DevOps Engineering
Releases as a non-event. ~3× deploy frequency, ~60% faster, 500+ AWS resources as code.
Platforms that ship fast, stay up, and can prove they're secure.
I design the platform, lead the team that runs it, and hold the pager. 4.7 years on enterprise, NGO and government systems at 100K+ scale — each one carried through the security due-diligence of banks and Big-Four assessors.
Disciplines
From the first architecture diagram to the 3 a.m. page.
Releases as a non-event. ~3× deploy frequency, ~60% faster, 500+ AWS resources as code.
99.9% uptime at 100K+ users. Hardened staging cut production issues ~70%.
GPU-backed autoscaling compute and orchestrated pipelines into a query-ready lakehouse.
Security gates in every pipeline, VAPT driven to closure, a 34-policy ISMS behind the product. Zero incidents.
Multi-account AWS Organizations, multi-cloud, built for DR. ~50% lower spend.
Scope of Ownership
One practice, two verticals. I own the platform decisions for both.
mGrant and mCom, shipped as multi-tenant SaaS and white-label. Architecture, scaling, tuning and cost sit with me.
Where the product doesn't fit, we build bespoke. Same security bar, per-client environments, provisioned as code — a new engagement is a deployment, not a rebuild.
I set the standards, review the designs, and gatekeep production. GEM Award 2022, 2023 and 2024.
The technical half of winning enterprise deals. I answer the infosec questionnaires and map controls to evidence. Also scope DevOps-as-a-Service.
Infrastructure behind AI proof-of-concepts — and AI inside the delivery lifecycle itself.
Selected Work · Security Tooling
Internal codename Kotwal. One command audits the code, pen-tests the running deployment, and writes the fix.
Four specialist agents under one orchestrator. Each owns a different attack surface.
Reads the repo. Secrets, PII, dependency CVEs, SAST patterns, workflow and branch policy.
Probes what's actually running. SQLi, XSS, CSRF, IDOR, traversal, session and upload flaws.
Watches production. Uptime, certificate expiry, and the security headers auditors ask for.
Enforces the rules. Branch protection, secret scanning, CODEOWNERS, disclosure policy.
Frameworks & Attestations
Evidence maintained for the frameworks banks and Big-Four assessors test vendors against.
DevSecOps · Control Domains
Eight domains, policy through to evidence. Each one auditor-ready.
34 policies and an end-user guide: access control, incident response, secure development, third-party risk, cloud, PAM, retention.
External assessor cycles with ZAP, Qualys and NMAP — driven through action-taken reports to full revalidation.
SonarQube SAST, CycloneDX SBOM, and mandatory Veracode + Black Duck gates in Azure DevOps.
GuardDuty, Inspector, WAF and Fleet Manager in production. Encryption at rest, VPC segregation, hardening baselines.
PII assessments, field-level encryption, retention SoPs with executable queries, data-localization compliance.
RBAC matrices, joiner-mover-leaver, access recertification, MFA and PAM — each with reviewable evidence.
DR policy, executed drills with formal reports, backup completion reporting, business-impact assessment.
Questionnaires and independent assessments for banks, insurers and Big-Four assessors — controls mapped to evidence.
Reference Architectures
Production platforms across AWS and Azure. Segmented, encrypted, observable from the first diagram.
Client Due Diligence · Passed
Full controls-to-evidence exercises. Each one cleared.
Vendor security assessment answered with full ISMS (34 policies), 16 registers, SBOM, DR-drill report, and SOC 2/3.
ISG questionnaire responses and vendor security assessment, with application SBOM and control evidence.
Independent assessment on Azure — cloud config, SSO, vendor licenses, with Veracode + Black Duck release gates.
IT security VAQ, pen-test action-taken evidence, ISO certificate, and incident-management SLA.
Platform security questionnaire responses mapped to live ISMS controls and evidence.
Security questionnaire, ISMS policy suite, SOC 2/3, VAPT revalidation, and ISO 27001 statement.
Vendor information and security assessment completed against ISMS evidence set.
Evidence Files · Selected Engagements
Four engagements where assess → remediate → evidence → revalidate is on record.
A 53-control internal security assessment, carried end to end.
The artifact set every client assessment draws from.
Full attestation package for retail-enterprise vendor onboarding.
Application assessment and infrastructure resilience.
Toolbox
The short list, not the exhaustive one. Anything here I can be interrogated on.