Shift Smart, Not Just Left
Security bolted to a sprint is a tax. Built into the platform it’s invisible — and teams ship faster because of it. The paved road must be the secure road.
// DevSecOps · K8s Security · SBOM · Supply Chain · GCP Security · ● available
Anshumaan Singh
I engineer security the same way high-scale teams engineer reliability — as a system property designed, enforced, and continuously verified. Production behavior must remain predictable even under adversarial pressure.
Information Security Analyst (IC-2) at ZEE Entertainment, building security control planes across CI/CD, artifact supply chains, Kubernetes runtime, and GCP cloud governance — securing 350+ microservices so that insecure paths become operationally hard and secure delivery is the default.
0+
Microservices secured
0+
CI/CD security gates
0
Pro certifications
0+
Years in security
Security Control Plane — All Systems Nominal
Updated: just now
CI/CD Gates
350+ active
PASS
SBOM Coverage
100%
PASS
K8s CIS Benchmark
100%
PASS
OWASP Top 10
93%
REVIEW
Production Incidents
0
CLEAR
Anshumaan Singh
Security Systems Engineer
@ ZEE Entertainment
CKS
CKA
GCP
TF
LIVE SECURITY FEED
00:00:01 Pipeline scan completed — no criticals
00:00:02 SBOM generated — digest attached
00:00:03 CVE detected — EPSS 0.001 — accepted
00:00:04 Image promoted to UAT — gates passed
GitHub Actions
Trivy
SBOM
Kyverno
OWASP ZAP
Terraform
Cosign
Falco
Security Posture Score
Pipeline SecurityA+
Container HardeningA+
SBOM Coverage100%
Prod Incidents0
Currently Building
SBOM-driven policy engine
Auto-blocking CVE-detected builds · Kyverno + Sigstore
M.Tech Cybersecurity — BITS Pilani
Work-integrated learning program · 2026–2028
// Security Engineering Activity — 52 weeks
loading…
Less
More
Not a developer? Here's what this site is about.
Anshumaan Singh is a security engineer — the person whose job is to make sure software companies don't get hacked, don't leak data, and can move fast without breaking security. He does this at ZEE Entertainment (a major Indian media company) for 350+ apps. The technical content here is proof of work for hiring managers and fellow engineers.
About Me
$ whoami
nameAnshumaan SinghroleInfoSec Analyst IC-2 — ZEE Entertainmentscope350+ microservices · CI/CD · K8s · Cloud · AppSeccertsCKS · CKA · GCP-SEC · GCP-PCA · GCP-ACE · TF-ASClocationBengaluru, IndiastatusACTIVE ✓
Most security teams react. Watch alerts. Triage tickets. Ship reports. I build systems where the dangerous path is operationally hard before anyone notices it exists.
At ZEE Entertainment I secured 350+ microservices from code commit to production — not by reviewing more, but by making insecure releases structurally impossible. No bypass paths. No rebuilds in prod. No “we’ll fix it next sprint.”
I treat security the way reliability engineers treat uptime: with invariants. If a control can be bypassed — it isn’t one. If a gate produces noise — it erodes trust. If evidence doesn’t travel with the release — it doesn’t exist. That’s the philosophy behind everything I ship.
350+
microservices in scope
6
industry certifications
2+
years at ZEE
3
cloud platforms secured
Engineering Philosophy
Six principles tested under production pressure — not borrowed from a framework.
Identity is the Control Plane
Network perimeters trust the packet. I trust the identity. Short-lived, OIDC-federated, cryptographically verifiable — unforgeable by design.
Guardrails over Gates
Gates block. Guardrails guide. One kills velocity — the other multiplies it. Build systems where the safe path is also the easiest path.
Detection as Code
An alert no one acts on is just log noise with extra steps. Every detection I ship maps to a playbook and a decision — not a Slack ping.
Evidence over Assertions
Don’t tell auditors you’re secure — show them. SBOM linked to commit. Scan output signed. Promotion gate logged. Theater out. Evidence in.
