THOR-SEC

About

Independent means this work is self-directed, published on its own timeline, and separate from any employer role. Research is developed in authorized lab environments, documented with reproducible methods, and released when it is ready for public review.

Defensive security sets the priorities: authorized scope, clear evidence, containment before expansion, and output that security teams can use in operations. Professional experience informs the research; THOR-SEC does not represent any employer.

Views and research are personal. THOR-SEC is an independent open-source cybersecurity research portfolio and is not affiliated with, endorsed by, or representative of any current or former employer.

Research Focus

• AI Security and LLM Infrastructure

  Tool-connected agents, prompt boundaries, and LLM deployment controls.

• Defensive Security Automation

  Automated triage, enrichment, and response workflows for defensive operations.

• Detection Engineering and SIEM Workflows

  Detection rules, log normalization, alert tuning, and correlation logic.

• Incident Response and Root Cause Analysis

  Investigation methods, timeline reconstruction, and post-incident documentation.

• Secure Code Review and Application Security

  Review of authentication, authorization, input handling, and common vulnerability classes.

• Threat Intelligence and Vulnerability Research

  Mapping adversary techniques to defensive controls and evaluating exposure risk.

• Cybersecurity Writing and Security Documentation

  Incident reports, runbooks, and architecture notes for security teams.

Open-Source Research

Published repositories with source code, documentation, and defensive use guidance.

• Featured project

  llm-agent-control-plane

  A defensive reference implementation for tool-connected LLM agents. Agents may propose actions; an external control plane authorizes them.

  llm-agent-control-plane models a defensive pattern for tool-connected LLM systems: agents can propose actions, but a separate policy layer decides whether those actions are allowed. The project focuses on authorization boundaries, auditability, and safer automation patterns rather than treating model output as trusted execution.

  Example authorization pattern

  # Agent proposes; control plane authorizes
  proposal = agent.plan(user_input)
  decision = control_plane.authorize(proposal, policy, identity)
  if decision.allowed:
      executor.run(proposal.action)

  Source: policy_engine.py in llm-agent-control-plane

  View repository on GitHub

Field Notes

Short research notes from authorized lab work, detection engineering, and defensive security analysis.

• June 2026 · Research note

  OAuth Anomaly Baseline

  A compact detection pattern for identifying unusual OAuth grant behavior by comparing per-user token activity against a rolling baseline. The goal is to surface unusual client and scope combinations for defensive review.

  Splunk SPL baseline example

  index=authentication sourcetype=oauth:token
  | stats dc(client_id) AS clients dc(scope) AS scopes count BY user
  | eventstats avg(count) AS avg_grant stdev(count) AS stdev_grant BY user
  | eval threshold=avg_grant+(3*stdev_grant)
  | where count > threshold AND clients > 1

• June 2026 · Research note

  LLM Agent Authorization Boundary

  A defensive design note for tool-connected LLM systems. The agent may propose an action, but authorization should happen in a separate policy layer with identity context, allow/deny decisions, and audit logging.

  Authorization pattern

  decision = control_plane.authorize(action, identity, policy)
  
  if decision.allowed:
      audit.log(action, identity, "allowed")
      tool.execute(action)
  else:
      audit.log(action, identity, "blocked")

Responsible Use

THOR-SEC supports authorized defensive security work only. Research and tools are intended for systems, applications, accounts, networks, and data that are owned, operated, or explicitly authorized for testing or analysis. THOR-SEC does not support unauthorized access, credential theft, phishing, data exfiltration, malware deployment, denial-of-service activity, sabotage, or any activity intended to cause harm.

Experience Snapshot

Background in security operations and engineering. Listed for context; THOR-SEC research is independent of these roles.

Core Competencies

• Endpoint Detection and Response
• Endpoint Security Support and Escalation Management
• SIEM and Log Ingestion
• Detection Engineering and Playbook Automation
• Incident Response and Root Cause Analysis
• REST APIs, OAuth, SDK Debugging
• Splunk Administration and Observability
• Kubernetes, Linux, Windows, macOS
• Python and Bash Automation
• Quality Assurance and Release Validation
• Enterprise Backup and Recovery

Employment History

• Technical Support Engineer, Cortex XDR Palo Alto Networks
• Software Engineer II / Technical Support Warner Bros. Discovery
• Technical Operations Engineer II / Splunk Admin DoubleVerify
• Software Quality Assurance Analyst Getac Video Solutions
• Senior Technical Support Engineer Veritas Technologies
• Deskside IT Support Representative IBM

Cybersecurity Writing and Publications

Published work on cybersecurity reporting, AI security workflows, prompt-oriented programming, and security documentation.

• Exploit the Reader: Cybersecurity Writing for Reports That Survive Reality

  • View Kindle edition
  • View paperback edition

• Prompting as a Programming Language: A Practical Guide to Prompt-Oriented Programming, AI Workflows, and Automation

  • View Kindle edition
  • View paperback edition

• Selected Essays

  • Unique Violation on Substack

• Selected Cybersecurity Articles

  A focused selection of cybersecurity and AI security essays from Unique Violation.

  • The 15 Failure Points Hiding Inside Every LLM API LLM API security architecture
  • A Model That Says “No” Is Not a Firewall AI agent security
  • The MCP Attack Surface: Why Your AI Agent’s New “USB-C Port” Is a Remote Execution Tier MCP attack surface
  • skill.md Is an Unsigned Binary With Your Keys Agent skill security
  • Your Purple Team Is a Report Factory Purple team engineering
  • Stop Chasing Malware Names. Start Defending the Cybercrime Supply Chain. Cybercrime supply chain defense
  • Security Stack Engineering Governed security operations
  • High-Speed IOC Correlation: A Python Pipeline for Analysts & Researchers IOC correlation pipeline

Learning Records

Public learning and badge records are available for verification.

• Coursera Learning Profile: coursera.org/learner/th0rth0r
• Credly Badge Portfolio: credly.com/users/isaac-thor

Research Collaboration

For defensive security questions, research ideas, or collaboration proposals, send a concise email with the topic, authorization context, and intended scope.

Email a research proposal

Do not send secrets, credentials, customer data, exploit code, or confidential logs in the first message.