About

I am a principal security engineer in Amazon Threat Intelligence, where I helped build the core capabilities and programs that define Amazon's cyber threat intelligence function. My work focuses on investigations into sophisticated threat activity, including nation-state and well-resourced criminal actors, and on turning those intelligence findings into practical defensive outcomes across Amazon.

My background blends threat intelligence, malware and threat analysis, and enough engineering to prototype and operationalize tooling when needed. The intelligence I lead and advise on informs strategic security decisions across Amazon and feeds the protections offered through AWS security services.

Selected Work

Amazon Threat Intelligence (AWS)

• Principal Security Engineer for Amazon Threat Intelligence, helping to design and grow the programs, workflows, and capabilities that underpin Amazon's cyber threat intelligence function.
• Lead and subject-matter expert for investigations into sophisticated threat activity, with a focus on nation-state and high-end criminal operations.
• Integration of threat intelligence into AWS security services and infrastructure protections, including:
  • Amazon Inspector — vulnerability intelligence and enrichment behind AtigData, connecting real-world adversary behavior and exploit trends to cloud workload risk.
  • Amazon GuardDuty Malware Protection — intelligence-driven malware analysis and YARA-style signature contributions informing the malware scan engine.
  • Amazon GuardDuty — enhancements to detection features for command-and-control (C2) findings and other intelligence-driven alerts.
  • MadPot and Sonaris — contributions to AWS’s honeypot-driven threat intelligence (MadPot) that powers Sonaris, AWS’s active-defense system used to block large-scale attacks against AWS infrastructure.
• Speaker at AWS re:Inforce (TDR304) on scaling AWS threat intelligence: session announcement.
• Co-presenter of Amazon Threat Intelligence’s nation-state research at CYBERWARCON; public summary on the Amazon Security Blog: nation-state actors bridging cyber and kinetic warfare .

Previous Work at Microsoft

Before Amazon, I was an early builder in Microsoft’s Threat Intelligence Center (MSTIC), where I developed much of the team’s initial tooling and analysis capabilities that supported early nation-state intrusion investigative work.

• Security software engineer in Microsoft’s Threat Intelligence Center (MSTIC), contributing to early investigative tooling and workflows that supported emerging nation-state intrusion analysis.
  • Sysinternals Sysmon (product page): contributed detection and monitoring features including RawAccessRead, WMI persistence monitoring, and expanded ProcessCreate fields. Contributions were acknowledged in Mark Russinovich’s Troubleshooting with the Windows Sysinternals Tools .
  • Office 365 Advanced Threat Protection / Windows Defender ATP — developed C# components for the Azure threat intelligence service that delivered attribution reports into Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection.
  • MEX Debugging Extension (documentation): implemented enhancements enabling Excel process analysis within MEX for Office-focused investigations.
  • Office Readiness Toolkit (tool overview): authored the internal VBA macro-analysis subsystem, including the lexical analyzer, abstract syntsx tree (AST) generator, and analyzer engine.

Open Source & Tools

I publish some of my tooling and experiments publicly on GitHub, mostly around detection engineering, reverse engineering, and automation.

• GitHub profile: github.com/davidmagnotti
• Selected projects include an OLE CF file parser for YARA-X and contributions to other open source projects.

Hobby Projects

I build small browser games and coding experiments as a way to stay sharp and decompress. They’re not representative of my day job, but they were fun to make:

Coding

• Biocode — Python coding puzzles in the browser focused on bioinformatics, with solutions generated using a local LLM.

Games

• car battle — Drive using tap/click or arrow keys, avoid getting hit, and use boosts to destroy enemy cars (built with pixi-js).
• red light — Drive to the finish line and don’t move on red (using crisp-game-lib).
• dodge — Tap to change slider direction and dodge obstacles (using crisp-game-lib).
• flying ship — Keep the ship between the pillars (using crisp-game-lib).
• simon says — Watch and copy the pattern.