ENGINEERING PORTFOLIO — A. JANGIR // DESIGN · BUILD · RUN · SECURE
Selected work ↓
REF ENG/AJ  ·  AWS · AZURE · KUBERNETES · ISO 27001

Ankit Jangir

DevOps · SRE · MLOps · DevSecOps · Cloud Solution Architect

Platforms that ship fast, stay up, and can prove they're secure.

I design the platform, lead the team that runs it, and hold the pager. 4.7 years on enterprise, NGO and government systems at 100K+ scale — each one carried through the security due-diligence of banks and Big-Four assessors.

0
Users across 10+ platforms
0
Uptime, external checks via Site24x7
0
Average cloud cost reduced
0
Deployment frequency gain
0
Enterprise security reviews passed
0
Production security incidents

Disciplines

Five hats, one engineer

From the first architecture diagram to the 3 a.m. page.

ROLE · DEVOPS01

DevOps Engineering

Releases as a non-event. ~3× deploy frequency, ~60% faster, 500+ AWS resources as code.

TerraformHelmJenkinsGitHub ActionsAzure DevOpsDocker
ROLE · SRE02

Site Reliability

99.9% uptime at 100K+ users. Hardened staging cut production issues ~70%.

PrometheusGrafanaLokiDatadogDR DrillsSLOs
ROLE · MLOPS03

MLOps & Data Platform

GPU-backed autoscaling compute and orchestrated pipelines into a query-ready lakehouse.

GPU AutoscalingAirflowDBTTrinoClickHouseSuperset
ROLE · DEVSECOPS04

DevSecOps

Security gates in every pipeline, VAPT driven to closure, a 34-policy ISMS behind the product. Zero incidents.

SonarQubeVeracodeBlack DuckGuardDutyISO 27001SOC 2
ROLE · ARCH05

Cloud Solution Architecture

Multi-account AWS Organizations, multi-cloud, built for DR. ~50% lower spend.

AWSAzureGCPWell-ArchitectedMulti-AZCost Optimization

Scope of Ownership

Lead DevOps across two verticals

One practice, two verticals. I own the platform decisions for both.

VERTICAL · PRODUCT01

Product Platform

mGrant and mCom, shipped as multi-tenant SaaS and white-label. Architecture, scaling, tuning and cost sit with me.

Multi-tenant SaaSWhite-labelScalabilityCost Optimization
VERTICAL · CUSTOM02

Custom Delivery

Where the product doesn't fit, we build bespoke. Same security bar, per-client environments, provisioned as code — a new engagement is a deployment, not a rebuild.

Reusable IaC ModulesPer-client EnvsCI/CD Templates
ROLE · LEADERSHIP03

Team & Technical Leadership

I set the standards, review the designs, and gatekeep production. GEM Award 2022, 2023 and 2024.

Team LeadershipDesign ReviewProduction GatekeepingMentoring
ROLE · PRESALES04

Security Enablement for Sales

The technical half of winning enterprise deals. I answer the infosec questionnaires and map controls to evidence. Also scope DevOps-as-a-Service.

Vendor QuestionnairesEvidence CollectionClient TrustDevOps-as-a-Service
ROLE · AI05

AI Platform & AI-Assisted SDLC

Infrastructure behind AI proof-of-concepts — and AI inside the delivery lifecycle itself.

AI POCsGPU AutoscalingAI-Assisted SDLCML Infrastructure

Selected Work · Security Tooling

AI Security Audit Engine — I built the security team I couldn't hire

Internal codename Kotwal. One command audits the code, pen-tests the running deployment, and writes the fix.

$ audit --repo my-org/my-app --url https://app.example.com
0
Lines of Python
0
Modules shipped
0
Specialist sub-agents
0
SAST patterns
0
Live DAST scanners
0
False positives triaged out

Four specialist agents under one orchestrator. Each owns a different attack surface.

Code Auditor
Static analysis

Reads the repo. Secrets, PII, dependency CVEs, SAST patterns, workflow and branch policy.

Pen-Tester
Dynamic analysis

Probes what's actually running. SQLi, XSS, CSRF, IDOR, traversal, session and upload flaws.

Runtime Monitor
Live posture

Watches production. Uptime, certificate expiry, and the security headers auditors ask for.