Risk-based, Not Fear-based
Not every critical CVE is worth blocking. Not every low is safe to ship. CVSS + EPSS + reachability = one decision: block, allow with evidence, or accept with expiry.
What I Built
Real pipelines. Real enforcement. Built for 350+ services — not a conference slide.
CI/CD Security Control Plane
- Multi-stage DevSecOps pipelines: build → scan → deploy → post-deploy validate.
- PR-only merges + CODEOWNERS + branch protections to eliminate bypass paths.
- Dependency ordering: verify → build → tag → scan → push → deploy → notify.
- Slack release telemetry with commit/build metadata + scan artifact retention.
Supply Chain Integrity + SBOM
- Immutable image versioning — removed latest tags to eliminate deployment drift.
- Build once → promote: Dev → UAT → Prod without rebuilds in production.
- Evidence chain: scan outputs + approvals + image digest tracking per release.
- Only scanned + approved digests via registry path enforcement.
Kubernetes Runtime Guardrails
- kubeaudit to detect risky workload patterns and enforce baseline hygiene.
- Secure deployment baseline: healthchecks, limits, safe defaults, namespace patterns.
- Prevented privileged workloads and unsafe configurations at admission time.
AppSec + Secrets Remediation
- Led response for hardcoded Azure storage keys, OAuth secrets, leaked tokens.
- Coordinated safe rotation workflows with zero production impact.
- Web / API / Mobile penetration testing with actionable remediation guidance.
Live Pipeline Simulation
Click git push to watch a commit travel through the full security control plane — 7 gates, 0 bypass paths.
git push
SAST / SCA
Build
Image Scan
Sign
Promote
K8s Deploy
pipeline.log — click a stage or press Run
$ awaiting trigger… press Run Pipeline below
System Design
I don’t patch systems. I design them to hold under pressure — where invariants replace assumptions and every control is structural, not procedural.
Core Security Invariants
- Identity is the control plane — short-lived, least privilege.
- Verification is deterministic — non-bypassable CI gates + evidence.
- Artifacts are immutable — digests + controlled promotion paths.
- Runtime is constrained — policy + RBAC + secure contexts.
- Everything is auditable — logs + scan outputs + approvals.
Design Principles
- Guardrails over manual reviews — automate the safety net.
- Secure paved roads enable engineering velocity.
- Risk-based gating — severity + exploitability + probability.
- Policy as code, evidence as artifacts, everything traceable.
- Commit → build → digest → deployment end-to-end traceability.
// SECURE SYSTEM DESIGN — END-TO-END ARCHITECTURE FLOW
Each layer enforces a different security control. No single point of bypass. Evidence flows from commit to runtime.
Reference Architecture
Source to prod. No untrusted artifact reaches runtime. Every transition has a gate and a receipt.
Pipeline Evidence Snapshot
SBOM / Attestation / Scan pipeline output
Proof-of-implementation artifact — real pipeline output, not a diagram.
// Every release is trustworthy — or it doesn't ship.
Source Governance
- Pre-commit + signed commits + PR-only merges
- CODEOWNERS + branch protection + required checks
- Main branch as single source of truth
CI Verification
- Ephemeral runners + deterministic security gates
- SAST + SCA + Secrets + IaC enforced at build time
- Quality gate: pass/fail with evidence artifacts retained
Supply Chain
- Build once → scan → SBOM → provenance signed
- Image digest tracking + immutability
- Evidence travels with release Dev→UAT→Prod
Runtime Enforcement
- Admission policy blocks unsafe workloads
- RBAC + namespaces + securityContext reduces blast radius
- Audit logs + SIEM + IR playbooks
Supply Chain Pipeline
How every artifact goes from git push to production. Every transition has a gate. Every gate leaves evidence.
