< 02 / SCOPE >
FOUR PILLARS

What I build & defend.

Practice areas. Locked priority order.

01 / 04

Applied IT, Network & Security competency

Hands-on across enterprise stacks.

Windows Server / Active Directory lifecycle, Cisco IOS networking (VLAN, EtherChannel, inter-VLAN, ACL/NAT), Hyper-V virtualization, web application security testing, penetration testing workflow, SIEM/SOC stack operations. Lab-validated across multiple environments.

hands-on · lab-validated

02 / 04

AI-leveraged knowledge & security workflow

AI as a working discipline, not a slogan.

Multi-MCP agent orchestration, typed auto-memory schemas, multi-tier verification ladders, knowledge graphs over mixed-source corpora. Production-scale workflow on commodity hardware.

orchestration · memory · verification

03 / 04

Security research environment

Multi-cloud, multi-tier, evidence-driven.

Static source review combined with live observable testing. Multi-cloud attack-chain framework across GCP / AWS / Azure. Forensic-trail capture per run. Submission readiness governance: five-stage gate from source-verify to final-verdict.

multi-cloud · multi-tier · live witness

04 / 04

Open-source contributions to security libraries

Upstream PRs into widely-used codebases.

Cryptography (Google Tink ecosystem: Python, Tinkey, C++, Go, Java, AWS-KMS, GCP-KMS, HashiCorp Vault sub-projects), runtime sandbox (gVisor), Bluetooth stack (Bumble), package security (osv-scanner / osv-scalibr), CLI tooling (click).

crypto · sandbox · package security

< 03 / HANDS-ON CAPABILITIES >
8 OF 8 VERIFIED

Hands-on capability matrix.

$ cat capabilities.tsv | verify

./capabilities · 8 entries · verified
schema: ID · NAME · TOOLS · STATUS
[01]/08

Windows Server / Active Directory lifecycle

Forest design, DC promotion, GPO authoring & troubleshooting, PowerShell admin tooling.

AD DS · GPO · PowerShell admin · Server 2016 – 2025

VERIFIED
[02]/08

Cisco IOS networking

Switch & router configuration, VLAN/trunk design, link aggregation, inter-VLAN routing.

VLAN / trunk · EtherChannel · inter-VLAN · ACL · NAT

VERIFIED
[03]/08

Hyper-V virtualization administration

Virtual switch design, VHD lifecycle, dynamic memory tuning, multi-VM lab provisioning.

VHD / VHDX · virtual switches · checkpoints · dynamic memory

VERIFIED
[04]/08

Web application vulnerability testing

Manual + automated testing against OWASP Top 10 targets in controlled lab environments.

Burp · ZAP · SQLi / XSS / CSRF / SSRF · gobuster · sqlmap

VERIFIED
[05]/08

Penetration testing workflow

Standard kill-chain: reconnaissance, enumeration, exploitation, post-exploitation.

recon → enumeration → exploitation → post-exploit

VERIFIED
[06]/08

SIEM / SOC stack operations

Tier-1 alert triage methodology, IDS rule analysis, case management workflow.

Wazuh · Security Onion · Suricata · Zeek · alert triage

VERIFIED
[07]/08

AI orchestration

Working agent architecture, not toy demos. Production scale on commodity hardware.

multi-MCP stacks · typed memory schemas · verification ladders

VERIFIED
[08]/08

Open-source security contributions

Sustained upstream PRs into widely-used security libraries.

Tink · gVisor · Bumble · osv-scanner · click

VERIFIED
end of file · exit 0
< 04 / SELECTED WORK >
4 FRAMES · LIVING RECORD

Selected work.

FRAME-01 to FRAME-04 · operator-curated

FRAME-01 · STRONG · MIXED

Living AI-assisted professional knowledge & capability system

Multi-layer architecture. Obsidian vault as source, Claude Code as orchestration, MCP servers (filesystem / REST / browser / web / creative), typed auto-memory with bidirectional vault sync, topic-classified knowledge graph, curated portfolio layer with stage gates. A single operator running an AI-assisted professional workflow at production scale on commodity hardware.

Claude Code · MCP · Obsidian · Ollama · typed memory · topic graph
FRAME-02 · STRONG · MIXED

AI-assisted security research and validation environment

Multi-cloud research environment. Static source review combined with live observable testing under multi-tier AI verification (Scout / Judge / Sonnet / Opus). Session Persistence Layer, Attack State Machine, Resource Lifecycle Actions, Multi-Hop Chain Planner across GCP / AWS / Azure. Discovery-aware hunting with forensic-trail capture.

multi-cloud · multi-tier verification · GCP / AWS / Azure · lifecycle.jsonl
FRAME-03 · STRONG · PUBLIC

Submission readiness governance methodology

A five-stage gate that prevents low-signal vulnerability reports from reaching bounty programs: Source-verify · Live-witness · Audit-coverage · Cross-finding · Final-verdict. Includes forensic-trail capture (lifecycle.jsonl per run), audit-coverage cross-check against existing CVE / GHSA disclosures, cross-finding subset detection, F-class drops, sanitization checklist.

5-gate · forensic trail · F-class drops · sanitization
FRAME-04 · STRONG · PUBLIC

Open-source upstream contributions to widely-used security libraries

Open-source security research with focus on Google gVisor (container sandboxing and Linux runtime behavior). Sustained contributions include TOCTOU fixes in systrap, TUN device crash handling, Go concurrency race fixes, guest-writable shared memory hardening. Additional upstream PRs across Google Tink (cryptography), Bumble (Bluetooth stack), osv-scanner (package security), and click (CLI tooling).

Tink · gVisor · Bumble · osv-scanner · click
< 05 / NOW >
LIVE · 2026-05-12

$ systemctl status now.service
now.service · operator workstream snapshot
    Active: running
    Loaded: research-stack.cfg

Currently.

Running multi-cloud AI-assisted hunts via the ClearAhead pipeline. Paired-session live engine with multi-tier verification across GCP / AWS / Azure. Filing upstream PRs across Tink, gVisor, grpc, Bumble: the current batch covers AWS-KMS / GCP-KMS CRC32C integrity gates, gVisor nvproxy hardening, and grpc RBAC path canonicalization (sibling of CVE-2026-33186).

In parallel: live-fire blue-team practice under sustained operational pressure. Cloud-deployed lab pod with Security Onion 2.4, pfSense + Snort IPS, Wazuh agents, and a mixed Linux / Windows fleet, exercised against simulated adversary activity at production rate. Scope covers SOC alert triage, KQL pivot hunting, MITRE ATT&CK mapping, firewall and IDS tuning under load, and disciplined change management across reset cycles.

Response frameworks layered in as fallback discipline: CIS Critical Controls, NIST CSF, PCI-DSS, and HIPAA technical safeguards. Role spread across firewall, Windows, Linux, application, monitoring, and change-management leads, with shared runbooks for reset recovery and uptime continuity.

STACK · Kali · Claude Code · MCP · Obsidian
RIG · COMMODITY · TWO-HOST LAB
< 06 / CONTACT >
END OF FILE

/contact.

Two channels. One filter.

INBOX FILTER

Open for OSS security collaboration, architecture review, and research dialogue. Cold sales and recruiter outreach route to /dev/null.

CURRENT STATUS

Selective engagement. Response window 24–72h.

LOCATION

California · Pacific Time.

// IEVGEN BONDARENKO · 2026 · EOF