John Yater, Developer in San Jose, CA, United States
John is available for hire
Hire John

John Yater

Security Analyst and Developer

San Jose, CA, United States

Toptal member since July 1, 2026

Bio

John is a security detection engineer with over 13 years of experience in threat detection and adversarial research for clients including ServiceNow, Hewlett-Packard, and NASA Ames Research Center. His primary expertise is in adversarial TTP analysis, forensic investigations, and machine learning-based detection systems for enterprise and cloud environments. He reduced manual phishing triage by 40% while at ServiceNow.

Portfolio

ServiceNow
Strategy, Containers, Insider Risk, Security Program Development, Orchestration...
ServiceNow
MITRE ATT&CK, Agile, ServiceNow, Threat Intelligence, Splunk, SIEM, Leadership...
ServiceNow
Splunk, ServiceNow, Forensics, Incident Handling, Incident Response, SIEM...

Experience

  • SIEM - 12 years
  • Linux - 12 years
  • Splunk - 5 years
  • Detection Engineering - 5 years
  • MITRE ATT&CK - 5 years
  • Process Development - 4 years
  • Security Program Development - 2 years
  • Data Analytics - 2 years

Preferred Environment

Google Cloud Platform (GCP), Azure, Linux, Tableau

The most amazing...

...thing I've built isn't a detection pipeline, it's a team that was able build those solutions without me.

Work Experience

Director of Threat Operations

2023 - 2023
ServiceNow
  • Set the strategic vision for a threat detection and intelligence program.
  • Built an analytics and automation function that reduced manual phishing triage by 40%, improving signal quality for investigative analysts.
  • Collaborated with peer leadership, engineering, and development, setting requirements for the container security program.
  • Defined an insider risk program with key stakeholders.
Technologies: Strategy, Containers, Insider Risk, Security Program Development, Orchestration, Automation, MITRE ATT&CK, Splunk, ServiceNow, Threat Intelligence, Cloud Computing

Senior Manager, Detection Engineering and Threat Intelligence

2017 - 2023
ServiceNow
  • Researched and mapped adversary TTPs to MITRE ATT&CK, translating threat actor campaigns and vulnerability intelligence into 300+ production detections via a structured development pipeline.
  • Identified and closed detection coverage gaps through intelligence-informed analysis, reducing false positives by 40% via statistical baselining and iterative rule refinement.
  • Integrated external threat intelligence feeds into detection logic, continuously surfacing novel behaviors and emerging attack techniques to guide the detection roadmap.
  • Evaluated security tooling and research methodologies, aligning detection investment with evolving threat landscape and business risk priorities.
Technologies: MITRE ATT&CK, Agile, ServiceNow, Threat Intelligence, Splunk, SIEM, Leadership, Adversarial Testing, Cloud Security, AWS Cloud Security, Windows, Linux, MacOS, Incident Handling, Process Development, Key Performance Indicators (KPIs), Cloud Computing, Detection Engineering, Security Program Development, Risk Models, Automation, Forensics

Security Incident Response and Operations Engineer

2015 - 2017
ServiceNow
  • Conducted disk-level forensic investigations across Windows, macOS, and Nix systems on 1,000+ alerts, authoring IR playbooks from observed attacker behavior.
  • Founded and led the global incident response team. Managed 500+ incidents with end-to-end forensic analysis and post-incident root cause documentation.
  • Led P1 bridge calls across engineering and security teams, averaging 3 high-severity incident resolutions weekly.
Technologies: Splunk, ServiceNow, Forensics, Incident Handling, Incident Response, SIEM, AWS Cloud Security, Detection Engineering, MITRE ATT&CK, Linux, Elastic, Threat Intelligence, Windows, Process Development, Key Performance Indicators (KPIs), Cloud Computing

Advanced Threat Detection Analyst and Information Security Analyst

2014 - 2015
Hewlett-Packard
  • Researched and automated log ingestion and correlation pipelines via Python integrations with ArcSight, saving 200+ analyst hours per year and improving signal fidelity.
  • Collaborated with security architecture teams to develop detection use cases and contributed to major incident investigations.
  • Participated in 24/7 security operation center shift work and mentored junior security analysts.
  • Automated ticket creation using a terminal bash shell script. This reduced 20-minute ticket creation to 1 minute. Saved analysts several hours per day.
Technologies: Python, ArcSight, Tableau, SQL, ITSM, Security Operations Centers (SOC), Incident Response, Automation, SIEM, Linux, Threat Intelligence, Windows, Incident Handling, Forensics