Source Governance
Pre-commit hooks · Signed commits · PR-only merges · CODEOWNERS · Branch protection rules
CI Security Gates
SAST · SCA · Secret scanning · IaC scan · Evidence retained per build · Deterministic pass/fail
SBOM + Signing
Syft generates SBOM · Cosign signs image · Digest locked · Supply chain provenance · Attestation attached
Controlled Promotions
Build once → Dev → UAT → Prod · QA approval gates · Digest-only deployments · No rebuilds in production
Runtime Enforcement
Kubernetes admission control (Kyverno) · RBAC · securityContext · NetworkPolicies · DAST post-deploy · SIEM monitoring
GitOps — ArgoCD & GitHub Actions
ArgoCD declarative GitOps for K8s deployments · GitHub Actions ephemeral runners · Branch-based environment promotion · Rollback via Git revert
Service Mesh — Istio & mTLS
Istio service mesh for east-west mTLS encryption · Envoy proxy sidecars · Traffic policy enforcement · Mutual TLS between microservices · Zero-trust network identity
eBPF Runtime Security — Falco & Cilium
eBPF kernel-level visibility · Falco runtime threat detection with custom rules · Cilium network policy enforcement · Syscall-level audit with near-zero overhead · Deepening: Tetragon for process-level tracing
// Runtime Security Stack — Defense in Depth
GitHub Actions
→
ArgoCD GitOps
→
Kyverno Admission
→
Istio mTLS
→
Falco + eBPF
→
SIEM Alerts
Every layer adds enforcement. eBPF gives kernel-level visibility without modifying application code. Istio encrypts all east-west traffic. ArgoCD ensures only Git-approved state runs in production.
Case Studies
Not hypotheticals. Not labs. These happened — here’s what I did.
RPT-2024-001
INCIDENT
Secrets Leakage Response
- Detected hardcoded Azure Storage keys + OAuth secrets — validated exposure scope.
- Coordinated secure rotation without production downtime.
- Implemented prevention: secret scanning + branch protections + audit evidence.
✓ Reduced recurrence through enforcement + governance
RPT-2024-002
INVESTIGATION
Scanner Inconsistency Analysis
- Prisma returned zero CVEs for known-vulnerable images — root-caused the gap.
- Cross-validated with Trivy + public CVE refs to confirm true risk exposure.
- Improved pipeline trust: scan evidence retention + multi-scanner validation.
✓ Fewer failures from scanner inconsistency
RPT-2024-003
DESIGN
Controlled Promotions
- "Build once, promote many" — no rebuilds in prod, no drift.
- Approval gates + registry path enforcement block unauthorized deployments.
- Digest-level traceability across all environments.
✓ Full commit-to-production traceability
RPT-2024-004
AUTOMATION
OWASP ZAP DAST + K8s
- Automated DAST via kubectl runtime service discovery for real endpoints.
- Post-deploy checks reflecting production-like behavior (not assumptions).
- Integrated into CI/CD with blocking thresholds and evidence retention.
✓ Improved coverage beyond static analysis
Threat Model
I model threats the way attackers think — not the way auditors check boxes. Kill-chain mapped. Response-ready. No theoretical vectors that can’t be exploited.
SEVERITY: CRITICAL
Primary Threat Vectors
- Credential theft — tokens, OAuth secrets, cloud keys
- Pipeline compromise — runner persistence, secret exposure
- Dependency compromise — typosquatting, malicious packages
- Container base image vulnerabilities + drift via mutable tags
- Kubernetes privilege escalation — privileged pods, host mounts
- Lateral movement — east-west traffic abuse
- Data exfiltration — egress misuse, weak PII boundaries
SEVERITY: HIGH
Kill Chain Defense Mapping
- Recon → WAF + rate limiting + minimal exposure
- Initial Access → secrets scanning + SAST + admission deny
- Privilege Escalation → RBAC + securityContext hardening
- Lateral Movement → segmentation + NetworkPolicy + mTLS
- Exfiltration → egress restrictions + PII boundaries
- Impact → SIEM detections + IR containment playbooks
Evidence
Saying you ran the scan isn’t evidence. Here’s what real pipeline evidence looks like.
