Professional

Conference Talks

• Bad Actors: Building Realistic Security Eval Data with Agentic AI — Graph the Planet 2026 | Slides (March 2026)
• State of Cybersecurity: Beyond the Hype in the SOC (panel) — (2024, with Daniel Kendzior, David Brauchler, Fahmida Rashid)
• Offense v Defense: Digging into GraphRunner and Microsoft Graph API Log Sources You May Not Be Looking At But Should — FIRST Technical Colloquium Amsterdam (2024, with John Stoner)
• What the Vendor Never Told You About SIEM Migration — Health-ISAC Spring Summit (2024, with Mark Ruiz)
• Collaboratively Caring and Securely Sharing — FIRST Conference (2024)
• Smooth SIEM Surgery: Practical Tips for SIEM Migration — BrightTalk (2024, with Anton Chuvakin)
• Fastest Two Minutes in SecOps: Cloud Security — Google Cloud Community | Chronicle Blog (2023)
• Enabling DevSecOps and Securing the Software Factory (SEC1108C) — Splunk .conf21 (2021, with Chris Riley)
• ATT&CK Simulator — BlackHat Arsenal USA | BlackHat Arsenal Asia (2020, with Kyle Champlin, Tim Frazier)
• Adversary Emulation and Automation — KringleCon 3 | YouTube (2020)
• Investigating with Splunk — UC Berkeley School of Information (2020, with Lily Lee)
• Using Frameworks to Level Up Your Detection Game (SEC1927) — Splunk .conf19 | Slides (2019, with Ryan Kovar, John Stoner)
• Datasciencery by the Splunk Field — DEF CON 27 AI Village | Security Boulevard (2019, with Ryan Kovar, David Veuve)
• Cloudy with Low Confidence of Threat Intel — FIRST CTI Symposium London (2019, with Ryan Kovar)
• Cloudy with Low Confidence of Threat Intel — SANS CTI Summit (2019, with Ryan Kovar)
• From Automation to Analytics: Simulating the Adversary — MITRE ATT&CKcon | Slides (2018, with Ryan Kovar)
• From Automation to Analytics — SANS Tactical Detection & Data Analytics Summit (2018, with Ryan Kovar)
• Hunting Hidden Empires with TLS-Certified Hypotheses — SANS CTI Summit | Slides (2018, with Ryan Kovar)
• Go From Dashboards to Applications With Ease (DEV1545) — Splunk .conf18 | Slides (2018, with David Veuve) — Top rated Dev talk
• Cops and Robbers: Simulating the Adversary (SEC1244) — Splunk .conf18 | Slides (2018, with Kyle Champlin, Tim Frazier)
• Apples and Oranges?: A CompariSIEM (panel) — SANS SOC Summit (2018, with Justin Henderson)
• Speaker — BSides Las Vegas (2018)
• WOULD YOU LIKE TO PLAY A (security) GAME? — SANS Blue Team Summit | Rocky Mountain Information Security Conference (2018, with Ryan Kovar)
• The Threat Intel Victory Garden — SANS CTI Summit | SlideShare (2017, with Ryan Kovar)
• SOCs for the Rest of Us — SANS Cyber Defense Summit (2017, with Ryan Kovar)
• SOCs for the Rest of Us — BSides Pittsburgh (2017)
• How to Build an Analytics Enabled SOC — SplunkLive! South Bay (2016)
• Exploring the Frameworks of Splunk Enterprise Security — Splunk .conf16 (2016, with Kyle Champlin)
• Splunk Enterprise for InfoSec (Hands-On) — Splunk .conf16 | Slides (2016, with James Brodsky)

Podcasts & Webinars

• Building SOCs with Data Lakes & Focused AI Agents — Detection at Scale, Ep. 66 | Podbean (2025)
• AI and Automation in Cybersecurity — Databricks & Barracuda Webinar (2025, with Merium Khalid)
• Canned Detections: From Educational Samples to Production-Ready Code — Google Cloud Security Podcast, Ep. 149 (2023, with John Stoner)
• SOC: The People Side and How to Do it Right — Google Cloud Security Podcast, Ep. 64 (2022)
• The SANS Holiday Hack Challenge 2021 — Interview with Ed Skoudis (2021)
• Training Yourself in a Quarantined World — SANS Blueprint Podcast | Apple Podcasts (2020, with Ryan Kovar)

Articles & Blog Posts

• Analyzing Security Data with Google SQL Pipe Syntax — Google Cloud Community (2025)
• Migrate Off That Old SIEM Already! — Medium (2024, with Anton Chuvakin)
• Announcing Data Intelligence for Cybersecurity — Databricks (2025, with Taylor Kain & Omar Khawaja)
• Securing the Future: How Databricks Powers Financial Services — Databricks (2025, with Kim Hatton & Taylor Kain)
• EO, EO, It’s Off to Work We Go (Ransomware & EO14028) — Splunk (2021)
• SURGe: Blue Collar for the Blue Team — Splunk (2021)
• Boss of the SOC v3 Dataset Released — Splunk (2018)
• Boss of the SOC 2.0 Dataset — Open-Sourced — Splunk
• Boss of the SOC Scoring Server & Dataset — Open-Sourced — Splunk (with Ryan Kovar)
• Staff Picks for Splunk Security Reading — Splunk (Oct 2021)
• Staff Picks for Splunk Security Reading — Splunk (Jun 2021)
• Staff Picks for Splunk Security Reading — Splunk (Apr 2021)
• Staff Picks for Splunk Security Reading — Splunk (Dec 2020)
• Data Filtering Techniques — Splunk (2017)

CTF

• splunk/botsv1 — Boss of the SOC v1 dataset
• splunk/botsv2 — Boss of the SOC v2 dataset
• splunk/botsv3 — Boss of the SOC v3 dataset
• daveherrald/botsv1 — Boss of the SOC v1 dataset
• splunk/SA-ctf_scoreboard — BOTS CTF Scoring Server
• splunk/securitydatasets — Splunk security datasets
• BOTS AMER Closing — (with Ryan Kovar)
• BOTS APAC Closing — (with Ryan Kovar)
• Boss of the SOC (BOTS) — Co-creator (2016+) | CyberDefenders v1 | CyberDefenders v2 | CyberDefenders v3
• SANS Holiday Hack / KringleCon — Challenge developer (2019, 2020) + speaker (2020)

Code

• daveherrald/badactors — Open-source framework for generating forensically authentic Windows security telemetry using autonomous, persona-driven AI agents operating inside instrumented VMs — because the agents perform real actions, the resulting process trees, network connections, and registry changes are indistinguishable from production
• daveherrald/echolake — Replay and time-shift security datasets into any detection pipeline
• daveherrald/echolake-datasets — Curated security datasets for detection engineering, threat hunting, and security research
• splunk/attack_range — Contributor
• SA-attck_nav — MITRE ATT&CK Navigator for Splunk
• scansio-sonar-splunk — Scans.io data parser for Splunk
• SA_plaso-app-for-splunk — Forensic timeline analysis with Plaso
• noisy-sysmon — Verbose Sysmon config for labs
• Splunk Dev For All — .conf18 companion app (with David Veuve)

Community

• Google Cybersecurity Professional Certificate — Module 6 author, on-screen presenter, and content reviewer (Coursera)
• SANS Mentor — 2012 to 2015
• CyberPatriot — Technical mentor