Cyber Threat Intelligence · Threat Hunting · Dark-Web Research

Tracking adversaries. Hunting threats. Producing actionable intelligence.

I'm Joshua Berkoh — a cybersecurity professional and PhD researcher working in threat investigations, threat hunting, and dark-web intelligence research. Through scenario-based investigations and security research, I reconstruct intrusion activity, map observed tradecraft to MITRE ATT&CK, and turn raw telemetry into clear, defensible intelligence.

MITRE ATT&CK · KQL · OSINT · IOC Pivoting · Threat Hunting · Python · Graph Analysis

01 — Capabilities

What I do

Demonstrated competencies across the intelligence cycle — collection, analysis, and reporting — grounded in completed investigative and research work.

01 · Intel Cycle

Cyber Threat Intelligence

Collect, analyze, and report structured intelligence on threat activity, tradecraft, indicators, and investigative findings.

02 · KQL · ATT&CK

Threat Hunting

Hypothesis-driven hunts across endpoint and network telemetry using KQL and the ATT&CK framework.

03 · DFIR

Threat Investigations

End-to-end intrusion reconstruction — timelines, evidence, IOCs, and defensible assessments.

04 · I2P · Hidden Services

Dark-Web Intelligence

Research into anonymity networks, hidden services, and privacy-preserving infrastructure.

05 · Analytic Methods

Intelligence Research

Structured analytic methods, source evaluation, and confidence-based judgments.

06 · Method

Security Research

Tooling, measurement, and methodology that extend how threats are studied.

02 — Investigations

Featured investigations

Threat-investigation case studies: full intrusion reconstructions with timelines, IOC analysis, and MITRE ATT&CK mapping — developed from KC7 scenarios and written to professional intelligence-reporting standards.

CASE-2026-001 Insider Threat · Active Directory Ransomware

Inside Encryptodera: An Insider Threat Scenario

A dual-track insider-threat investigation at Encryptodera Financial: a contractor's 27-day FTP exfiltration of cold-storage crypto-wallet secrets running in parallel with a hijacked-identity intrusion that escalates to a domain-wide...

8 techniques · High confidence
Read investigation →
CASE-2026-002 Critical Infrastructure · Supply Chain

Solvi Systems: A tale of Supply Chains and ICS

Triaging a complex supply-chain intrusion targeting regional energy distribution. Tracks the complete lifecycle from perimeter XSS probing and weaponized phishing documents to lateral movement and source-code exfiltration using...

8 techniques · High confidence
Read investigation →
CASE-2026-003 APT Campaign · Infrastructure Tracking

Valdoria Votes: Advanced Persistent Threat Analysis

Investigating a high-stakes, state-sponsored campaign targeting election infrastructure. Reconstructing attacker persistence mechanisms, multi-hop C2 structures, and domain registrar anomalies.

In progress · Coming soon
View all investigations →

03 — Research

Current research — dark-web intelligence

Mapping the I2P anonymous network

A cross-layer framework that fuses network-layer routing data with application-layer hidden-service ("eepsite") crawls into a single graph — making it possible to study anonymity infrastructure and the services riding on it as one connected hidden-service ecosystem.

The work spans hidden-service discovery, infrastructure mapping, large-scale collection, and graph analysis.

Hidden-Service Discovery · Infrastructure Mapping · Graph Analysis
Explore the research →
Fig.01 — Eepsite relationship graph
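The cross-layer idea described above, as an added illustration that is not code from the research project: a constructed eepsite crawl (which sites hyperlink to which) is fused with a constructed set of leaseSet gateway assignments (which router identities each destination publishes as inbound tunnel gateways) into one graph. The hostnames, router identifiers and record layout are placeholders chosen for the example; the point it shows is that two eepsites with no application-layer link between them can still be connected through a shared gateway router, so the fused graph has fewer components than the crawl graph alone.

```python
from collections import defaultdict, deque

# Constructed sample of application-layer crawl output: each eepsite hostname and
# the eepsites it hyperlinks to. Hostnames are placeholders, not real services.
CRAWL = {
    "alpha.b32.i2p": ["beta.b32.i2p", "gamma.b32.i2p"],
    "beta.b32.i2p": ["alpha.b32.i2p"],
    "gamma.b32.i2p": [],
    "delta.b32.i2p": ["epsilon.b32.i2p"],
    "epsilon.b32.i2p": [],
}

# Constructed sample of network-layer data: for each destination, the router
# identities that appear as inbound tunnel gateways in its leaseSet.
# Router hashes are abbreviated placeholders.
LEASESETS = {
    "alpha.b32.i2p": ["R1", "R2"],
    "beta.b32.i2p": ["R2"],
    "gamma.b32.i2p": ["R3"],
    "delta.b32.i2p": ["R3", "R4"],
    "epsilon.b32.i2p": ["R4", "R5"],
}


def build_graph(crawl, leasesets, include_routers=True):
    """Build an undirected adjacency map over both layers.

    Nodes are prefixed 'site:' or 'router:' so the layers stay distinguishable
    inside one graph. Crawl hyperlinks become site-site edges; leaseSet gateways
    become site-router edges. include_routers=False keeps the application layer only.
    """
    adj = defaultdict(set)
    for site, links in crawl.items():
        adj[f"site:{site}"]  # register sites with no outgoing links as well
        for target in links:
            adj[f"site:{site}"].add(f"site:{target}")
            adj[f"site:{target}"].add(f"site:{site}")
    if include_routers:
        for site, gateways in leasesets.items():
            for gw in gateways:
                adj[f"site:{site}"].add(f"router:{gw}")
                adj[f"router:{gw}"].add(f"site:{site}")
    return dict(adj)


def connected_components(adj):
    """Return the components as sorted lists of node names (BFS over the map)."""
    seen, components = set(), []
    for start in adj:
        if start in seen:
            continue
        queue, comp = deque([start]), []
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.append(node)
            for nbr in adj.get(node, ()):
                if nbr not in seen:
                    seen.add(nbr)
                    queue.append(nbr)
        components.append(sorted(comp))
    return sorted(components)


def shared_gateways(leasesets):
    """Map each gateway router to the sites whose leaseSets use it (two or more sites only).

    Sites that never link to each other but publish leases through the same gateway
    are related at the network layer; a site-only crawl cannot see this relationship.
    """
    by_router = defaultdict(set)
    for site, gateways in leasesets.items():
        for gw in gateways:
            by_router[gw].add(site)
    return {gw: sorted(sites) for gw, sites in by_router.items() if len(sites) > 1}


if __name__ == "__main__":
    app_only = connected_components(build_graph(CRAWL, LEASESETS, include_routers=False))
    fused = connected_components(build_graph(CRAWL, LEASESETS))
    print("application-layer components:", len(app_only))
    print("fused components:", len(fused))
    print("gateways shared by several sites:", shared_gateways(LEASESETS))
```

In the constructed data the crawl alone splits into two clusters ({alpha, beta, gamma} and {delta, epsilon}); adding the leaseSet layer joins them through router R3, which gamma and delta both use as a gateway although neither links to the other. Real collection would replace the two dictionaries with crawl output and netDB leaseSet lookups, and the node prefixes keep the two evidence types separable when the graph is later scored or filtered.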

04 — Lab Activity

Recent intelligence activity

Currently working on

  • PhD research focused on hidden-service discovery, application-layer crawling, infrastructure mapping, graph-based relationship analysis, and reproducible collection workflows within the I2P anonymity network.

  • Building a public portfolio of scenario-based cyber threat investigations using KC7 Cyber materials, with emphasis on evidence analysis, KQL queries, IOC pivoting, ATT&CK mapping, and structured reporting.

  • Studying detection engineering concepts and workflows. This capability is still in development and will only be published as rules, detections, or validation reports once the work is completed and defensible.

  • Developing public-facing investigation reports, research notes, and technical articles that document analytical reasoning, evidence collection, and security research.

Active learning: hands-on threat-investigation training on KC7 Cyber — scenario-based KQL, IOC pivoting, and ATT&CK mapping. View KC7 profile →
Joshua Berkoh — Researcher & threat investigator

05 — About

Researcher & threat investigator

I'm a PhD researcher in Information Technology and a practicing security professional. My work sits where intelligence analysis meets hands-on investigation: reconstructing intrusions, hunting suspicious activity in telemetry, and researching the infrastructure that threats rely on.

I write every investigation to be defensible — evidence-first, mapped to MITRE ATT&CK, and honest about confidence. Detection engineering is an area I'm actively studying and will publish as the work matures.

SOC Analyst · Financial sector · 2021–22
Security Engineer Intern · Intuit · 2023
Bug-Bounty Hall of Fame · Multiple programs
PhD Researcher · Information Tech · 2024–
More about me →

06 — Contact

Open to threat intelligence work

If your team works in cyber threat intelligence, threat hunting, or security research, I'd welcome a conversation.