Policy Inspector
Compliance gate

Enforces the rules. Branch protection, secret scanning, CODEOWNERS, disclosure policy.

Ships: branded DOCX report Top-10 email digest Auto-PR into the target repo OpenSSF Scorecard 0–100 Scheduled via GitHub Actions

Frameworks & Attestations

The standards enterprises audit against

Evidence maintained for the frameworks banks and Big-Four assessors test vendors against.

ISO
ISO/IEC 27001Certified ISMS
S2
SOC 2Trust services
S3
SOC 3Public report
VA
VAPTPen-test + revalidation
OW
OWASP / ZAPApp assessment
DP
DPDP · LocalizationData protection
SB
CycloneDX SBOMSupply chain

DevSecOps · Control Domains

Security owned end to end

Eight domains, policy through to evidence. Each one auditor-ready.

DOM · ISMS01

ISMS Governance & Policy

34 policies and an end-user guide: access control, incident response, secure development, third-party risk, cloud, PAM, retention.

ISMS-001…034End-User GuidePolicy Exceptions
DOM · VAPT02

Vulnerability Mgmt & Pen Testing

External assessor cycles with ZAP, Qualys and NMAP — driven through action-taken reports to full revalidation.

OWASP ZAPQualysNMAPRevalidation
DOM · APPSEC03

Application Security & SDLC

SonarQube SAST, CycloneDX SBOM, and mandatory Veracode + Black Duck gates in Azure DevOps.

SonarQubeVeracodeBlack DuckSBOM
DOM · CLOUD04

Cloud Security (AWS / Azure)

GuardDuty, Inspector, WAF and Fleet Manager in production. Encryption at rest, VPC segregation, hardening baselines.

GuardDutyInspectorWAFKMS
DOM · DATA05

Data Protection & Privacy

PII assessments, field-level encryption, retention SoPs with executable queries, data-localization compliance.

PII AssessmentEncryptionRetention SoP
DOM · IAM06

Identity & Access Management

RBAC matrices, joiner-mover-leaver, access recertification, MFA and PAM — each with reviewable evidence.

RBACJMLMFAPAM
DOM · BCDR07

Business Continuity & DR

DR policy, executed drills with formal reports, backup completion reporting, business-impact assessment.

DR DrillsBackup ReportsBIA
DOM · VENDOR08

Vendor Security & Due Diligence

Questionnaires and independent assessments for banks, insurers and Big-Four assessors — controls mapped to evidence.

ISGVRA / VAQQuestionnaires

Reference Architectures

Systems designed to be secure by construction

Production platforms across AWS and Azure. Segmented, encrypted, observable from the first diagram.

Production Kubernetes Platform

AWS · EKS
Enterprise SaaS · autoscaling · multi-AZ
Users WAF CloudFront ALB EKS · Karpenter RDS Multi-AZ· Redis
  • Security plane: GuardDuty, Security Hub, Inspector, Config, KMS & ACM across the account.
  • GitOps: Terraform (S3 tfstate) + GitHub + ECR; Bastion access via MFA only.
  • Observability: Prometheus, Grafana & Loki, with Site24x7 external checks.

Multi-AZ Resilient Web Platform

AWS · EC2
Mumbai / Hyderabad · active-active
Users WAF ALB App · AZ1 / AZ2 MariaDB· Redis
  • Resilience: application tier across two availability zones behind the balancer.
  • Hardening: private App/DB subnets, NAT egress, ACM TLS, KMS-encrypted S3.
  • Access & alerts: Bastion SSH with MFA; CloudWatch → SNS alerting.

Three-Tier Enterprise Platform

Azure
Big-Four assessor engagement · IaC provisioned
Users DDoS Public LB Web Subnet Internal LB App Subnet MongoDB · 1P/2S
  • Segmentation: isolated Web, Application & Database subnets inside one VNet.
  • Secrets & data: Key Vault, Blob Storage, Azure Monitor, Communication Service.
  • Delivery: whole environment as code via Terraform + Azure DevOps CI/CD.

