
John Yater
Verified Expert in Engineering
Security Analyst and Developer
San Jose, CA, United States
Toptal member since July 1, 2026
John is a security detection engineer with over 13 years of experience in threat detection and adversarial research for clients including ServiceNow, Hewlett-Packard, and NASA Ames Research Center. His primary expertise is in adversarial TTP analysis, forensic investigations, and machine learning-based detection systems for enterprise and cloud environments. He reduced manual phishing triage by 40% while at ServiceNow.
Portfolio
Experience
- SIEM - 12 years
- Linux - 12 years
- Splunk - 5 years
- Detection Engineering - 5 years
- MITRE ATT&CK - 5 years
- Process Development - 4 years
- Security Program Development - 2 years
- Data Analytics - 2 years
Preferred Environment
Google Cloud Platform (GCP), Azure, Linux, Tableau
The most amazing...
...thing I've built isn't a detection pipeline, it's a team that was able build those solutions without me.
Work Experience
Director of Threat Operations
ServiceNow
- Set the strategic vision for a threat detection and intelligence program.
- Built an analytics and automation function that reduced manual phishing triage by 40%, improving signal quality for investigative analysts.
- Collaborated with peer leadership, engineering, and development, setting requirements for the container security program.
- Defined an insider risk program with key stakeholders.
Senior Manager, Detection Engineering and Threat Intelligence
ServiceNow
- Researched and mapped adversary TTPs to MITRE ATT&CK, translating threat actor campaigns and vulnerability intelligence into 300+ production detections via a structured development pipeline.
- Identified and closed detection coverage gaps through intelligence-informed analysis, reducing false positives by 40% via statistical baselining and iterative rule refinement.
- Integrated external threat intelligence feeds into detection logic, continuously surfacing novel behaviors and emerging attack techniques to guide the detection roadmap.
- Evaluated security tooling and research methodologies, aligning detection investment with evolving threat landscape and business risk priorities.
Security Incident Response and Operations Engineer
ServiceNow
- Conducted disk-level forensic investigations across Windows, macOS, and Nix systems on 1,000+ alerts, authoring IR playbooks from observed attacker behavior.
- Founded and led the global incident response team. Managed 500+ incidents with end-to-end forensic analysis and post-incident root cause documentation.
- Led P1 bridge calls across engineering and security teams, averaging 3 high-severity incident resolutions weekly.
Advanced Threat Detection Analyst and Information Security Analyst
Hewlett-Packard
- Researched and automated log ingestion and correlation pipelines via Python integrations with ArcSight, saving 200+ analyst hours per year and improving signal fidelity.
- Collaborated with security architecture teams to develop detection use cases and contributed to major incident investigations.
- Participated in 24/7 security operation center shift work and mentored junior security analysts.
- Automated ticket creation using a terminal bash shell script. This reduced 20-minute ticket creation to 1 minute. Saved analysts several hours per day.
Information Security Analyst and Control Room Analyst (Contractor)
NASA Ames Research Center
- Analyzed 300+ daily SIEM/IDS alerts in 24/7 SOC operations, performing triage and investigation across NASA’s high-complexity network environment including supercomputing systems.
- Processed 70-100 mitigation tasks weekly, and authored inter-agency communication protocols for incident coordination.
- Escalated significant emergency events to leadership during multi-system failure.
- Performed daily sinkhole DNS review for agency-wide security domain blocking.
Experience
LLM Abuse Detection via GPU Power Telemetry
https://dataglancer.com/llm_abuse_detection.htmllabeled sessions spanning 3 LLM architectures (Llama, Phi, Qwen). I also identified a +65W mean GPU power differential between session types, and surfaced generalization limits due to feature instability, providing concrete deployment guidance for telemetry-based AI detection systems.
IR Assessment Project
EigenFlow Profiler
https://dataglancer.com/netflowprofiling.htmlEducation
Master's Degree in Analytics
Georgia Institute of Technology - Atlanta, GA, USA
Bachelor's Degree in Kinesiology and Exercise Science
San Jose State University - San Jose, CA, USA
Certifications
FOR572 (Network Forensics)
SANS
FOR610 (Malware Analysis)
SANS
FOR508 (Memory Forensics and Threat Hunting)
SANS
CISSP
ISC2
Skills
Libraries/APIs
PyTorch, XGBoost, PySpark, Pandas, NumPy, Scikit-learn, vLLM
Tools
Tableau, Splunk, ArcSight, Elastic, Git, Microsoft Power BI, Logging
Platforms
Linux, Google Cloud Platform (GCP), Azure, Databricks, Windows, MacOS, Jupyter Notebook
Languages
Python, R, SQL
Frameworks
LightGBM, Apache Spark
Paradigms
Automation, Agile
Other
SIEM, Detection Engineering, MITRE ATT&CK, ServiceNow, Threat Intelligence, Leadership, Security Program Development, Security Operations Centers (SOC), Data Analytics, BERT, Transformers, Hugging Face, Adversarial Testing, Cloud Security, AWS Cloud Security, Incident Handling, Process Development, Key Performance Indicators (KPIs), Cloud Computing, Biology, Machine Learning, Statistical Methods, Statistical Learning, Statistics, Clustering, Regression, Principal Component Analysis (PCA), Model Evaluation, Supervised Learning, Unsupervised Learning, Forensics, Incident Response, Strategy, Containers, Insider Risk, Orchestration, Risk Models, ITSM, Supercomputers, Advanced Computing, Open-source LLMs, Program Management, IT Project Management, NetFlow, Malware Analysis, Memory Forensics, Security Management, Security Architecture
How to Work with Toptal
Toptal matches you directly with global industry experts from our network in hours—not weeks or months.
Share your needs
Choose your talent
Start your risk-free talent trial
Top talent is in high demand.
Start hiring