Available for Opportunities

Rutvik Chavda

Endpoint Security Engineer  ·  SOC Analyst  ·  DFIR  ·  Threat Hunting  ·  EDR/XDR

3+ years at Sophos owning P1/P2 incident response, EDR/XDR investigations, and threat hunting across enterprise Windows, macOS, and Linux environments. Ranked Top 10 globally (FY25) and Top 2 Community Contributor globally across all of CY25. Targeting SOC, DFIR, and Security Engineering roles at MNCs worldwide.

3+ Years Sophos · 500+ Cases Resolved · #10 Global FY25 · 5× CY25 Awards
rutvik@soc — profile.sh
$ whoami
rutvik_chavda
$ cat role.txt
Endpoint Security Engineer
SOC · DFIR · Threat Hunting
$ cat expertise.txt
EDR/XDR · Sophos Intercept X
Splunk SIEM · Live Discover SQL
Windows Event Logs · Sysmon
MITRE ATT&CK · Malware Analysis
$ cat certs_wip.txt
▶ CEH (EC-Council) — In Progress
▶ ISC2 CC — In Progress
$ cat status.txt
OPEN TO OPPORTUNITIES
$
01 — About

I investigate threats.
Not just close tickets.

I'm Rutvik Chavda — an endpoint security engineer who spent 3+ years at Sophos handling the hardest escalations across enterprise Windows, macOS, and Linux environments. My work sits between an alert firing and a definitive root cause with a clean containment path.

I reconstruct attack timelines using Splunk SIEM correlation, trace lateral movement through Windows Event Logs and Sysmon telemetry, write Live Discover SQL queries to hunt threats across the Sophos Data Lake, and map every finding to MITRE ATT&CK TTPs. I own cases end to end, not just raise tickets.

Ranked Top 10 globally (FY25) at Sophos and earned five community awards in CY25 — all four quarterly recognitions plus the full-year title (Top 2 globally). Currently studying CEH and ISC2 CC. Also exploring AI Security and LLM threat landscapes.

SOC Operations · Incident Response · DFIR · Threat Hunting · EDR / XDR · Splunk SIEM · MITRE ATT&CK · Live Discover SQL · Windows Forensics · Sysmon · Malware Analysis · AI Security · CEH (In Progress) · ISC2 CC (In Progress)
Profile
Name: Rutvik Chavda
Location: Ahmedabad, India
Education: B.Tech Comp. Eng.
Experience: 3+ yrs (Sophos)
Phone: +91-7226894089
Focus: SOC · DFIR · IR
Status: Open to Opportunities
Languages
English: Professional
Hindi: Native
Gujarati: Native
02 — Skills

Built in production

Every skill from real enterprise work — 500+ escalations, ransomware incidents, lateral movement cases, and full P1/P2 lifecycle ownership. Not theory.

🛡
SOC & Incident Response
EDR / XDR Investigations: 97%
P1 / P2 Incident Response: 95%
Root Cause Analysis: 94%
Malware & Ransomware Analysis: 89%
Attack Timeline Reconstruction: 91%
🔍
Threat Hunting & Intelligence
MITRE ATT&CK Framework: 91%
IOC / IOA Identification: 88%
Live Discover SQL (XDR): 92%
TTP Mapping & Threat Intel: 84%
False Positive Reduction: 90%
📊
SIEM & Log Analysis
Splunk SIEM / SPL Queries: 85%
Windows Event Log Analysis: 95%
Sysmon Log Analysis: 88%
SIEM Correlation & Alerting: 83%
Endpoint Telemetry Analysis: 94%
🔬
Endpoint Forensics
Windows Forensics (Registry, MFT): 88%
Process Tree Analysis: 93%
Linux & macOS Endpoint Analysis: 81%
Diagnostic Artifact Analysis: 90%
Containment & Remediation: 93%
☁️
Cloud & OS Platforms
Windows / Windows Server: 96%
macOS & Linux Security: 81%
Microsoft Azure: 70%
AWS Cloud Essentials: 65%
TCP/IP · DNS · TLS · VPN: 82%
⚙️
Scripting & Automation
PowerShell (Enterprise): 87%
Python (Automation & Parsing): 72%
Bash / Shell Scripting: 76%
REST APIs / JSON / XML: 74%
Lab Environment Building: 86%
03 — Experience

3+ years at Sophos

From intern to L2/L3 endpoint security engineer — owning enterprise P1/P2 incidents, threat investigations, and earning global recognition.

Technical Support Engineer — Endpoint Security (L2/L3)
Jul 2023 – Mar 2026 · 2 yrs 9 mos
Sophos · Ahmedabad, India
Owned complex P1/P2 endpoint security escalations for enterprise customers globally — leading alert triage, telemetry analysis, incident investigation, containment validation, remediation verification, and customer communication while meeting SLA and CSAT expectations.
Investigated malware, ransomware, and advanced threats across Windows, macOS, and Linux using EDR/XDR telemetry, Windows Event Logs, Sysmon, process tree analysis, and registry inspection — reconstructing full attack timelines and supporting containment.
Correlated endpoint telemetry with Splunk SIEM to validate alerts, confirm IOCs/IOAs, reduce false positives, perform root cause analysis, and escalate reproducible security issues with clear technical evidence to engineering teams.
Built lab environments to reproduce complex endpoint agent, policy, performance, and connectivity issues — documenting test cases and defect evidence to accelerate Engineering resolution.
Applied MITRE ATT&CK mapping and structured investigation methodologies to improve alert analysis, support threat hunting, and strengthen endpoint detection quality across the global support queue.
Designed, reviewed, and tuned endpoint security policies — web control, application control, device control, device encryption — balancing security coverage with operational stability and reducing policy-driven false positives.
Developed PowerShell and Python automation to improve diagnostic collection and reduce mean time to resolution across the support organisation.
Created investigation runbooks and knowledge base articles — ranked Top 10 globally (FY25), earned 5 CY25 community awards including all four quarterly recognitions and the full-year title (Top 2 globally), featured in the Sophos Community Staff Spotlight.
EDR/XDR · Intercept X · Sophos Central · Sophos MDR · Incident Response · Threat Hunting · Live Discover SQL · Splunk SIEM · MITRE ATT&CK · Windows Event Logs · Sysmon · Windows · macOS · Linux · PowerShell · Python · Azure
Technical Support Engineer Intern — Endpoint Security
Jan 2023 – Jun 2023 · 6 mos
Sophos · Ahmedabad, India
Provided hands-on support resolving endpoint security issues across Windows, macOS, and Linux — gaining direct exposure to Sophos Central and Intercept X from day one and contributing to case documentation and internal knowledge sharing.
Analysed security logs, alerts, and diagnostics to support incident response processes — building the foundational investigative skills that led to full-time L2/L3 conversion after 6 months.
Intercept X · Sophos Central · Triage · Diagnostics
04 — Knowledge Areas

What I've worked on

Real domain areas from 3+ years of enterprise security work — investigations I've run, tools I've used daily, and methodologies applied on live cases.

DOMAIN-01
Ransomware & Malware Incident Investigations
Led investigations into ransomware and malware infections across enterprise Windows environments. Used EDR/XDR telemetry from Sophos Intercept X to trace initial access, persistence, lateral movement, and encryption triggers. Correlated findings across Windows Event Logs, Sysmon, and process trees to build complete attack timelines. Used Live Discover SQL queries to hunt across endpoints in the Sophos Data Lake.
EDR/XDR · Live Discover SQL · Windows Event Logs · Sysmon · MITRE ATT&CK
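The DOMAIN-01 workflow above, as an added example that is not code from this page or from Sophos: a few constructed Sysmon EID 1 (process create), Sysmon EID 11 (file create) and Windows Security 4624 (logon) events are indexed per host, walked into parent-child process chains, tagged with the MITRE ATT&CK techniques their own fields support, and checked for a network logon on one host that is bracketed by the same user's execution on another host just before it and execution on the target just after it. Every host name, user, path and timestamp in the sample is invented, and the event field names are a simplified stand-in, not the Sysmon, EVTX or Live Discover schema.

```python
# Added example for this page (not Sophos code, not the author's own tooling).
from datetime import datetime, timedelta

# Constructed events: hosts, users, paths and times are invented; fields are simplified.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T09:02:11Z", "host": "WS-014", "source": "Sysmon", "id": 1, "pid": 4120,
     "ppid": 3988, "user": "CORP\\jdoe", "image": PS, "cmdline": "powershell -w hidden -enc SQBFAFgA",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"ts": "2025-03-10T09:02:15Z", "host": "WS-014", "source": "Sysmon", "id": 1, "pid": 4188,
     "ppid": 4120, "user": "CORP\\jdoe", "parent_image": PS, "cmdline": "upd.exe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    {"ts": "2025-03-10T09:05:40Z", "host": "FS-01", "source": "Security", "id": 4624,
     "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.20.1.14"},
    {"ts": "2025-03-10T09:05:44Z", "host": "FS-01", "source": "Sysmon", "id": 1, "pid": 2200,
     "ppid": 812, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\Temp\\upd.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe", "cmdline": "upd.exe -k"},
    {"ts": "2025-03-10T09:06:01Z", "host": "FS-01", "source": "Sysmon", "id": 11, "pid": 2200,
     "target": "D:\\Shares\\Finance\\README_RESTORE.txt"},
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}  # all accepted by powershell.exe
RANSOM_NOTE_HINTS = ("readme", "restore", "decrypt", "recover")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def basename(path):
    return path.rsplit("\\", 1)[-1]

def is_proc_create(e):
    return e["source"] == "Sysmon" and e["id"] == 1

def ancestry(proc_idx, host, pid):
    # Walk ppid links root-first. `seen` stops loops caused by pid reuse; a parent that
    # predates the telemetry is taken from the child's own parent_image field.
    chain, seen, key = [], set(), (host, pid)
    while key in proc_idx and key not in seen:
        seen.add(key)
        e = proc_idx[key]
        chain.append(basename(e["image"]))
        key = (host, e["ppid"])
        if key not in proc_idx:
            chain.append(basename(e["parent_image"]))
    return chain[::-1]

def classify(e):
    # Map one event to the ATT&CK techniques its own fields support.
    tags = []
    if is_proc_create(e):
        image, parent = basename(e["image"]).lower(), basename(e["parent_image"]).lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            tags.append("T1204.002 User Execution: Malicious File")
        if image in ("powershell.exe", "pwsh.exe"):
            tags.append("T1059.001 Command and Scripting Interpreter: PowerShell")
        if any(tok in ENCODED_FLAGS for tok in e["cmdline"].lower().split()):
            tags.append("T1027 Obfuscated Files or Information")
        if parent == "services.exe":
            tags.append("T1569.002 System Services: Service Execution")
    elif e["source"] == "Security" and e["id"] == 4624 and e.get("logon_type") == 3:
        tags.append("T1021 Remote Services")
    elif e["source"] == "Sysmon" and e["id"] == 11:
        if any(h in basename(e["target"]).lower() for h in RANSOM_NOTE_HINTS):
            tags.append("T1486 Data Encrypted for Impact")
    return tags

def build_timeline(events):
    # Events in time order, each with its process chain and technique tags.
    proc_idx = {(e["host"], e["pid"]): e for e in events if is_proc_create(e)}  # pid is per host
    rows = []
    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):
        chain = ancestry(proc_idx, e["host"], e["pid"]) if is_proc_create(e) else []
        rows.append({"ts": e["ts"], "host": e["host"], "event": f"{e['source']}/{e['id']}",
                     "chain": " > ".join(chain), "techniques": classify(e)})
    return rows

def link_lateral_movement(events, before=timedelta(minutes=15), after=timedelta(minutes=5)):
    # Pair a network logon with the same user's execution on another host just before it
    # and with execution on the target host just after it; a lone logon is normal traffic.
    procs = [e for e in events if is_proc_create(e)]
    moves = []
    for logon in events:
        if "T1021 Remote Services" not in classify(logon):
            continue
        t = parse_ts(logon["ts"])
        src = [p for p in procs if p["user"] == logon["user"] and p["host"] != logon["host"]
               and t - before <= parse_ts(p["ts"]) < t]
        dst = [p for p in procs if p["host"] == logon["host"] and t <= parse_ts(p["ts"]) <= t + after]
        if not src or not dst:
            continue
        shared = {basename(p["image"]).lower() for p in src} & {basename(p["image"]).lower() for p in dst}
        # Same binary name on the target right after the logon: the tool was copied across.
        techniques = ["T1021 Remote Services"] + (["T1570 Lateral Tool Transfer"] if shared else [])
        moves.append({"user": logon["user"], "src_host": src[-1]["host"], "dst_host": logon["host"],
                      "logon_ts": logon["ts"], "followed_by": [basename(p["image"]) for p in dst],
                      "techniques": techniques})
    return moves
```

`build_timeline(SAMPLE_EVENTS)` returns the five rows in order, with WINWORD.EXE > powershell.exe > upd.exe as the chain on WS-014 and services.exe > upd.exe on FS-01; `link_lateral_movement(SAMPLE_EVENTS)` returns one move from WS-014 to FS-01 tagged T1021 and T1570. The process index is keyed on (host, pid) because pids repeat across endpoints, the `seen` set keeps a reused pid from turning the ppid walk into a loop, and a network logon with no execution on either side is deliberately not reported, since ordinary file-share access looks exactly like that.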
DOMAIN-02
Endpoint Policy Tuning & False Positive Reduction
Worked with enterprise customers to design, review, and tune Sophos endpoint security policies — web content control, application control, device control, and endpoint protection profiles. Identified root causes of false positives by correlating alert telemetry with policy configurations and application behaviour. Developed approaches to reduce noise without reducing detection coverage.
Sophos Central · Policy Management · Root Cause Analysis · Intercept X
DOMAIN-03
Splunk SIEM Investigations & Log Correlation
Used Splunk to support security operations by correlating endpoint telemetry with log sources to validate alerts, confirm IOCs and IOAs, and perform root cause analysis. Wrote SPL queries to search SIEM data and investigate suspicious endpoint activity. Worked across Windows Event Logs, Sysmon telemetry, and Sophos XDR data as correlated sources.
Splunk SIEM · SPL Queries · IOC Validation · Log Correlation
DOMAIN-04
Knowledge Base & Technical Documentation
Authored 100+ technical articles and investigation guides for the global Sophos Staff Community — covering Intercept X policy tuning, Live Discover query patterns, false-positive root causes, and MITRE ATT&CK-aligned investigation runbooks. Recognised as Top 2 Community Contributor globally across all quarters of CY25 and featured in the Sophos Community Staff Spotlight.
Technical Writing · Knowledge Mgmt · Sophos Community · Runbooks
05 — Certifications

15 certifications and training courses

Endpoint security, SIEM operations, cloud, offensive security, and networking: 13 completed, two (CEH and ISC2 CC) actively in progress.

Certified Ethical Hacker (CEH) · EC-Council · In Progress
ISC2 Certified in Cybersecurity (CC) · ISC2 · In Progress
Sophos Central Certified Architect · Sophos
Sophos Certified Endpoint Security Engineer · Sophos
Sophos Central Certified Engineer · Sophos
Sophos Central Support Engineer · Sophos
SIEM Splunk Hands-On Guide Specialization · Coursera
Splunk Administration & Advanced Topics · Coursera
Introduction to SIEM (Splunk) · EDUCBA
The Absolute Guide to MITRE ATT&CK · Purple Academy by Picus Security
AWS Cloud Technical Essentials · AWS / Coursera
Azure Fundamentals · Microsoft / Coursera
Ethical Hacking From Scratch · Udemy
CISSP Security Assessment · SkillUp
The Bits and Bytes of Computer Networking · Google / Coursera
06 — Recognition

5 awards in one year

Four consecutive quarterly recognitions and the full-year top contributor title — ranked globally inside a company with thousands of technical engineers worldwide.

🏆
Sophos Support Team Top 10 — FY25 (Global)
Ranked among the top 10 support engineers globally at Sophos for FY25 — evaluated across case quality, CSAT, SLA adherence, and knowledge base contributions across the entire endpoint security support organisation.
FY25 · Global
Top Sophos Staff Community Contributor — CY25 Overall (Top 2 Globally)
Ranked Top 2 community staff contributors globally for the entire CY25 year — recognised for the highest sustained volume of technically accurate, detailed support content across the Sophos global community.
CY25 Full Year
🎖
Top Sophos Staff Community Contributor — CY25 Q4
Fourth consecutive quarterly recognition — sustained technical output and community engagement through the close of the calendar year.
CY25 Q4
🎖
Top Sophos Staff Community Contributor — CY25 Q3
Third consecutive quarterly recognition — maintained exceptional contribution quality in the global Sophos community.
CY25 Q3
🎖
Top Sophos Staff Community Contributor — CY25 Q2
Quarterly recognition for detailed, technically precise engagement supporting enterprise customers globally.
CY25 Q2
📣
Sophos Community Staff Spotlight
Featured in the Sophos Community Blog for sustained technical contributions and deep product expertise — public recognition by Sophos leadership.
FY25
07 — Contact

Let's talk security

Targeting SOC Analyst, DFIR, Threat Intelligence, and Security Engineering roles at MNCs worldwide. Response within 24 hours.