Evidence Pack Includes
- SAST, SCA, Secrets, IaC, Image scan, DAST reports per build
- Build metadata: workflow run ID, commit SHA, branch, actor
- Artifact metadata: image digest, tags, registry path
- Promotion approvals: QA gates / policy decisions per stage
- All artifacts retained per pipeline for compliance and RCA
SBOM Snapshot — Real Output
Real pipeline artifact attached to a release. Not mocked.
// CVE Intelligence Watchlist
Live EPSS-scored
CVE ID
Component
CVSS
EPSS
Status
CVE-2024-21626
runc / containerd
9.1
0.041
✓ Mitigated
CVE-2023-44487
HTTP/2 Rapid Reset
7.5
0.972
✓ Patched
CVE-2024-3094
XZ Utils / liblzma
10.0
0.001
✓ Not exposed
CVE-2024-6387
OpenSSH regreSSHion
8.1
0.031
⚑ Monitoring
CVE-2023-52425
libexpat / Python
7.5
0.002
⊘ Risk accepted
CVE-2025-29927
Next.js Auth Bypass
9.1
0.018
✓ Patched
CVE-2025-24813
Apache Tomcat RCE
9.8
0.046
✓ Mitigated
CVE-2025-30065
Apache Parquet RCE
10.0
0.021
✓ Not exposed
CVE-2025-22224
VMware vSphere ESXi
9.3
0.012
⚑ Monitoring
CVE-2025-21395
npm / package-lock
8.4
0.009
✓ Mitigated
EPSS scores sourced from FIRST.org. Trivy + Prisma cross-validated. Updated per pipeline run.
Risk Engine
Not every critical CVE should block a release. Not every low-severity is safe to ignore. This is how I separate signal from noise and keep engineering teams moving.
Risk Scoring Inputs
- CVSS → technical severity baseline
- EPSS → likelihood of exploitation in the wild
- Exploit maturity → public exploit availability
- Reachability → exposed surface + runtime path analysis
- Compensating controls → RBAC, WAF, egress restrictions
Policy Gate Outcomes
- Block — exploitable criticals or active policy violations
- Allow + evidence — low risk with full traceability
- Exception + expiry — tracked risk acceptance
- Auto-promote — clean evidence + approved digest
Experience
Two years. One team. One mission: make insecure releases structurally impossible across 350+ microservices.
Cluster Security Status — Production
namespace: zee-prod-*
Workload
Type
Replicas
Image Policy
Last Scan
Status
api-gateway
Deployment
3/3
✓ signed
00:01 ago
Running
auth-service
Deployment
5/5
✓ signed
00:02 ago
Running
sbom-validator
CronJob
1/1
✓ attested
00:00 ago
Running
falco-daemonset
DaemonSet
12/12
✓ signed
00:01 ago
Running
kyverno-admission
Deployment
2/2
✓ policy
00:00 ago
Running
All workloads enforce: no-root · read-only-fs · resource limits · digest-pinned images
ZEE Entertainment Enterprises Ltd
Information Security Analyst (IC-2)
350+ microservices
CI/CD gates
SBOM
K8s guardrails
Scope
Security engineering across cloud-native delivery for 350+ microservices from
code → pipeline → registry → Kubernetes runtime.
CI/CD Security Control Plane
- Engineered CI/CD Security Control Plane: deterministic enforcement across build, scan, deploy, and post-deploy validation.
- PR-only merge governance: CODEOWNERS + branch protections + required checks to eliminate main-bypass risk.
- Multi-language SAST + SCA for Maven/Node with policy thresholds blocking high-risk dependencies.
- Organization-wide secret scanning: OAuth secrets, cloud keys, hardcoded tokens across all repositories.
- Container scanning: Prisma Cloud (twistcli) + Trivy cross-validation to reduce scanner trust failures.
- IaC scanning to prevent insecure K8s manifests/cloud misconfigs from reaching runtime.
- OWASP ZAP DAST with kubectl dynamic URL extraction for post-deploy validation coverage.
- Pipeline order: verify → build → tag → scan → push → deploy → validate → notify.
- Evidence retention: scan outputs, logs, approvals, digests per pipeline for compliance and RCA.