Information Security Analyst and Control Room Analyst (Contractor)

2010 - 2014
NASA Ames Research Center
  • Analyzed 300+ daily SIEM/IDS alerts in 24/7 SOC operations, performing triage and investigation across NASA’s high-complexity network environment including supercomputing systems.
  • Processed 70-100 mitigation tasks weekly, and authored inter-agency communication protocols for incident coordination.
  • Escalated significant emergency events to leadership during multi-system failure.
  • Performed daily sinkhole DNS review for agency-wide security domain blocking.
Technologies: SIEM, Security Operations Centers (SOC), Linux, Supercomputers, Advanced Computing, SQL, ArcSight, Threat Intelligence, Forensics

Experience

LLM Abuse Detection via GPU Power Telemetry

https://dataglancer.com/llm_abuse_detection.html
I researched GPU power telemetry as a side-channel signal for classifying benign vs. adversarial LLM inference sessions. I achieved AUC above 0.999 across 4 classifiers (Random Forest, XGBoost, LightGBM, MLP) on 3,931
labeled sessions spanning 3 LLM architectures (Llama, Phi, Qwen). I also identified a +65W mean GPU power differential between session types, and surfaced generalization limits due to feature instability, providing concrete deployment guidance for telemetry-based AI detection systems.

IR Assessment Project

I designed, executed, and reported on a year-long systematic investigation of an incident response program, identifying and remediating gaps in access control, misconfiguration, and documentation. I organized 4 teams of 4 per quarter for distributed work, and structured findings using an Agile-like cadence with cross-functional stakeholders.

EigenFlow Profiler

https://dataglancer.com/netflowprofiling.html
I applied an eigenface-style PCA technique to NetFlow data to create per-attack behavioral fingerprints on the CIC-IDS-2018 benchmark. I achieved 100% classification accuracy across 4 attack categories (credential-based, DoS/DDoS, exploit/malware, application-layer), with clear L2 error separation between benign and attack sessions on a 30-sample test set.

Education

2024 - 2026

Master's Degree in Analytics

Georgia Institute of Technology - Atlanta, GA, USA

2004 - 2008

Bachelor's Degree in Kinesiology and Exercise Science

San Jose State University - San Jose, CA, USA

Certifications

APRIL 2016 - APRIL 2020

FOR572 (Network Forensics)

SANS

DECEMBER 2015 - DECEMBER 2017

FOR610 (Malware Analysis)

SANS

OCTOBER 2015 - OCTOBER 2019

FOR508 (Memory Forensics and Threat Hunting)

SANS

APRIL 2015 - APRIL 2019

CISSP

ISC2

Skills

Libraries/APIs

PyTorch, XGBoost, PySpark, Pandas, NumPy, Scikit-learn, vLLM

Tools

Tableau, Splunk, ArcSight, Elastic, Git, Microsoft Power BI, Logging

Platforms

Linux, Google Cloud Platform (GCP), Azure, Databricks, Windows, MacOS, Jupyter Notebook

Languages

Python, R, SQL

Frameworks

LightGBM, Apache Spark

Paradigms

Automation, Agile

Other

SIEM, Detection Engineering, MITRE ATT&CK, ServiceNow, Threat Intelligence, Leadership, Security Program Development, Security Operations Centers (SOC), Data Analytics, BERT, Transformers, Hugging Face, Adversarial Testing, Cloud Security, AWS Cloud Security, Incident Handling, Process Development, Key Performance Indicators (KPIs), Cloud Computing, Biology, Machine Learning, Statistical Methods, Statistical Learning, Statistics, Clustering, Regression, Principal Component Analysis (PCA), Model Evaluation, Supervised Learning, Unsupervised Learning, Forensics, Incident Response, Strategy, Containers, Insider Risk, Orchestration, Risk Models, ITSM, Supercomputers, Advanced Computing, Open-source LLMs, Program Management, IT Project Management, NetFlow, Malware Analysis, Memory Forensics, Security Management, Security Architecture

Collaboration That Works

How to Work with Toptal

Toptal matches you directly with global industry experts from our network in hours—not weeks or months.

1

Share your needs

Discuss your requirements and refine your scope in a call with a Toptal domain expert.
2

Choose your talent

Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.
3

Start your risk-free talent trial

Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.

Top talent is in high demand.

Start hiring