Fatih Serdar Çakmak — Cyber Security Operations (SOC) Intern
Computer Engineering student at Istanbul Technical University (class of 2027). Started in Industrial Automation at Kocaeli ENKA, which turned out to be solid prep for OT/IT security. At Doğuş Teknoloji I worked across SIEM, SOAR, EDR and NDR platforms: L1 incident response, SOAR playbook writing (phishing playbooks especially), EDR alert tuning, and IT/OT segmentation. Now part-time at Fibabanka doing daily alert triage, CTI review, and n8n SOC automation (LLM-assisted triage, IOC enrichment, phishing analysis) in a BDDK-regulated banking environment. MITRE ATT&CK is how I think about threats. Off the clock I build open-source security tooling for AI systems: Tamga, a self-hosted LLM security proxy, and MCPRadar, a scanner that checks MCP servers for nasty surprises.
Projects
- Tamga — Self-Hosted LLM Security Proxy: Open-source proxy you host yourself, sitting between your app and the LLM provider (OpenAI, Anthropic, Azure, Vertex). Redacts PII inline (TC Kimlik, IBAN, credit cards), blocks leaked secrets, and catches prompt injection with sub-millisecond static scanning via an Aho-Corasick DFA. Ships KVKK / BDDK / GDPR / PCI-DSS compliance mappings, hash-chained audit logs, a Next.js incident dashboard, and a 309-prompt adversarial suite gated in CI.
- MCPRadar — Security Scanner for MCP Servers: Catches tool poisoning, prompt injection, and supply-chain rug pulls in Model Context Protocol servers before your agent runs them. 6 detection rules (zero-width Unicode, injection patterns, encoded blobs, hidden HTML/Markdown, permission scope mismatch, dangerous tool names), SARIF output that drops straight into the GitHub Security tab, and SQLite snapshot diffing to flag silent schema changes. One-shot run with uvx, no install needed.
- İTÜ MCP — University Portal MCP Server: Local MCP server that connects an ITU student's Ninova (LMS) and OBS (student portal) accounts to Claude, Cursor, Codex, and other MCP clients. Ask about assignments, deadlines, grades, transcripts, or attendance in natural language; reads PDF/DOCX files, uploads homework only with explicit confirmation. Local-first: credentials never leave the machine and are sent only to ITU endpoints.
- SOC Simulation: SIEM/SOAR Case Study: End-to-end SOC simulation: 127 alerts, 126 false positives, 1 real threat. Maps multi-stage attacks to MITRE ATT&CK TTPs, with a React dashboard for real-time alert visualization, realistic log datasets to test SIEM correlation rules, and Python-based SOAR playbook flows for automated triage and enrichment.
- SOC n8n Workflows: 10 production-shaped SOC automation playbooks for n8n: LLM-assisted alert triage, phishing analysis, IOC enrichment, human-approved containment, CVE watch, and SOC reporting. Import-ready JSON, zero secrets.
- WDI Analytics — Full-Stack Data Platform: Platform for exploring World Bank development indicators across six domains (countries, health, emissions, energy, freshwater, sustainability). A Flask blueprint API behind a React + TypeScript SPA, with role-based access control (admin / editor / viewer), parameterized SQL to block injection, and audit logging on every change. Chart.js trends, a Leaflet world map, CSV export, Docker Compose, Alembic migrations, and a CI pipeline. Built as an ITU term project (BLG-317E).
FSCAKMAK
fatih serdar çakmak · soc analyst · itu cs