About
About Joshua Berkoh
Cybersecurity professional and PhD researcher building a CTI-focused body of work through investigations, dark-web research, and technical writing.
Joshua Berkoh is a cybersecurity professional and PhD researcher focused on cyber threat intelligence, threat investigations, dark-web intelligence research, and security analysis.
His work combines security operations experience, hands-on investigation practice, application security, technical writing, and doctoral research into hidden-service ecosystems. Through this Cyber Threat Intelligence Lab, Joshua documents his development as an investigator and researcher by publishing structured investigation reports, research notes, lab artifacts, and technical writing.
Current Focus
What I'm focused on
- Threat Investigations — building a public portfolio of scenario-based cyber threat investigations using KC7 Cyber materials.
- Dark-Web Intelligence Research — conducting PhD research on the I2P hidden-service ecosystem, infrastructure structure, and application-layer connectivity.
- Security Analysis & Threat Hunting — strengthening investigation workflows using KQL, IOC pivoting, OSINT, and MITRE ATT&CK mapping.
- Detection Engineering Study — studying Practical Detection Engineering as an in-progress capability that will later support defensible detection artifacts.
Investigation portfolio
The investigation portfolio contains structured cyber threat investigations completed using realistic enterprise scenarios from the KC7 Cyber Security Analyst program.
These reports are not presented as real-world client incidents. They are scenario-based investigations that document Joshua's analytical workflow, evidence collection, KQL analysis, IOC pivoting, MITRE ATT&CK mapping, and findings.
The goal is to show the investigative process clearly and honestly: what evidence was reviewed, how conclusions were reached, and how the analysis developed over time.
View the investigation portfolio →
Research focus
Joshua's doctoral research focuses on the I2P anonymity network and hidden-service ecosystem analysis.
The research examines how application-layer and network-layer observations can be collected, structured, and analyzed to better understand hidden-service connectivity, infrastructure relationships, and ecosystem behavior.
This work is framed as dark-web intelligence research and security measurement. It does not claim real-world adversary attribution or active threat actor tracking.
Explore the research →
Technical areas
Tools and methods
Detection Engineering tools such as Sigma, YARA, and detection-validation workflows are intentionally not listed as completed capabilities yet — that area is still in development.
Experience
Experience highlights
Security Operations Center Analyst
Joshua worked as a Security Operations Center Analyst at Virtual Infosec Africa, where he monitored and analyzed security activity, supported incident response, and contributed to SOC operations.
Security Engineer Intern
As a Security Engineer Intern at Intuit, Joshua supported security engineering work involving red team tooling, compliance automation, and remediation of security-related issues before deployment.
Cyber Threat Investigation Practice
Joshua is building a public investigation portfolio through KC7 Cyber scenario-based investigations. These reports document his use of KQL, IOC pivoting, OSINT, ATT&CK mapping, and evidence-driven analysis.
Dark-Web Intelligence Research
Joshua's PhD research focuses on I2P hidden-service ecosystem analysis, hidden-service discovery, infrastructure characterization, and graph-based relationship analysis.
Application Security and Bug Bounty
Joshua has participated in bug bounty and application security work, including responsible disclosure across multiple programs and Hall of Fame recognition from organizations including Centrify, Arlo, and Humble Bundle.
OSINT and Community Work
Joshua has participated in TraceLabs OSINT work and has contributed to cybersecurity community efforts through OWASP and ISC2.
Education
- PhD, Information Technology — University of Cincinnati, expected April 2028.
- Master of Science, Information Technology — University of Cincinnati, August 2024.
Community
Community involvement
- OWASP Cincinnati Chapter — Bugbash Mentor
- ISC2 — Examination Developer
- TraceLabs — OSINT CTF Player and Coach
- AWS Community Builder — Security Division
The Lab
Why this lab exists
This Cyber Threat Intelligence Lab is built on one conviction: the clearest way to show how an analyst thinks is to show the work — not to describe it.
It exists for more than a job search. A résumé can list skills; it cannot show the reasoning behind them. Every investigation here documents how evidence was gathered, how conclusions were reached, and where the analysis could be challenged — the actual tradecraft, made reviewable.
It is also a long-term, evolving body of work. As the portfolio grows — more investigations, deeper dark-web research, and detection engineering once that capability is genuinely earned — the lab becomes a transparent, honest record of an investigator's development: something that can be read, questioned, and improved over time.
The goal is simple: don't take the claims on faith. Read the work, and judge the thinking for yourself.