- Slack release telemetry with commit/build/actor metadata to reduce release ambiguity.
- Parallel scanning stages: improved velocity while preserving enforcement integrity.
Supply Chain Security + SBOM
- Controlled artifact promotion: QA promotes images separately for UAT/Prod — no rebuilds in production.
- Immutable versioning (v1.0) prevents deployment drift caused by mutable latest tags.
- Only scanned + approved images eligible for deployment via digest-level validation.
- Evidence model: scan results + approvals + digest tracking = attestation-ready delivery.
- Traceability: commit → build → image digest → deployment across all environments.
- Promotion gates to block images not present in approved registry paths.
Kubernetes Security Engineering
- kubeaudit to detect risky cluster/workload configurations at scale.
- Baseline enforcement: secure probes, resource limits, safe defaults, namespace isolation.
- Privileged workload prevention and unsafe pattern blocking via admission enforcement.
- Kubernetes cluster setup + validation with kubeadm (v1.28.1).
- Blast radius control through workload boundaries and least-privilege patterns.
- Achieved 100% CIS Kubernetes Benchmark (v1.5.1) compliance across production clusters.
- Achieved 93% OWASP Top 10 (2022) coverage across application security scope.
Cloud Governance + Migration Security
- Secure cloud governance strategy across environments and teams.
- Secure IAM and access boundary design to reduce cloud attack surface.
- GCP migration security design for HIPI project.
- Posture improvements aligned with production delivery requirements.
- Governance as guardrails (policy-as-code) not documentation-only controls.
- Strengthened GitHub Enterprise security with org-level controls, audit logging, and SIEM detections.
- Built Golden Image pipeline for CIS-compliant Linux images with automated OS hardening.
- Enforced perimeter security using Conditional Access + IP restrictions + service controls.
AppSec + Secrets Remediation
- Web, API, and mobile penetration testing across application security scope.
- Auth, access control, API misuse, and misconfiguration validation.
- Secure design review and remediation guidance for engineering teams.
- Led response for hardcoded Azure Storage Account keys and OAuth credentials in source control.
- Coordinated secret rotation safely, zero production impact.
- Bridge between AppSec + DevOps + QA + Engineering for secure releases at scale.
Education
M.Tech — Software Systems (Cybersecurity)
Work-integrated postgraduate: secure software engineering, applied security architecture, cloud security, IAM, and assurance across SDLC.
Vellore Institute of Technology, Chennai
B.Tech — Electronics & Communication Engineering
Engineering foundations: systems, networks, embedded systems, signal processing, and computing fundamentals.
Open Source Projects
Real repositories. Real security engineering. Every repo has commits. Every problem is documented.
10 real Kubernetes misconfigurations — each exploited end-to-end and documented with a hardening guide. A hands-on security workshop covering RBAC escapes, privileged pod exploits, host namespace attacks, and more.
kubernetes-security
misconfigurations
hardening
workshop
CKS
Intentionally vulnerable Flask application built for the Kubernetes security lab. Demonstrates RCE chains, container escape paths, and host namespace attacks — purpose-built to be exploited and studied.
flask
vulnerable-app
RCE
container-escape
host-escape
Production-pattern Kubernetes manifests, ArgoCD GitOps app definitions, and cluster setup scripts powering the k8s-security-lab. Demonstrates real-world deployment patterns and GitOps workflows.
kubernetes
argocd
gitops
manifests
Container image signing and attestation using Sigstore Cosign. Demonstrates the full supply chain integrity flow — sign the image, attach SBOM, verify before deploy. No trusted image without a verified signature.
cosign
sigstore
supply-chain
SBOM
Policy-as-code with Kyverno for Kubernetes admission control. Demonstrates how to block privileged pods, enforce image registries, require labels, and auto-mutate workloads — governance without manual review.
kyverno
policy-as-code
admission-control
OPA
Custom regex patterns for detecting org-specific secrets in CI/CD scanning pipelines. Handles Azure storage keys, internal API tokens, custom service credentials — beyond what default scanners catch.
secret-scanning
regex
CI/CD
supply-chain
Terminal Explorer
An interactive terminal. Try: help · whoami · skills · certs · experience · github
Welcome to devsecopswithanshu.com
Type help for available commands. Press Tab to autocomplete.
help
whoami
skills
certs
experience
github
contact
matrix
Technical Skills
Proficiency mapped to production usage, certification outcomes, and engineering impact — not self-reported buzzwords.
