Security Engineering

I build security systems that reduce risk and prove it.

I'm a GCP and AWS platform security engineer. I like messy environments, unclear ownership, and noisy telemetry, because that's where real security work lives. I build the pipelines, controls, and tooling that turn 'we think we're okay' into 'we can prove it,' without making engineering feel like a paper mill.

  • AWS and GCP
  • Platform Security and IAM
  • Detection and DFIR Enablement
  • Security Automation
  • Compliance Reality: SOC 2 and PCI
  • Insider Threat and Investigations
DJ Moore

How I Work

About

I prioritize a few key security problems that actually move risk, build systems that reduce the problem permanently, and then make it easy for other teams to do the right thing without needing security in the room. I work close to the seams where things break: identity, logging, CI/CD, policy, and the "who owns this?" problem.
I'm not interested in security theater. I like controls you can verify, telemetry you can trust, and workflows that don't depend on heroics. When I ship something, I want it to keep working after launch: documented, automated where it should be, and measurable enough that both leadership and engineers understand the outcome.
I've done this in regulated environments where PCI and audit requirements are real, and in places where privacy and legal constraints matter just as much as detection. I've also lived the small team reality where you can't scale by doing more manual work, so you scale by building better systems and teaching others how to use them.

Capabilities

What I Do

Platform Security

I design the control plane for cloud environments: identity, segmentation, and guardrails that are easy to operate and hard to bypass. The goal is consistent access patterns, smaller blast radius, and fewer "special cases" that turn into future incidents.

  • Cloud identity design across GCP and AWS (roles, groups, approvals, governance)
  • Network segmentation and scoped environments for compliance and risk reduction
  • Threat modeling for platform changes and sensitive code paths

Detection, DFIR, and Logging

I care about signal. I like clean pipelines, stable schemas, and detections that someone will still trust at 2 a.m. I build triage patterns, tuning workflows, and playbooks so response stays calm and repeatable.

  • SIEM migrations and operations (Chronicle, Splunk), plus log routing and normalization
  • Detection tuning that reduces noise without throwing away real signal
  • Incident response workflows: clear triage, enrichment, and consistent steps for responders

Automation and IaC

If something is repeatable, I want it coded. I use automation to reduce drift, reduce manual toil, and keep the "right way" easy to adopt. I'm comfortable writing the glue code that turns tools into a system.

  • Terraform modules and standards for identity and platform security
  • Python and Bash automation for ETL, workflows, and repeatable operations
  • Self-service patterns that move security from "ticket queue" to "review and governance"

Insider Threat and Investigations

I've built and operated insider threat capabilities in regulated environments, balancing security, privacy, and legal constraints. The work is less about "monitor everything" and more about scoped, justified triggers that create defensible evidence when something is off.

  • Partnering with legal, privacy, GRC, and policy teams to define what's allowed and why
  • Investigation workflows that focus on anomaly detection, evidence collection, and least-privilege access
  • Controls around sensitive records and high-profile access patterns in healthcare environments

GitHub

GitHub Projects

proxmox-terraform

A single VM configured for running 5-10 Docker containers.

Tags: Terraform, Proxmox, Cloud-Init, Docker

proxmox-upgrader

A utility designed to streamline and automate the upgrade process for Proxmox servers.

Tags: Python, Proxmox, Automation

oraclecloud-portainer-free-tier-terraform

Terraform setup for OCI Portainer for containerization.

Tags: Terraform, OCI, Tailscale, Docker, Portainer

Proof

Selected Work

Vulnerability Management Program Built From Scratch

Problem
We started with visibility shock: millions of vulnerability findings across the environment and no scalable way to assign ownership, track remediation, or produce clean evidence for PCI. Early efforts relied on manual spreadsheets and ad-hoc follow-ups.
What I built or changed
Sequestered PCI resources into a segmented environment to shrink scope and focus effort. Built a BigQuery-backed vulnerability inventory by pulling Prisma Cloud data via Python ETL and combining it with repository ownership mapping. Layered in GitHub security signals (SAST and dependency findings) and built a dashboard so teams could self-serve: "what is mine, where did it come from, and how do I fix it?"
Result
Took PCI vulnerability state from "chaos and manual tracking" to a single pane of glass with ownership and evidence, driving PCI vulnerabilities (low through critical) down to zero in under six months. Reduced audit thrash and made remediation a repeatable workflow.
Tools
GCP, Prisma Cloud, BigQuery, Python, GitHub Advanced Security, ClickUp

GCP IAM Privilege Reduction With Governance and Cleanup

Problem
Migration to GCP left behind overly broad, inconsistent permission models: primitive roles, custom roles with huge permission sets, and console-created access patterns that caused drift and privilege creep.
What I built or changed
Used Security Command Center IAM analysis to identify permissions actually used over time, then rebuilt access through Terraform-managed groups and bindings. Introduced a governance model where access changes flowed through PR review, and aligned identity workflows across Okta, Google Workspace, and GCP so access didn't require constant manual moves.
Result
Reduced unused permissions by 50% across major groups while keeping teams productive, shrinking blast radius and replacing console drift with reviewable, self-documenting infrastructure-as-code.
Tools
GCP IAM, Security Command Center, Terraform, Okta, Google Workspace, GitHub PR workflows

SIEM Migration and Strong Signal-to-Noise Improvement

Problem
A legacy SIEM created operational drag and noisy alert streams. Separately, a single SCC alert type was generating tens of thousands of events that responders were close to ignoring entirely.
What I built or changed
Migrated from AlienVault to Chronicle, moving core integrations (forwarders, Pub/Sub sources, webhooks) and adding new coverage where it mattered. For the high-noise SCC alert, partnered with engineering to isolate the exact benign pattern and implemented targeted suppression logic that removed the noise without losing real signal.
Result
Modernized SIEM operations by reducing care and feeding and improving reliability. Tuned a single detection stream down by ~89k events, preserving trust and preventing responders from blanket-ignoring a whole alert category.
Tools
Chronicle, SCC, Pub/Sub, forwarders, detection tuning, cloud integrations

Splunk Consolidation and Entra ID SSO

Problem
Splunk was fragmented across accounts with monolithic servers, inconsistent access controls, and user sprawl. Admin work was not scalable, and offboarding required touching too many systems.
What I built or changed
Re-architected Splunk into components (indexers, search head, heavy forwarders) and replaced monoliths with a centralized model. Built CloudFormation templates for repeatable server foundations and wrote Bash automation to migrate configs and data, including validation checks. Implemented Entra ID SSO via SAML to consolidate identity and role mapping.
Result
Reduced account sprawl and made access management centralized and sane. Automation cut hours of migration babysitting per server, improved repeatability, and enabled scalable growth across accounts.
Tools
AWS, Splunk, CloudFormation, Bash, Entra ID (SAML), SSM/systemd workflows