Project Vivarium: AI Agents as Red Team and Blue Team
An experiment in adversarial AI: local, air-gapped agent crews playing attacker and defender against each other in a sealed, fully observable lab.
Security Engineering · London
Proven across detection engineering, digital forensics and incident response, and cloud security on OCI, AWS, and Azure. Owns ML-assisted detection development at Oracle; previously led ransomware and BEC investigations in consulting at S-RM.
Background
Mansour started in consulting at S-RM, leading digital forensics and incident response engagements — ransomware, business email compromise, insider threat, and cloud intrusion — for organisations from SMEs to large enterprises. That work instilled a disciplined approach to handling evidence and reading adversary behaviour, and to communicating clearly with executives during live incidents.
At Oracle, the focus shifted from responding to incidents to preventing and detecting them at scale: designing ML-assisted detection models for Oracle Cloud Infrastructure, maintaining detection content as code, and automating triage and enrichment so investigations start with context rather than raw alerts.
The common thread is treating detection as an engineering discipline — version-controlled, tested, mapped to MITRE ATT&CK, and validated end-to-end in a self-hosted lab before it is trusted in production.
Principles
Understand how a system behaves, identify where it can fail, and build controls that hold up under pressure. The objective is not security theatre — it is defensible, practical security that works when it matters and supports delivery rather than slowing it down.
That means favouring strong signal over alert volume, automation over repetition, and evidence over assumption. It also means writing things down: clear reporting is part of the engineering, not an afterthought.
Beyond Work
Outside of work, Mansour runs a cloud-integrated home lab for detection research and is active in forensics and exploitation CTFs on Hack The Box and TryHackMe — keeping the offensive perspective sharp enough to inform the defensive one.
Away from a keyboard: Brazilian Jiu-Jitsu (blue belt at Grand Union BJJ) and boxing. He speaks English and Farsi fluently, and conversational German.
Insights
How I prepared for and passed the CISSP, what I would do differently a second time, and how I am thinking about CCSP, OSCP, and CEH from here.
Version control, CI testing, and ATT&CK coverage mapping turned a folder of SIEM rules into an engineering discipline. What changed, what it cost, and what I would do differently.
Contact
Most security programmes discover their gaps during an incident — the most expensive possible moment. Whether you need detections that actually fire, a cloud environment hardened without slowing delivery, or an experienced investigator when something has already gone wrong, this is the work I do every day.
I have run detection at cloud scale and led investigations under live-incident pressure — backed by CISSP, GSEC, and OCI Security credentials, and results you can measure: 75% fewer false positives, ~60% faster detection, and investigations that end with clear decisions rather than open questions. If that is the standard you want for your organisation, let's talk.
Direct line: mansour@jalaly.com · London, United Kingdom