Proficiency vs. max — based on cert outcomes & production impact
// Security Engineering
// Tools & Platforms
// Tech Stack Icons
Kubernetes
Docker
GH Actions
Terraform
GCP
AWS
Azure
Linux
Python
Helm
ArgoCD
Prometheus
Grafana
GitHub
Sigstore
Bash
Currently deepening:
eBPF runtime security (Cilium / Falco)
SLSA supply chain framework (Level 3)
Zero-trust mesh (Istio + mTLS)
BITS Pilani M.Tech CS — Cybersecurity track
Certifications
Six industry-recognized credentials — each tested under real exam pressure, each applied in production.
Expert
CKS
Certified Kubernetes Security Specialist
Cloud Native Computing Foundation · Linux Foundation
Advanced
CKA
Certified Kubernetes Administrator
Cloud Native Computing Foundation · Linux Foundation
Professional
GCP-SEC
Professional Cloud Security Engineer
Google Cloud
Professional
GCP-PCA
Professional Cloud Architect
Google Cloud
Associate
TF-ASC
HashiCorp Certified: Terraform Associate
HashiCorp
Associate
GCP-ACE
Associate Cloud Engineer
Google Cloud
Achievements
Numbers that are traceable to actual outcomes — not made up for a resume.
100%
CIS Kubernetes Benchmark v1.5.1
Achieved full compliance across all production Kubernetes clusters
CKS verified
93%
OWASP Top 10 (2022) Coverage
Application security scope coverage across ZEE's service portfolio
AppSec verified
0
Production Security Incidents
Since implementing security control plane across all 350+ services
350+
Microservices Secured End-to-End
CI/CD → Container → K8s Runtime — full supply chain coverage
59
Public GitHub Repositories
Security labs, tools, and engineering projects — all public
700+
Claps on Security Engineering Articles
221 followers · 10+ published articles on Medium
Golden
CIS-Hardened Golden Image Pipeline
Automated OS hardening pipeline — production-validated CIS compliance
Org-wide
GitHub Enterprise Security Controls
Org-level security, audit logging, SIEM detections, conditional access
FAQ
What does a typical week look like for you?
Security engineering sprints: reviewing CI/CD pipeline scan results, remediating high-priority CVEs with engineering teams, tuning SIEM detections, participating in design reviews for new microservices, and writing security runbooks. No two weeks are identical — that's the point.
What makes your DevSecOps approach different?
I treat security as a system property, not a review step. My pipelines don't "check" security — they structurally prevent insecure releases. The CI gate either passes or the build doesn't exist. No "we'll fix it next sprint." No bypass path.
Open to new opportunities?
How do you approach CVE triage?
CVSS alone is noise. I use a three-signal model: CVSS (technical severity) + EPSS (exploitation probability in the wild) + reachability (is the affected code path actually executed in my runtime?). Only the intersection of all three drives immediate action.
Do you do pen testing or just pipeline security?
Both. I've done web app, API, and mobile pen testing at ZEE Entertainment — auth bypass, access control, API misuse, and misconfiguration validation. I also built the DAST automation that runs post-deploy in CI/CD via OWASP ZAP with kubectl runtime URL discovery.
What's your stack for a greenfield security program?
Start with identity (OIDC, short-lived credentials). Layer in CI security gates (SAST + SCA + secrets scan). Add image scanning + SBOM before registry push. Enforce Kubernetes admission via OPA/Kyverno. Connect to SIEM. Everything else is config on top of those six primitives.
How do you manage security at scale across 350+ microservices?
