a finding marked closed stays closed.
- Map endpoint detection and coverage to MITRE ATT&CK so you can see what you catch and where the gaps are.
- Tune alerting to cut false positives down to a signal your team will act on, instead of a console nobody reads.
02 · What you get
What you are left with
- A managed Trellix deployment tuned to your environment, with policies your team can read and change.
- A documented endpoint baseline you can audit against, so drift gets caught early instead of accumulating.
- A vulnerability backlog that is actually shrinking, with each closed finding backed by a rescan.
- Alerting your team trusts, because the noise is gone and what is left is real.
- A short written record of what changed, why, and what is still tracked, handed to your team.
03 · Tools and knowledge
What I work with here
04 · How I approach it
Planned, scoped, and owned
It starts with a 30-minute scoping call and a same-day written fit assessment, so you know where the real exposure sits before we touch anything. From there I work a documented change plan with a rollback for every production change, because hardening a live endpoint can break things and I want the path back on paper first. Policy pushes, baseline changes, and remediation waves go out inside a defined window and are validated against agreed gates, and I own the rollback if a gate fails. Nothing gets marked done on my word alone. A finding is closed when a rescan confirms it and the evidence is written down.
05 · Questions
Good questions, straight answers
Do you replace our endpoint tooling or work with what we already have?
Either. If you are already on Trellix, I tune and clean up what is there. If you are standing it up or switching, I deploy and configure it from scratch. I do not push a rip-and-replace you do not need.
How do you decide what to remediate first?
By real exposure, not raw scan score. A high-CVSS finding on an isolated box can wait behind a medium one that is internet-facing and actively targeted. I weigh exploitability, exposure, and what MITRE ATT&CK shows attackers actually use, then we fix in that order.
What about findings you cannot patch right away?
They do not get left open and forgotten. Where no patch exists yet, I put a compensating control in place, document the risk and the plan, and track it until the real fix lands.
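The ordering rule from the remediation answer above, and the close-only-on-rescan rule from the unpatched-findings answer, as an added illustration that is not the consultant's own tooling. The weights, host names and vulnerability identifiers are constructed for the example; real triage would pull exposure and exploitation data from the scanner and threat intel.

```python
# Added example: rank findings by exposure and exploitability rather than raw
# CVSS, and refuse to close a finding until a rescan and written evidence exist.
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str               # constructed placeholder, not a real CVE
    cvss: float
    internet_facing: bool
    actively_exploited: bool   # known in-the-wild use / ATT&CK technique attackers run
    patch_available: bool
    rescan_clean: bool = False
    evidence: str = ""         # where the rescan result is recorded
    compensating_control: str = ""


def priority_score(f: Finding) -> float:
    """Weight CVSS by real exposure and exploitability (weights are assumptions)."""
    score = f.cvss
    score *= 2.0 if f.internet_facing else 0.5   # an isolated box waits
    score *= 2.0 if f.actively_exploited else 1.0
    return round(score, 2)


def remediation_order(findings):
    """Highest real exposure first, regardless of raw CVSS."""
    return sorted(findings, key=priority_score, reverse=True)


def can_close(f: Finding) -> bool:
    """Closed only when a rescan confirms it and the evidence is written down."""
    return f.rescan_clean and bool(f.evidence.strip())


def needs_tracking(f: Finding) -> bool:
    """Unpatchable and not yet verified closed: must stay open with a control."""
    return not f.patch_available and not can_close(f)


# Constructed sample backlog: high CVSS on an isolated host, medium CVSS on an
# internet-facing and actively targeted host, and an unpatchable edge finding.
BACKLOG = [
    Finding("db-isolated-01", "VULN-A", 9.8, False, False, True),
    Finding("web-edge-02", "VULN-B", 6.5, True, True, True),
    Finding("app-edge-03", "VULN-C", 7.2, True, False, False,
            compensating_control="WAF rule + egress block"),
]
```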
06 · Related experience
Adjacent work I do
Need this handled?
Tell me what you are trying to move and where it is stuck. A few sentences is plenty to start, and it goes straight to my inbox.