I help teams ship faster without shipping vulnerabilities — by building security into IaC, CI/CD pipelines, and Kubernetes from day one.
Recent focus areas:
- Secure-by-default Terraform — hardened AWS modules, policy-as-code with OPA/Rego, SARIF reporting
- Multi-tool DevSecOps pipelines — SAST, SCA, secrets detection, IaC and container scanning in GitHub Actions
- Kubernetes hardening — OPA Gatekeeper constraints, network policies, runtime detection, CIS compliance
- Threat modelling — STRIDE, DREAD, MITRE ATT&CK for regulated (healthcare/fintech) workloads
Based in London, UK — open to hybrid or remote-first roles.
DevSecOps Engineer · Cloud Security Engineer · Security Engineer (Platform/Cloud)
| Project | What I built | Impact | Stack |
|---|---|---|---|
| Terraform AWS Security Hardening | Hardened AWS stack (VPC, EC2, RDS, S3, KMS) with Checkov, tfsec & OPA wired into GitHub Actions. SARIF uploads feed the GitHub Security tab at PR level. Full SOC 2 control mapping and findings register included. | 19 Checkov + 19 tfsec findings → 0 on main. All Critical/High remediated. | Terraform · Checkov · tfsec · OPA/Rego · GitHub Actions · AWS |
| DevSecOps Pipeline | Two-branch pipeline: main holds intentionally vulnerable code to prove every gate catches real issues; hardened branch is fully remediated. Open PR with before/after diffs, CVSS scores and MITRE ATT&CK mappings for every finding. | 7 vulnerability classes eliminated — SQLi, SSTI, CMDi, path traversal, YAML injection, hardcoded creds, root container. | GitHub Actions · CodeQL · Bandit · Trivy · Gitleaks · Docker |
| Kubernetes Security Portfolio | Hardened a 3-node GKE cluster end-to-end: OPA Gatekeeper constraints (no root/privileged pods, required resource limits), namespace network policies, Trivy image scanning, RBAC audit, custom Falco rules. | CIS non-compliance: 38% → 6% | GKE · Kubernetes · OPA Gatekeeper · Falco · Trivy · Helm |
| Healthcare Threat Model | Full threat model for a fictional NHS-style cloud platform on AWS. 31 threats across STRIDE categories, all DREAD-scored and placed in a risk register. ATT&CK Navigator layer JSON included. APT attack simulation timeline written to show where controls break real kill chains. | 31 threats identified, mapped to MITRE ATT&CK, NIST CSF, NHS DSPT & UK GDPR. | STRIDE · DREAD · MITRE ATT&CK · NIST CSF · AWS |
DevSecOps & CI/CD
Cloud & IaC
Containers & Kubernetes
Languages
- HashiCorp Terraform Associate 003 (2025)
- AWS Certified Cloud Practitioner (2025) — AWS Solutions Architect Associate in progress
- GitHub Actions Certification (2025)
- Google Cybersecurity Professional Certificate (2024)
- BCS Information Security Management Principles (2024)
- SailPoint Certified IdentityNow Associate (2024)
Actively seeking DevSecOps / Cloud Security Engineer roles. Happy to walk you through any of the projects above — just reach out.