Oct 2024 – Present · 1 yr 7 mos

• Helping figure out how to apply AI and code comprehension to scale product security and code reviews.

Jun 2024 – Present · 1 yr 11 mos

• Helping an organization that's helping organizations govern cloud access for all identities - human and machine

Jun 2024 – Present · 1 yr 11 mos

• Providing expert guidance, oversight, and second opinions to a practitioner run, practitioner focused security industry advisory startup

Mar 2024 – Jan 2025 · 10 mos

• I took a sabbatical, and relocated to Stockholm!
• I spent my time advising startups, writing on security, reading 80+ books, and overall had a great time

Jan 2023 – Jan 2025 · 2 yrs

Aug 2022 – Feb 2024 · 1 yr 6 mos · Remote

• Helped establish Infrastructure Security as a discipline, and led security partnership for the Infrastructure Area
• Ask me about:
• The Path to Zero Touch Production
• Bootstrapping security as part of a company wide migration to EKS
• Building industry leading security for Terraform Automation
• Fighting fires, and making attackers' lives difficult
• Side quests to save millions of dollars

Mar 2022 – Jul 2022 · 4 mos

• In addition to previous responsibilities:
• Manage a team of 3 (2 analysts, 1 product security engineer)
• Represent security on Cedar's Architecture Steering Group

Nov 2020 – Mar 2022 · 1 yr 4 mos

• Third security hire, helped define and grow the program:
• Security Partner for highest-risk portfolio of Data, Platform, and Integrations pillars. 93% CSAT in Engineering.
• Created security interview rubrics and sat on hiring committee for DevOps, IT, and Security hires. Sourced Staff and Manager hires. Successfully hired and on-boarded Security Analysts and a Product Security Engineer.
• DRI for Cloud (AWS) Security, Security Operations, Incident Response, Pentesting, post-M&A integration of Cedar and OODA Health security programs
• Introduced and matured business-facing Rapid Risk Assessments and Vendor Risk procedures
• SME for PCI Compliance (Service Provider Level 1), supported sales via security due diligence and customer exec conversations
• Supervised Proof-of-Value exercises for MDR, SAST, DAST, SIEM, CSPM and Vulnerability Management platforms - driving cost efficiencies through balance of open-source utilities and investments in commercial partners
• Led values identification exercise and evangelized Security Values internally and externally (https://decode.cedar.com/defining-cedars-security-values/)
• In a team of two, designed, deployed, and operated Cedar's first API (~250k requests a day)

Jul 2017 – Oct 2020 · 3 yrs 3 mos

• Joined NCC Group through the acquisition of VSR.
• Security Consultant: July 2018-June 2020
• Conducted 50+ security engagements, including web and mobile applications (iOS, Android), cloud security (AWS, GCP), code review (Ruby, JS, Python, PHP, Java), M&A (pre- and post-terms), staff augmentation (product security, vendor security, and bug bounty, spent a cumulative six months working for multiple FAANG companies in 6 week or 3 month stints) and even physical security
• Technical lead for complex engagements, serving the Group's highest-profile clients, orchestrating teams of up to 10, and supporting over $1 million in sales through scoping and pre-sales efforts
• Spearheaded the North American Cloud Working Group, standardizing and improving sales and delivery

Jun 2017 – Oct 2020 · 3 yrs 4 mos

• (acquired by NCC Group)
• Co-op Jul-Dec 2017, part time through June 2018
• white/gray/blackbox web application penetration tests
• internal and external networks
• mobile applications
• Social engineering (and vishing, smishing)
• Broke into at least one building (physical security assessment)
• As an intern, logged the most hours in the office on super smash bros

Jul 2016 – Dec 2016 · 5 mos

• mostly defending my machine from being used as a ctf by coworkers
• vulnerability scans, external network penetration tests, CRUD web application assessments

Jun 2015 – Aug 2015 · 2 mos · Yokneam Illit, IL

• Developed secure full-stack login flow for venture funded cyber security startup using Flask and OrientDB. Contributed to compilation of threat intelligence packages for F500 clients.

Jul 2014 – Apr 2018 · 3 yrs 9 mos · Boston, MA

• Software and hardware technical support for students and faculty. Trained dozens of junior staff. Automated malware remediation (24h -> 10m). Automated scheduling notifications.

Jan 2012 – Jun 2014 · 2 yrs 5 mos · Milton, MA