Policy as code is the only way. You can't review 350+ services manually — you make the insecure path impossible at the platform level. I use Kyverno admission policies to block unsafe deployments, org-level GitHub Actions templates to standardize CI security gates, and a single evidence model (scan output + digest + approval) that every service inherits automatically. The controls live in the platform, not in per-service config.
What's your approach to threat modeling — STRIDE, PASTA, or something else?
I use STRIDE for system-level threat enumeration during design reviews, and PASTA for risk-priority ranking in sprint planning. In practice, I focus on attack surfaces: credential paths (secrets, tokens, IAM), pipeline injection points (runner compromise, dependency substitution), and runtime escape vectors (privileged pods, host mounts, RBAC gaps). The framework is less important than covering the actual blast radius per component.
How do you handle security incidents at 2am?
Pre-built runbooks and a clear escalation tree — decisions made during incidents should be policy, not improvisation. I've built runbooks for secrets leakage (validate exposure → rotate → audit trail), container escape (isolate pod → revoke credentials → force redeploy), and RBAC violation (lockdown namespace → audit log review → policy update). The goal is to move from detection to containment in under 15 minutes.
What's your view on eBPF and service mesh for cloud-native security?
eBPF is the most impactful new primitive for runtime security — kernel-level visibility with near-zero overhead, no agent sidecar needed. Falco + Cilium gives you both network policy enforcement and syscall-level threat detection. Istio mTLS ensures all east-west traffic is encrypted and identity-verified. Together they remove implicit trust from the data plane. I'm actively deepening expertise in Tetragon for process-level observability.
How do you measure the effectiveness of a DevSecOps program?
Four key metrics: (1) Mean Time to Remediate critical CVEs — should be hours, not sprint cycles. (2) Gate escape rate — how many high-risk changes slip through CI? Should be zero. (3) SBOM freshness — is every running artifact's dependency graph known and current? (4) Policy violation trend — are we blocking more insecure patterns or are teams routing around controls? Improving all four simultaneously means the program is actually working.
Writing & Publications
221 followers
/
700+ claps
/
10+ articles published
/
Security engineering depth — written for practitioners, not marketing
Runtime Security
👏 115
Most Read
CrowdStrike Falcon
Kubernetes Runtime Security: Deploying CrowdStrike Falcon Sensor via Helm Charts
Production-grade deployment of CrowdStrike Falcon sensor across Kubernetes clusters — runtime threat detection, DaemonSet topology, and Helm-managed rollouts.
DevSecOps
👏 106
Security CLI
Log Analysis
100 Essential Linux Commands for Security & DevSecOps Professionals
A curated reference every security engineer must master — file inspection, network forensics, process analysis, log investigation, and system hardening from the terminal.
Cloud Security
👏 104
IAM
Cloud Armor
SCC
VPC SC
Mastering Google Cloud Security: Best Practices for a Resilient GCP Infrastructure
IAM hardening, Cloud Armor WAF, Security Command Center, VPC Service Controls, and posture management for enterprise GCP environments.
Compliance
👏 101
ISO 27001
SOC 2
HIPAA
PCI DSS
A Deep Dive into Security Compliance: ISO 27001, SOC 2, HIPAA, PCI DSS & More
What each major compliance framework actually requires, where they overlap, and a pragmatic plan for implementation across engineering and security teams.
Multi-Cloud
👏 50
Latest
Cloud Security That Actually Prevents Incidents: Lessons from Production
Real lessons from implementing cloud security across AWS, GCP, and Azure in production — what actually prevents incidents versus what is security theater.
221 Medium followers
·
700+ total claps
·
10+ published articles
View all on Medium ↗
Connect
If you’re building security that has to hold under pressure — or breaking systems to find out what doesn’t — I want to hear from you.
$ initiate-contact --method=email --priority=high
→ Establishing secure channel to anshumaansingh10jan@gmail.com
→ Response time: typically within 24h
→ Open to: DevSecOps / Cloud Security Engineer opportunities
Ask Anshumaan — simulated Q&A
Try: "certs", "skills", "experience", "projects", "sbom", "k8s"