
Siebe Moeskops
Internship
Motivated IT professional with a strong foundation in networking, cloud infrastructure, and security. Passionate about building, securing, and automating reliable systems.
Netleaf — SOC Intern
Adversary Emulation Internship | Cloud and Cyber Security 2026


Introduction to Netleaf
Netleaf is a Belgian cybersecurity and networking company that provides managed security services and SOC solutions. During my internship in the Cloud & Cyber Security department, I focused on improving how security detections are validated and monitored within the SOC.
1. The Problem
Within Netleaf, existing detection validation processes relied heavily on manual testing. This manual approach was time-consuming, difficult to scale, and provided limited visibility into detection gaps within existing rules as well as the effectiveness of newly developed custom detections.
2. Approach
To address this challenge, a rule validation framework was developed through three internship tasks. Atomic Red Team simulations were used to validate existing detections and identify coverage gaps, while Terraform and GitLab CI/CD were explored to automate the deployment and validation of custom detection rules. Continuous validation was then implemented to regularly verify that detections remained operational and effective over time.
3. Outcome
The final solution resulted in an automated SOC validation framework capable of validating existing detections, testing newly developed custom rules, and continuously monitoring detection effectiveness over time. Centralized Grafana dashboards and SQLite databases provided clear reporting and visualization of executed attack simulations, triggered alerts, failed validations, and overall detection coverage, contributing to a more scalable and efficient SOC validation process.

Task 1 – Coverage Mapping
The first phase of the internship focused on coverage mapping and detection validation within the SIEM environment. Atomic Red Team techniques were executed individually, using Velociraptor to identify which Rapid7 detection rules were triggered for each simulated attack scenario.
By correlating executed techniques with generated alerts, it became possible to determine where detection gaps existed and which attack techniques lacked sufficient rule coverage inside the platform.
In addition, centralized dashboards and visualizations were developed to provide a clear overview of executed tests, triggered detections, and overall detection coverage across the environment.

- Validation of detection rules
- Correlation between executed attacks and SIEM alerts
- Identification of detection gaps
- Centralized visibility

Task 2 – Detection-as-Code Pipeline
The second phase of the internship focused on the automated creation, validation, and lifecycle management of new custom Rapid7 detection rules.
Building further on the validation and correlation flow developed during the first phase, a dedicated GitLab CI/CD pipeline was created to automatically deploy new custom detection rules through Terraform. By executing Atomic Red Team simulations against these newly created rules, I could verify whether the new detections generated alerts successfully inside Rapid7. This gave me confirmation that the newly deployed rules were working correctly.
The workflow also introduced centralized validation reporting and selective cleanup mechanisms to improve scalability, consistency, and efficiency within the detection engineering process.

- Automated deployment of new rules
- Validation of newly created rules
- Selective cleanup of failed detection rules

Task 3 – Continuous Detection Validation
The third phase of the internship focused on continuous detection validation. A scheduled GitLab CI/CD pipeline was developed to automatically execute batches of Atomic Red Team tests at fixed intervals. By repeatedly testing detection rules over time, it became possible to identify which detections continued to trigger reliably and which no longer responded as expected.
This approach provided continuous visibility into the operational status and reliability of detection rules, helping identify detections that had become outdated or less effective and required tuning, updates, or further investigation.

- Continuous validation of detection visibility
- Identification of unstable or outdated detection rules
- Scalable continuous validation workflow

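As an added illustration (not code from the internship project), the two core checks the framework relies on: the Task 1 correlation of executed Atomic Red Team techniques with SIEM alerts to find coverage gaps, and the Task 3 comparison of two scheduled runs to find rules that stopped firing. The data, table layout, rule names and 3-minute correlation window are constructed assumptions.

```python
import sqlite3

# Constructed sample data, not taken from the internship environment.
# Executed Atomic Red Team tests: (batch run id, ATT&CK technique, host, start time)
EXECUTIONS = [
    ("run-1", "T1059.001", "host-a", "2026-03-01T10:00:00"),
    ("run-1", "T1003.001", "host-a", "2026-03-01T10:05:00"),
    ("run-1", "T1053.005", "host-a", "2026-03-01T10:10:00"),
    ("run-2", "T1059.001", "host-a", "2026-03-08T10:00:00"),
    ("run-2", "T1003.001", "host-a", "2026-03-08T10:05:00"),
    ("run-2", "T1053.005", "host-a", "2026-03-08T10:10:00"),
]
# SIEM alerts: (rule name, technique the rule is tagged with, host, alert time)
ALERTS = [
    ("Suspicious PowerShell", "T1059.001", "host-a", "2026-03-01T10:01:30"),
    ("LSASS Memory Access", "T1003.001", "host-a", "2026-03-01T10:06:10"),
    ("Suspicious PowerShell", "T1059.001", "host-a", "2026-03-08T10:01:12"),
]
WINDOW_SECONDS = 180  # an alert only counts if it fires within 3 min of the test start (assumed)

def build_db():
    """Load executions and alerts into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE executions(run_id, technique, host, started_at)")
    conn.execute("CREATE TABLE alerts(rule, technique, host, fired_at)")
    conn.executemany("INSERT INTO executions VALUES (?,?,?,?)", EXECUTIONS)
    conn.executemany("INSERT INTO alerts VALUES (?,?,?,?)", ALERTS)
    return conn

def correlate(conn, run_id):
    """Map each technique executed in a run to the rules that fired for it (empty set = undetected)."""
    rows = conn.execute("""
        SELECT e.technique, a.rule
        FROM executions e
        LEFT JOIN alerts a
          ON a.technique = e.technique AND a.host = e.host
         AND a.fired_at >= e.started_at
         AND (julianday(a.fired_at) - julianday(e.started_at)) * 86400 <= ?
        WHERE e.run_id = ?""", (WINDOW_SECONDS, run_id)).fetchall()
    result = {}
    for technique, rule in rows:
        result.setdefault(technique, set())
        if rule:
            result[technique].add(rule)
    return result

def coverage_gaps(conn, run_id):
    """Techniques executed in the run that triggered no rule at all (Task 1 view)."""
    return sorted(t for t, rules in correlate(conn, run_id).items() if not rules)

def regressions(conn, previous_run, current_run):
    """Techniques detected in the previous run but silent in the current one (Task 3 view)."""
    before, after = correlate(conn, previous_run), correlate(conn, current_run)
    return sorted(t for t, rules in before.items() if rules and not after.get(t))
```

In the constructed data the LSASS rule fires in run-1 but not in run-2, so it shows up as a regression while T1053.005 is a standing coverage gap.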
Internship Documents
Project Charter
Contains the project scope, objectives, stakeholders, planning, risks, and the overall approach of the internship assignment.
Realization document
Provides a complete technical overview of the project, including the research, workflows, technologies, and final solution.
Reflection
Covers the personal and technical learning experiences, challenges, and growth achieved throughout the internship period.
Siebe Moeskops
Cloud & Cyber Security student passionate about networking, infrastructure, automation, and security operations.
Get In Touch

Heist-op-den-Berg 2220, Antwerpen

(+32) 468 30 05 98

siebe.moeskops@student.thomasmore.be