Microsoft Sentinel & Defender XDR
Design and implement Microsoft security solutions for Norwegian customers — Sentinel, Defender XDR, Entra ID, Intune. Run PoCs and technical pilots across the Microsoft security platform.
Sentinel, Defender XDR, Entra ID — for Norwegian customers.
Built Crayon's MDR from scratch (2022–26). Now at Spirhed.
Microsoft security work for Norwegian customers — through Spirhed Norway AS. Three areas where I spend most of my time.
Service design for managed detection and response — offering, onboarding, multi-tenant operations. Draws on building Crayon's MDR from scratch and leading the security operations team.
Detection engineering, threat hunts and incident response in Microsoft Sentinel and Defender XDR. KQL queries for forensic analysis and detection automation that reduces false positives.
Before Spirhed: built Crayon's MDR from scratch and led the security operations team. Two years of hands-on cloud security consulting before that — forensic investigations, identity security deployments, and KQL hunting in Sentinel and Defender XDR.
The full catalogue — what the terminal teased above, with stack, status and a way in. All built outside of any employer, except where flagged as client delivery.
Real-time map of Norwegian police incidents.
Daily Norwegian finance brief, in your inbox before market open.
Kyvco AS delivers electronic and physical security (alarm, access control, camera, welfare technology) for Norwegian municipalities and housing cooperatives. I designed and built their corporate web presence on Next.js 15 and Cloudflare. A delivery, not my company.
An MCP server that exposes Utdanningsdirektoratet (Udir) curriculum data — competence aims, learning goals, subject structures — to AI agents. Makes Norwegian K–12 curriculum machine-queryable.
Self-hosted orchestration for autonomous build & deploy.
A personal health data project: a Mac-mini-hosted MCP backend that ingests HealthKit data, plus an iOS app that surfaces it. No public landing — runs as personal infrastructure.
A platform for hosting Norwegian AI competitions: escape rooms, data challenges, model-jailbreak arenas. Early build aiming at NM i AI 2026.
Senior Cybersecurity Consultant at Spirhed Norway, based in Moss. He advises on, designs and implements Microsoft security solutions for Norwegian customers — Sentinel, Defender XDR, Entra ID. Outside of work he runs Håkansson Labs — a portfolio of personal projects including Politipuls (real-time map of Norwegian police incidents), Morgenbrief (a daily Norwegian finance newsletter), and The Conductor (self-hosted orchestration that builds and deploys his own sites).
A Microsoft security consultant designs and operates the security platform Microsoft sells — primarily Microsoft Sentinel (SIEM), Defender XDR (endpoint + identity + email + cloud), Entra ID (identity), and Microsoft Purview (data protection). Day-to-day work covers detection engineering with KQL, incident response playbooks, MDR service design, identity hardening, and architecture reviews — translating Microsoft product capability into outcomes a Norwegian operations team can actually run.
Microsoft Sentinel is the SIEM and SOAR layer — it ingests logs from any source, runs KQL analytics rules, and orchestrates response. Microsoft Defender XDR is the unified extended-detection-and-response platform that natively covers endpoints (Defender for Endpoint), identity (Defender for Identity), email (Defender for Office 365), and cloud apps. In a mature deployment both are used together: Defender XDR for native Microsoft telemetry, Sentinel for everything else plus correlation across the lot.
MDR is the operational service wrapped around detection tooling — 24/7 monitoring, triage, escalation, and response delivered as a service rather than as software. Designing one means choosing the platform (Sentinel + Defender XDR on the Microsoft stack), defining alert tiers and escalation paths, building detection content and runbooks, agreeing SLAs and reporting, and standing up the multi-tenant operations model that makes the economics work across more than one customer.
Moss, Norway. He works for Spirhed Norway across the Nordics, with Norwegian customers as the primary focus. Reachable at [email protected] or via LinkedIn for consulting, speaking, or collaboration inquiries — including remote-friendly engagements across Europe.
For consulting through Spirhed Norway AS, speaking engagements, or collaboration on Håkansson Labs projects, the fastest channel is email at [email protected]. LinkedIn at linkedin.com/in/trym-haakansson works as a secondary route, and the response time on both is typically within one business day.
For consulting through Spirhed, speaking, or to discuss anything from Håkansson Labs — email is the fastest way.