Cyber Threat Intelligence · Threat Hunting · Dark-Web Research

Tracking adversaries.
Hunting threats.
Producing actionable intelligence.

I'm Joshua Berkoh — a cybersecurity professional and PhD researcher working in threat investigations, threat hunting, and dark-web intelligence research. Through scenario-based investigations and security research, I reconstruct intrusion activity, map observed tradecraft to MITRE ATT&CK, and turn raw telemetry into clear, defensible intelligence.

MITRE ATT&CK · KQL · OSINT · IOC Pivoting · Threat Hunting · Python · Graph Analysis

Capabilities

What I do

Demonstrated competencies across the intelligence cycle — collection, analysis, and reporting — grounded in completed investigative and research work.

Cyber Threat Intelligence

Collect, analyze, and report structured intelligence on threat activity, tradecraft, indicators, and investigative findings.

Threat Hunting

Hypothesis-driven hunts across endpoint and network telemetry using KQL and ATT&CK.

Threat Investigations

End-to-end intrusion reconstruction — timelines, evidence, IOCs, and assessments.

Dark-Web Intelligence

Research into anonymity networks, hidden services, and underground infrastructure.

Intelligence Research

Structured analytic methods, source evaluation, and confidence-based judgments.

Security Research

Tooling, measurement, and methodology that extend how threats are studied.

Investigations

Featured investigations

Threat-investigation case studies: full intrusion reconstructions with timelines, IOC analysis, and MITRE ATT&CK mapping. Developed from KC7 threat scenarios and written to professional intelligence-reporting standards.

APT Campaign · Infrastructure Tracking · In Progress

Valdoria Votes: Advanced Persistent Threat Analysis

Investigating a high-stakes, state-sponsored campaign targeting election infrastructure. Reconstructing attacker persistence mechanisms, multi-hop C2 structures, and domain registrar anomalies.

Coming soon
View all investigations →

Research

Current research — dark-web intelligence

An intelligence-collection lens on anonymity infrastructure: discovering hidden services, mapping the relationships between them, and measuring how the ecosystem behaves at scale.

Mapping the I2P anonymous network

I'm building a cross-layer framework that fuses network-layer routing data with application-layer hidden-service ("eepsite") crawls into a single graph — making it possible to study anonymity infrastructure and the services riding on it as one connected hidden-service ecosystem. The work spans hidden-service discovery, infrastructure mapping, large-scale collection, and graph analysis.
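An added illustration of what such a cross-layer graph can answer, written for this page and not part of the author's framework or code. It fuses two constructed observation layers, LeaseSet data (which inbound tunnel gateway routers a destination publishes) and crawl data (hyperlinks between eepsites), into one graph, then pivots on it: which eepsites share front-end routers, which pairs are related in both layers rather than one, and how the ecosystem splits into clusters. Every name, router hash and link below is a placeholder, not a real I2P address or observation.

```python
"""Cross-layer graph over constructed I2P observations (added example, not the
author's framework). Two layers are fused into one graph:
  - network layer: LeaseSet observations, i.e. which inbound tunnel gateway
    routers a destination (eepsite) publishes;
  - application layer: crawl results, i.e. hyperlinks between eepsites.
Names, hashes and links below are placeholders, not real I2P addresses."""
from collections import defaultdict
from itertools import combinations

# Constructed network-layer data: destination -> gateway router hashes it publishes.
LEASESETS = {
    "market.b32.i2p": {"R1", "R2"},
    "forum.b32.i2p": {"R2", "R3"},
    "blog.b32.i2p": {"R4"},
    "mirror.b32.i2p": {"R1"},
    "wiki.b32.i2p": {"R5"},
}
# Constructed application-layer data: (source eepsite, target eepsite) hyperlinks.
CRAWL_LINKS = [
    ("market.b32.i2p", "forum.b32.i2p"),
    ("forum.b32.i2p", "market.b32.i2p"),
    ("blog.b32.i2p", "forum.b32.i2p"),
]


def build_graph(leasesets, crawl_links):
    """Undirected adjacency: node -> {neighbour: set of edge labels}.
    Nodes are ("dest", name) or ("router", hash); labels are "lease" or "link".
    Both layers are flattened into one structure so generic graph routines
    (components, paths) see a single ecosystem."""
    g = defaultdict(lambda: defaultdict(set))
    for dest, routers in leasesets.items():
        g[("dest", dest)]  # make sure isolated destinations still appear
        for r in routers:
            g[("dest", dest)][("router", r)].add("lease")
            g[("router", r)][("dest", dest)].add("lease")
    for src, dst in crawl_links:
        g[("dest", src)][("dest", dst)].add("link")
        g[("dest", dst)][("dest", src)].add("link")
    return g


def shared_gateway_pairs(g):
    """Infrastructure pivot: pairs of eepsites publishing a lease on the same
    gateway router, mapped to the routers they have in common."""
    pairs = defaultdict(set)
    for node, nbrs in g.items():
        if node[0] != "router":
            continue
        dests = sorted(n[1] for n, labels in nbrs.items() if "lease" in labels)
        for a, b in combinations(dests, 2):
            pairs[(a, b)].add(node[1])
    return dict(pairs)


def classify_pairs(g):
    """Label each related eepsite pair by which layer(s) connect them:
    'both', 'infrastructure-only' or 'link-only'. Pairs seen in both layers
    are the strongest shared-operator candidates; single-layer pairs are
    leads that still need corroboration."""
    infra = set(shared_gateway_pairs(g))
    links = set()
    for node, nbrs in g.items():
        if node[0] != "dest":
            continue
        for n, labels in nbrs.items():
            if n[0] == "dest" and "link" in labels:
                links.add(tuple(sorted((node[1], n[1]))))
    out = {}
    for p in infra | links:
        if p in infra and p in links:
            out[p] = "both"
        elif p in infra:
            out[p] = "infrastructure-only"
        else:
            out[p] = "link-only"
    return out


def components(g):
    """Connected components of the fused graph; each is one cluster of
    eepsites plus the routers that front them."""
    seen, comps = set(), []
    for start in g:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(g[n])
        seen |= comp
        comps.append(comp)
    return comps


if __name__ == "__main__":
    G = build_graph(LEASESETS, CRAWL_LINKS)
    for pair, kind in sorted(classify_pairs(G).items()):
        print(f"{pair[0]} <-> {pair[1]}: {kind}")
    print("component sizes:", sorted(len(c) for c in components(G)))
```

On the constructed data, market and forum are related in both layers (they link to each other and share gateway R2), blog only links to forum, and mirror only shares R1 with market; wiki and R5 form a separate component. The point of fusing the layers is exactly this triage: a relationship visible in one layer is a lead, one visible in both is a much stronger claim.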

Dark-Web Intelligence · Hidden-Service Discovery · Infrastructure Mapping · Graph Analysis
Explore the research →

Lab activity

Recent intelligence activity

A working record of what I'm building now and how the lab is growing over time.

Currently working on

  • I2P Hidden Service Ecosystem Analysis · In Progress — PhD research focused on hidden-service discovery, application-layer crawling, infrastructure mapping, graph-based relationship analysis, and reproducible collection workflows within the I2P anonymity network.
  • KC7 Cyber Investigation Portfolio · In Progress — Building a public portfolio of scenario-based cyber threat investigations using KC7 Cyber materials, with emphasis on evidence analysis, KQL queries, IOC pivoting, ATT&CK mapping, and structured reporting.
  • Practical Detection Engineering · In Progress — Studying detection engineering concepts and workflows. This capability is actively developing and will only be published as rules, detections, or validation reports once the work is completed and defensible.
  • Cyber Threat Intelligence Research & Writing · In Progress — Developing public-facing investigation reports, research notes, and technical articles that document analytical reasoning, evidence collection, and security research.
  • Cyber Threat Intelligence Lab · In Progress — Rebuilding the website as a long-term CTI Lab that connects investigations, research, publications, lab artifacts, and future detection engineering work into a single evidence-based professional identity.

Publications

Reports & papers

Finished intelligence products and research output — investigation reports, research papers, and technical articles.

Published investigation reports are listed under Investigations; academic and research output is collected on the Publications page.

View publications →

About

Researcher & threat investigator

Joshua Berkoh

I'm a PhD researcher in Information Technology and a practicing security professional. My work sits where intelligence analysis meets hands-on investigation: reconstructing intrusions, hunting for adversary activity in telemetry, and researching the infrastructure that threats rely on. I've served as a SOC analyst defending financial institutions and as a security engineering intern, and I hold hall-of-fame recognition from multiple bug-bounty programs.

I write every investigation to be defensible — evidence-first, mapped to MITRE ATT&CK, and honest about confidence. Detection engineering is an area I'm actively studying and will publish as the work matures.

More about me →

Contact

Open to threat intelligence work

If your team works in cyber threat intelligence, threat hunting, or security research, I'd welcome a conversation.