DevSecOps & Supply Chain
Threat modelling, IaC scanning, dependency hygiene, container hardening, secrets management, runtime detection, SBOM and image signing, audit-ready evidence.
Security teams don't slow engineering down. Bad security tooling does. Two-day vulnerability backlogs, scanners with 80% false positives, secret rotations done by Slack message — that's where breaches live.
What I implement
Pipeline gates — SAST (Semgrep), SCA (Snyk / Grype), IaC scanning (Checkov / tfsec), container scanning (Trivy), secret scanning (gitleaks). Configured to block what matters (fixable critical and high findings) and warn on the rest. Suppressions go in via PR and carry an expiry date, so an accepted risk gets re-reviewed instead of quietly becoming permanent.
Supply chain integrity — SBOMs generated per build, container images signed with Cosign, build provenance attested in SLSA format. You can prove what's running in production, where and from what source it was built, and that nothing unattested got in.
Secrets discipline — Vault or cloud-native secret manager, dynamic credentials where possible, zero secrets in env files or CI variables. Rotation automated. Access audited.
Runtime defense — Falco / GuardDuty / Defender tuned for your workloads, alert routing into the SOC channel that actually exists, integration with your incident response.
Compliance evidence pipeline — SOC2 / ISO 27001 / HIPAA controls mapped to actual technical evidence. Evidence collected continuously instead of scrambled together two weeks before audit.
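The "block what matters, warn on the rest, suppress via PR with expiry" rule from the Pipeline gates item above, written out as an added example; this is illustration, not the author's tooling. It consumes a report in the shape of Trivy's JSON output (`Results[].Vulnerabilities[]`) with a constructed sample, the suppression list, the block threshold (fixable CRITICAL/HIGH) and the fixed evaluation date are assumptions, and an expired suppression is treated as if it never existed and called out by name.

```python
"""Scanner gate with expiring suppressions. Added example, not the page
author's tooling. The report shape follows Trivy's JSON output; the
sample findings, suppressions and evaluation date are constructed."""
import json
import sys
from datetime import date

# Constructed sample in the shape of a Trivy JSON report. The IDs are
# placeholders, not real CVEs.
TRIVY_REPORT = {"Results": [{"Target": "app:1.2.3 (alpine)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-1", "PkgName": "libfoo", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-EXAMPLE-2", "PkgName": "libbar", "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-3", "PkgName": "libbaz", "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-4", "PkgName": "libqux", "InstalledVersion": "4.0", "FixedVersion": "4.2", "Severity": "MEDIUM"},
]}]}

# Constructed suppression file, the kind of thing that lands in the repo
# via a reviewed PR. Every entry must carry an expiry.
SUPPRESSIONS = [
    {"id": "CVE-EXAMPLE-1", "pkg": "libfoo", "reason": "upgrade blocked by vendor image", "expires": "2024-01-01"},
    {"id": "CVE-EXAMPLE-3", "pkg": "libbaz", "reason": "vulnerable function not linked into the binary", "expires": "2030-01-01"},
]

# Assumed policy: block only findings that are both severe and fixable.
BLOCK_SEVERITIES = {"CRITICAL", "HIGH"}
TODAY = date(2025, 6, 1)  # fixed so the example is reproducible


def load_suppressions(entries, today):
    """Split suppressions into active and expired, keyed by (id, package).
    An entry without an expiry is rejected outright."""
    active, expired = {}, {}
    for entry in entries:
        if "expires" not in entry:
            raise ValueError(f"suppression for {entry['id']} has no expiry")
        key = (entry["id"], entry["pkg"])
        (expired if date.fromisoformat(entry["expires"]) < today else active)[key] = entry
    return active, expired


def evaluate(report, suppressions, today):
    """Return {'blocking': [...], 'warnings': [...]} for the report."""
    active, expired = load_suppressions(suppressions, today)
    blocking, warnings = [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = (v["VulnerabilityID"], v["PkgName"])
            label = f"{key[0]} in {key[1]}"
            actionable = v["Severity"] in BLOCK_SEVERITIES and bool(v.get("FixedVersion"))
            if key in active:
                warnings.append(f"{label}: suppressed until {active[key]['expires']} ({active[key]['reason']})")
            elif key in expired:
                # Expired exception: no longer honoured, and the message says why.
                (blocking if actionable else warnings).append(
                    f"{label}: suppression expired {expired[key]['expires']}, re-review required")
            elif actionable:
                blocking.append(f"{label}: {v['Severity']}, fix in {v['FixedVersion']}")
            else:
                why = "no fix available" if not v.get("FixedVersion") else "below block threshold"
                warnings.append(f"{label}: {v['Severity']}, {why}")
    return {"blocking": blocking, "warnings": warnings}


def exit_code(verdict):
    """Non-zero only when something blocking remains; warnings never fail the build."""
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    verdict = evaluate(TRIVY_REPORT, SUPPRESSIONS, TODAY)
    print(json.dumps(verdict, indent=2))
    sys.exit(exit_code(verdict))
```

Run as a CI step after the scanner, with the report read from Trivy's `--format json` output instead of the constructed sample; the suppression file lives in the repo so every exception has a PR, a reason and a date behind it.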
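The deploy-time half of the Supply chain integrity item above, as an added example that is not the author's code: given a SLSA provenance attestation whose DSSE signature has already been verified (by Cosign or similar, which is assumed to have happened upstream), check the claims inside it, that the statement covers exactly the image digest about to run, that the builder identity is trusted and that the source repository and commit are what production expects, and list any running digest that no attestation covers. The statement is constructed in the in-toto Statement v1 / SLSA provenance v1 shape; the builder ID, source URI, digests and the location of the source field under `externalParameters` are assumptions for a hypothetical builder.

```python
"""Policy check over a SLSA provenance statement. Added example, not the
page author's tooling. Assumes signature verification already happened;
builder ID, source URI and digests below are constructed."""
import hashlib
import re

SHA256_HEX = re.compile(r"[0-9a-f]{64}")
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"

# Assumptions: the one builder identity production trusts, and the
# repository/ref a production image must have been built from.
TRUSTED_BUILDERS = {"https://builder.example.internal/ci@v1"}
EXPECTED_SOURCE = "git+https://github.com/example/app@refs/heads/main"

# Constructed digests standing in for a real image and commit.
IMAGE_DIGEST = hashlib.sha256(b"constructed image").hexdigest()
COMMIT = hashlib.sha1(b"constructed commit").hexdigest()


def make_statement(digest=IMAGE_DIGEST, builder="https://builder.example.internal/ci@v1",
                   source=EXPECTED_SOURCE):
    """Constructed in-toto Statement v1 carrying SLSA provenance v1."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "registry.example/app", "digest": {"sha256": digest}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://builder.example.internal/buildtypes/container@v1",
                # Where a builder records the source is builder-specific; this
                # hypothetical one puts it under externalParameters.source.
                "externalParameters": {"source": {"uri": source, "digest": {"gitCommit": COMMIT}}},
            },
            "runDetails": {"builder": {"id": builder}},
        },
    }


def check_provenance(statement, image_digest, trusted_builders=TRUSTED_BUILDERS,
                     expected_source=EXPECTED_SOURCE):
    """Return a list of policy failures; an empty list means the image may deploy."""
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        failures.append(f"unexpected predicate type {statement.get('predicateType')!r}")
    if not SHA256_HEX.fullmatch(image_digest):
        failures.append("image digest is not a lowercase sha256 hex string")
    # Exactly this image and nothing else: a statement that also vouches for
    # other artefacts would let an unrelated build cover ours.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digests != {image_digest}:
        failures.append(f"subject digests {sorted(d for d in digests if d)} do not equal the image digest")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder {builder!r}")
    src = pred.get("buildDefinition", {}).get("externalParameters", {}).get("source", {})
    if src.get("uri") != expected_source:
        failures.append(f"source {src.get('uri')!r} is not {expected_source}")
    if not re.fullmatch(r"[0-9a-f]{40}", src.get("digest", {}).get("gitCommit", "")):
        failures.append("source commit is missing or malformed")
    return failures


def unattested(running_digests, statements):
    """Digests running in the cluster that no provenance statement covers:
    the 'nothing else got in' half of the claim."""
    covered = {s["digest"]["sha256"] for st in statements for s in st.get("subject", [])}
    return sorted(set(running_digests) - covered)


if __name__ == "__main__":
    print("good image:", check_provenance(make_statement(), IMAGE_DIGEST) or "ok")
    print("wrong builder:", check_provenance(make_statement(builder="https://other.example/ci"), IMAGE_DIGEST))
    print("unattested:", unattested([IMAGE_DIGEST, "ff" * 32], [make_statement()]))
```

In a real pipeline the statement is the payload Cosign returns after verifying the attestation's signature against the expected identity; this check then rejects images whose provenance is valid but says the wrong thing, which signature verification alone cannot catch. The same check generalises to any in-toto predicate by swapping the predicate type and the field paths.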
What I won't do
Add tools without removing tools. The average startup has 9 security scanners and reads the output of 2. I'd rather have you running 4 well than 12 poorly.
Adjacent services.
Cloud & DevOps Engineering
Production cloud environments designed deliberately — resilient, cost-aware, and ready for the day you actually need them.
Platform Engineering (internal developer platforms)
Self-service platforms that turn 'open a ticket and wait three days' into 'open a PR and ship in fifteen minutes'.
Kubernetes & Container Orchestration (EKS · GKE · AKS · self-hosted)
Production-grade Kubernetes — clusters that scale, upgrade cleanly, and don't wake people up.