About
👋 Hi, I’m Joe Lopes
I’m a Lead Information Security Engineer working on threat detection, SIEM, and adversary engagement: building the systems that turn raw events into decisions, and the deception infrastructure that catches what conventional detection misses.
This site, lopes.log, is where I write about that work. Detection-as-code, deception engineering, log-pipeline economics, and the occasional reflection on the craft of running a SOC at scale. Long-form, written slowly, and published with intent. No ads ⛔. All opinions are my own. 🫡
I’m Brazilian (Portuguese is my native language) and my given name is José (pronounced djo-zeh). In English it’s often mispronounced ho-zay, which is the Spanish form. Since José maps naturally to Joseph, I go by Joe — simpler, clearer, and travels better.

🔧 What I work on
A few threads run through most of what I write and build:
- Detection engineering as a discipline — rules, testing, coverage, false-positive economics. See Detection-as-Code, Then What? and Engineering Detection Rules.
- Deception engineering — honeypots, honeytokens, and adversary engagement as a first-class detection strategy. I maintain some open-source projects in this space:
- SIEM and log architecture — Chronicle, MISP integration, ingestion economics. See Integrating MISP with Chronicle SIEM and the Project Nebula series.
- AI-native security practice — using LLMs in detection and security engineering without losing the rigor. See AI-First Software Development.
- Rust for security tooling — including Cordyceps, a Rust ransomware proof-of-concept built to study the language and the threat.
🗣️ Talks
- Migrating to Google SecOps: A Tactical Playbook (2026) — Google HQ, São Paulo (pt_BR, private)
- Visibilidade de Rede (2021) — Mind The Sec, remote (pt_BR)
- Práticas de NOC/SOC (2019) — Itaipu, Paraná (pt_BR)
- Método para Uso do SIEM como Ferramenta de Inteligência e Automação (2019) — CERT.br, São Paulo (pt_BR)
- A Abordagem da Cemig na Segurança Cibernética (2018) — CERT.br, São Paulo (pt_BR)
- Blockchains: Muito Além do Bitcoin (2017) — Cemig, Belo Horizonte (pt_BR)
- Estruturação de um CSIRT no Contexto de Smart Grid (2014) — CERT.br, São Paulo (pt_BR)
🔗 Elsewhere
- GitHub — /lopes
- LinkedIn — /jlopesjr
- RSS — /index.xml
🦫 Vigil

Vigil is the beaver of lopes.log. Not cute, not angry, not heroic — focused, neutral, intelligent. Vigil works the way I try to: quietly, observing flows, reading structures, building meaning from fragments.
At lopes.log, I work with Vigil. Where others see logs, we see stories.