PROFILE // 2026

Mickael Soussan

AI & Cybersecurity Architect

  1. Professional Summary

    AI & Cybersecurity Architect with 10+ years of experience across malware research, reverse engineering, cyber threat intelligence, and AI-driven cybersecurity platforms. Specialized in designing agentic AI systems for cyber investigation, autonomous threat intelligence enrichment, retrieval-augmented generation, structured cyber data pipelines, and evidence-grounded LLM workflows. Currently building AI-native systems that transform raw cyber feeds, structured intelligence databases, and analyst knowledge into explainable, verifiable cyber intelligence outputs.

  2. Core Expertise

    • Agentic AI for Cybersecurity — LLM orchestration, multi-agent workflows, planner/executor/verifier patterns, tool-augmented reasoning, AI guardrails.
    • Cyber Threat Intelligence Automation — autonomous feed enrichment, CTI entity extraction, CVE intelligence, IOC processing, malware and threat-actor tracking.
    • RAG & Knowledge Systems — semantic retrieval, vector search, evidence-grounded answers, internal knowledge assistants.
    • Cyber Data Platforms — PostgreSQL, SQLite, Redis, Qdrant, Python, FastAPI, Docker, pipeline orchestration.
    • AI Reliability & Verification — hallucination reduction, claim/evidence validation, deterministic routing, read-only SQL guardrails, observability.
    • Malware & Reverse Engineering — malware behavior analysis, process injection, API hooking, unpacking, YARA, anti-debugging, anti-VM techniques.

  3. Professional Experience

    Product Researcher & Innovation — AI & Cybersecurity Systems

    Feb 2021 — Present

    Cyber threat intelligence vendor

    • Architect AI-driven cyber intelligence systems combining LLM orchestration, retrieval-augmented generation, structured cyber databases, and tool-based reasoning to support analyst-grade investigation workflows.
    • Designed and developed an agentic cyber investigation system that translates analyst questions into structured investigation plans, executes controlled database queries, and produces grounded CTI-style answers with verification checks.
    • Built multi-agent investigation flows — planner, SQL expert, controlled execution, CTI answer formatter, and post-generation verifier — to reduce hallucinations and improve trust in AI-generated intelligence.
    • Developed autonomous cyber feed enrichment pipelines that ingest, classify, enrich, cluster, normalize, and project threat intelligence from multiple sources into structured intelligence assets.
    • Designed entity extraction and normalization workflows for malware, threat actors, vulnerabilities, targeted sectors, targeted locations, indicators, and other CTI entities.
    • Built data flows connecting raw feed ingestion, enrichment logic, clustering, central PostgreSQL storage, Qdrant vector search, and dashboard-ready outputs.
    • Implemented RAG-based chatbot and investigation capabilities over cyber intelligence data, enabling natural-language access to internal knowledge and structured threat intelligence.
    • Introduced reliability mechanisms for AI systems: deterministic tool routing, evidence grounding, verifier agents, read-only SQL guardrails, and observability-oriented pipeline monitoring.
    • Developed ML/NLP models for Named Entity Recognition of malware and threat actors using spaCy, contributing to improved cyber threat intelligence extraction and enrichment.
    • Collaborated with product managers, analysts, and R&D teams to translate cyber research needs into AI-powered product capabilities and operational workflows.

  4. Selected AI & Cybersecurity Systems

    Agentic CTI Investigator

    Converts analyst questions into structured cyber investigations using planning, controlled database access, evidence grounding, and verification.

    • Planner, SQL expert, controlled execution, CTI answer formatter, and verifier stages.
    • Reduces hallucinations through evidence-backed responses.
    • Supports investigation over threat actors, malware, CVEs, campaigns, and temporal trends.

    Autonomous CTI Feed Pipeline

    Transforms raw cyber reporting into enriched, clustered, normalized, and searchable intelligence.

    • Automates ingestion, relevance filtering, enrichment, clustering, and central-store sync.
    • Extracts and normalizes CTI entities: malware, threat actors, CVEs, indicators, sectors, locations.
    • Connects feed processing, PostgreSQL, Qdrant vector search, and dashboard-ready reporting.

    AI Reliability & Verification Layer

    Adds trust, control, and verification to LLM-powered cyber intelligence workflows.

    • Deterministic tool routing and verifier-oriented workflows.
    • Read-only SQL guardrails, evidence grounding, and claim validation.
    • Improves trust in AI-generated CTI outputs.

  5. Earlier Experience

    Malware Researcher / Technical Lead

    Feb 2017 — Feb 2021

    Cyber threat intelligence vendor

    • Led malware research and reverse engineering focused on process injection, API hooking, anti-debugging, anti-VM techniques, unpacking, persistence, and evasion.
    • Produced technical malware intelligence to support detection, investigation, and cyber product capabilities.
    • Researched attacker tradecraft and malware internals to improve understanding of malicious behavior and execution techniques.
    • Provided technical guidance and contributed to malware analysis methodologies for complex malware families.

    Malware Analyst

    Dec 2014 — Feb 2017

    Cyber threat intelligence vendor

    • Analyzed ransomware, botnets, exploit kits, RATs, and commodity malware to produce technical cyber intelligence reports.
    • Extracted indicators of compromise, behavioral patterns, malware capabilities, and detection opportunities from malicious samples and campaigns.
    • Developed YARA rules and internal detection logic to identify malware infections and support threat monitoring.
    • Supported cyber intelligence operations through malware classification, technical reporting, and threat investigation.

    Research Intern — Secure Virtual Cloud Project

    2014

    Public research lab

    • Automated security test campaigns using the Metasploit Framework to evaluate infrastructure robustness and defensive mechanisms.
    • Supported research into secure virtualized cloud environments and attack simulation workflows.

  6. Technical Skills

    AI / LLM Systems
    • LLM orchestration
    • Agentic workflows
    • Multi-agent systems
    • RAG
    • Prompt engineering
    • Tool-augmented reasoning
    • Verifier agents
    • AI guardrails
    • OpenAI Agents SDK
    • Model Context Protocol

    Cyber Threat Intelligence
    • CTI automation
    • Malware / threat-actor tracking
    • CVE intelligence
    • IOC extraction
    • Entity normalization
    • Cyber feed enrichment
    • Intelligence clustering
    • MITRE ATT&CK

    Backend & Data
    • Python
    • FastAPI
    • PostgreSQL
    • SQLite
    • Redis
    • Qdrant
    • Docker
    • REST APIs
    • Data pipelines
    • Linux

    Security Research
    • Malware analysis
    • Reverse engineering
    • YARA
    • Process injection
    • API hooking
    • Anti-debugging
    • Anti-VM techniques
    • Unpacking

    Observability & Ops
    • Grafana
    • Loki
    • Logging pipelines
    • Monitoring
    • Docker Compose
    • systemd
    • GCP

    NLP / Retrieval
    • spaCy
    • Named Entity Recognition
    • Embeddings
    • Semantic search
    • Vector databases
    • Entity extraction

  7. Education

    B.Sc. in Computer Science

    Relevant coursework: Securing Information Systems, Building Secure Applications, Web Application Security, Applied Cryptography.