William Roberts
PORTRAIT drop assets/portrait.jpg
ID · WR-13 // BIRMINGHAM, AL

SECURE · SEGMENT · MONITOR

William
Roberts

Cybersecurity Analyst / Network Engineer

I defend a network I designed end to end — triaging alerts, hunting threats, and mapping activity to MITRE ATT&CK across a fully segmented environment with centralized SIEM, inline IDS/IPS, and encrypted remote access.

CORE
STACK

Who I Am

I'm a Data Support Technician at CSpire moving deliberately toward Security Operations. My edge is that I don't just read about defense — I build the network, break it, watch it fail in the logs, and rebuild it stronger. Every control on my resume is running in production on my own infrastructure.

FOCUS Threat detection, network defense & incident response
EDUCATION B.S. Cybersecurity & Information Assurance — WGU (in progress)
FRAMEWORKS MITRE ATT&CK · SOC workflows · OSI-model troubleshooting

Service Record

Download résumé
2026Present

Data Support Technician

CSpire · Birmingham, AL

  • Monitored network connectivity, routing devices, and traffic flows to keep service delivery stable and secure.
  • Verified public IP handoffs and analyzed traffic to troubleshoot connectivity and routing issues.
  • Documented, tracked, and resolved network incidents in ServiceNow using structured ticket workflows.
  • Partnered with internal teams to diagnose infrastructure problems and support escalated network requests.
InProgress

B.S. Cybersecurity & Information Assurance

Western Governors University

Coursework aligned to SOC operations, network defense, and information assurance.

What I Run

SIEM & Detection

WazuhElastic StackKibana Log CorrelationAlert TriageThreat Hunting MITRE ATT&CKFIM

Firewalls & IDS/IPS

pfSenseSuricataStateful Inspection NATVLAN SegmentationNACiptables

Networking

TCP/IPStatic & Inter-VLAN RoutingDHCP tcpdumpPacket Capturesyslog (RFC 5424)

VPN & DNS Security

WireGuardPiVPNFull-Tunnel Routing Pi-holeUnboundDNSSECC2 Detection

Infrastructure

Proxmox VETrueNAS SCALEDocker ZFSUbuntu ServerDebian / DietPi

Systems & Tools

Windows ServerActive DirectoryGroup Policy ServiceNowLinux CLI / bashNGINX

NervHQ

FEATURED BUILD

NervHQ

Enterprise-grade home network & security infrastructure

A multi-host homelab that simulates enterprise network architecture with layered security controls: VLAN segmentation, centralized SIEM monitoring, IDS/IPS enforcement at the perimeter, and encrypted remote access. It's my proving ground — every alert, tuning decision, and incident writeup on my resume originates here on the 10.6.7.0/24 network.

  • Centralized Wazuh SIEM (v4.7.5) + Elastic Stack across all hosts
  • pfSense perimeter with Suricata IDS/IPS & VLAN isolation
  • Pi-hole + Unbound DNS sinkhole with DNSSEC validation
  • WireGuard full-tunnel VPN via PiVPN for remote access

Network Topology

Data path Log / telemetry → SIEM
INTERNET WAN / ISP pfSense FIREWALL Suricata IDS/IPS · NAT stateful inspection WireGuard VPN PiVPN · full-tunnel remote peers CORE SWITCH VLAN segmentation 10.6.7.0/24 · inter-VLAN routing DNS SECURITY Pi-hole v6 · Unbound DNSSEC · sinkhole PROXMOX VE VMs · containers Docker Compose TrueNAS SCALE ZFS storage media & app stack WAZUH SIEM Elastic Stack log correlation MITRE ATT&CK mapping ◂ all hosts forward syslog
01

Perimeter — pfSense + Suricata

All WAN traffic terminates at a pfSense firewall enforcing stateful inspection, custom rule sets, and NAT policies. Suricata runs inline as an IDS/IPS, doing signature-based detection and auto-alerting on malicious traffic before it reaches internal segments.

02

Segmentation — VLANs & Routing

A segmented core carves the 10.6.7.0/24 network into isolated VLANs with interface-level ACLs and inter-VLAN routing policies. Security boundaries are explicit — each segment only talks to what it's allowed to.

03

DNS Defense — Pi-hole + Unbound

Pi-hole v6 acts as a network-wide DNS sinkhole for malware-domain filtering and full query logging, while Unbound provides DNSSEC-validated recursive resolution. Query logs are mined for anomalies and potential C2 callbacks.

04

Compute — Proxmox & TrueNAS

Proxmox VE hosts the VMs and Docker workloads; TrueNAS SCALE handles ZFS storage and the media/app stack. Both forward syslog to the SIEM and run Wazuh agents for endpoint visibility and file integrity monitoring.

05

Remote Access — WireGuard

Encrypted remote access rides a WireGuard tunnel deployed via PiVPN with full-tunnel routing, persistent keepalive, and preshared-key auth. pfSense static routes and firewall rules handle VPN return traffic under policy.

06

Visibility — Wazuh SIEM

Every host forwards logs to a central Wazuh SIEM on the Elastic Stack. Firewall, auth, and system events are correlated, mapped to MITRE ATT&CK tactics, and triaged — with detection rules tuned continuously to cut false positives and sharpen signal.

NervHQ Roadmap

  1. DEPLOYED

    Network design & VLAN segmentation

    Carved the 10.6.7.0/24 network into isolated segments with inter-VLAN routing and interface ACLs.

  2. DEPLOYED

    pfSense + Suricata perimeter

    Stateful firewall, NAT policies, and inline IDS/IPS with signature-based detection and firewall log forwarding.

  3. LIVE

    Wazuh SIEM & MITRE mapping

    Centralized log aggregation on Elastic Stack; alerts correlated and mapped to ATT&CK tactics, rules tuned for signal.

  4. LIVE

    DNS security & encrypted access

    Pi-hole + Unbound sinkhole with DNSSEC, and WireGuard full-tunnel remote access via PiVPN.

  5. NEXT

    Automated response (SOAR)

    Active-response playbooks and Suricata-triggered blocking to move from detection toward containment.

  6. PLANNED

    Detection-as-code & dashboards

    Version-controlled detection rules and purpose-built Kibana dashboards for triage and threat-hunting.