Defense-in-Depth Uplift

AWS · Security Model
Current → Proposed · 6 layers
Perimeter Network Host Application Data Operational
  • Perimeter & network: Shield + WAF + Cognito; Transit Gateway + Network Firewall.
  • App & data: Secrets Manager, CodePipeline scans, Macie, KMS, CloudTrail.
  • Operational: Artifact + Config for continuous audit & compliance management.

Self-Service Analytics

mGrant · Trino
Embedded BI over operational data
Angular / Superset Trino · Coordinator Workers 0…n MongoDB Atlas
  • Distributed SQL: Trino coordinator/worker cluster querying MongoDB directly.
  • Delivery: Superset dashboards embedded in the Angular SaaS login.
  • Isolation: secured VPC peering between the cluster and Atlas.

Lakehouse Data Pipeline

Data · Airflow
Ingest → transform → serve → BI
FTP MinIO DuckDB ClickHouse Superset
  • Orchestration: Apache Airflow driving each stage of the flow.
  • Layers: MinIO object landing, DuckDB transform, ClickHouse serving store.
  • Insight: Superset querying ClickHouse for analyst-facing dashboards.

Client Due Diligence · Passed

Enterprise security assessments cleared

Full controls-to-evidence exercises. Each one cleared.

Leading Indian Bank
Banking · BFSI
Cleared

Vendor security assessment answered with full ISMS (34 policies), 16 registers, SBOM, DR-drill report, and SOC 2/3.

Private-Sector Bank
Banking · ISG
Cleared

ISG questionnaire responses and vendor security assessment, with application SBOM and control evidence.

Big-Four Assessor
Advisory · Audit
Cleared

Independent assessment on Azure — cloud config, SSO, vendor licenses, with Veracode + Black Duck release gates.

Global Investment Bank
Capital Markets
Cleared

IT security VAQ, pen-test action-taken evidence, ISO certificate, and incident-management SLA.

Manufacturing Enterprise
Industrials
Cleared

Platform security questionnaire responses mapped to live ISMS controls and evidence.

Retail Enterprise Group
Retail
Cleared

Security questionnaire, ISMS policy suite, SOC 2/3, VAPT revalidation, and ISO 27001 statement.

Financial-Services Firm
BFSI
Cleared

Vendor information and security assessment completed against ISMS evidence set.

Evidence Files · Selected Engagements

The work behind the seals

Four engagements where assess → remediate → evidence → revalidate is on record.

Enterprise DMS

ISA · PII · VAPT

A 53-control internal security assessment, carried end to end.

  • ISA-01 Asset inventory coverage & patching process evidence
  • ISA-07 SonarQube SAST across admin & mobile APIs
  • ISA-22 AWS Inspector, GuardDuty & malware protection
  • ISA-12 Pen test → action taken → 2nd-round revalidation
  • DEL/RET Data retention & deletion SoP with queries
All controls closed

mGrant

Product Compliance

The artifact set every client assessment draws from.

  • ARCH Technology architecture & security design document
  • ISMS 34 policies + 16 operational registers
  • PRIV Privacy statement, DR policy, JML process
  • DUE-D Banks, insurers & Big-Four assessors
  • VAPT VAPT certificate & ISO 27001 alignment
Continuously maintained

Retail Enterprise

Enterprise Onboarding

Full attestation package for retail-enterprise vendor onboarding.

  • ISMS Nine-policy ISMS pack + end-user guide
  • SOC SOC 2 & SOC 3 reports supplied
  • VAPT VAPT revalidation report
  • CERT ISO 27001 certification statement
Questionnaire cleared

NGO Platform

Assess · Harden · Recover

Application assessment and infrastructure resilience.

  • ZAP OWASP ZAP application security report
  • HARD Server configuration & control documentation
  • DR Disaster-recovery plan & data-management strategy
  • OBS CPU / disk / memory utilization monitoring
Remediated & documented

Toolbox

What I work in daily

The short list, not the exhaustive one. Anything here I can be interrogated on.

Cloud
AWSAzureKubernetes · EKSDocker
Delivery
TerraformHelmGitHub ActionsJenkinsAzure DevOps
Observability
PrometheusGrafanaLokiDatadog
Security
GuardDutySonarQubeVeracodeBlack DuckOWASP ZAP
Data & code
PythonBashAirflowTrinoPostgreSQL · MySQL · MongoDB