
Anshumaan Singh
Information Security Analyst at ZEE Entertainment — building security control planes that make insecure releases structurally impossible across 350+ microservices, Kubernetes runtime, CI/CD pipelines, and GCP cloud governance. 6 certifications. 0 production incidents.

📍 Bengaluru, India 🏢 InfoSec Analyst @ ZEE Entertainment ✦ Open to opportunities
350+ microservices secured · 6 professional certifications · 10+ credentials earned · 0 production incidents
Anshumaan Singh · Security Systems Engineer @ ZEE Entertainment
Badges: CKS · CKA · GCP-SEC · TF

Security Control Plane: all nominal
  • CI/CD gates: 350+ · PASS
  • SBOM coverage: 100% · PASS
  • CIS K8s Benchmark: 100% · PASS
  • OWASP Top 10: 93% · REVIEW
  • Prod incidents: 0 · CLEAR

Currently building: SBOM-driven policy engine, auto-blocking CVE builds (Kyverno + Sigstore)
M.Tech Cybersecurity, BITS Pilani (work-integrated learning, 2026–2028)
Currently studying: eBPF security · OWASP ASVS L3 · AI/ML threat modeling
Stack: GitHub Actions · Trivy · SBOM · Kyverno · OWASP ZAP · Terraform · Cosign · Falco · GCP · Kubernetes
I engineer security the same way high-scale teams engineer reliability — as a system property designed, enforced, and continuously verified. Production behaviour must remain predictable even under adversarial pressure.


5 things that are true before you read further
01 Production 350+ live microservices secured end-to-end — CI/CD → container → Kubernetes runtime
02 Certified CKS · CKA · GCP Professional Security · GCP Architect · Terraform Associate — all active
03 Award ZeeOlympics Best Performer awarded two consecutive years — FY 2023–24 and FY 2024–25
04 0 incidents Zero production security incidents since deploying the DevSecOps control plane
05 Public repo 59 public GitHub repositories: security labs, pipeline tooling, Kubernetes hardening guides
01

About Me

Security engineer focused on scalable controls, measurable outcomes, and strong engineering collaboration.

Most security programs rely on reactive workflows. I focus on building systems where the risky path is operationally difficult and the secure path is the default.

At ZEE Entertainment I secured 350+ microservices from code commit to production — not by adding review overhead, but by designing controls that prevent insecure releases by default. The result: no bypass paths, deterministic promotions, and stronger release confidence.

I treat security the way reliability engineers treat uptime: with invariants. If a control can be bypassed — it isn't one. If a gate generates noise — trust drops. If evidence does not travel with the release — audits and incident response both get harder.

📍 Bengaluru, Karnataka, India
🏢 Information Security Analyst @ ZEE Entertainment (Jun 2023 – Present)
🎓 Pursuing M.Tech CS (Cybersecurity) — BITS Pilani (2026–2028)
🤝 Open to DevSecOps / Cloud Security opportunities
350+
Microservices in scope
CI/CD → Container → K8s → Cloud
10+
Credentials & certifications
CKS · CKA · GCP-SEC · GCP-PCA · TF · ACE
2+
Years in security at ZEE
Jun 2023 – Present
0
Production security incidents
Since control plane deployed
02

Engineering Philosophy

Six operating principles shaped by production delivery across CI/CD, Kubernetes, and cloud security.

01

Shift Smart, Not Just Left

Security bolted to a sprint is a tax. Built into the platform it's invisible — and teams ship faster because of it. The paved road must be the secure road.

02

Identity is the Control Plane

Network perimeters trust the packet. I trust the identity. Short-lived, OIDC-federated, cryptographically verifiable — unforgeable by design.

03

Guardrails over Gates

Gates block. Guardrails guide. One kills velocity — the other multiplies it. Build systems where the safe path is also the easiest path.

04

Detection as Code

An alert no one acts on is just log noise with extra steps. Every detection maps to a playbook and a decision — not a Slack ping.

05

Evidence over Assertions

Don't tell auditors you're secure — show them. SBOM linked to commit. Scan output signed. Promotion gate logged. Theater out. Evidence in.

06

Risk-based, Not Fear-based

Not every critical CVE is worth blocking. CVSS + EPSS + reachability = one clear decision: block, allow with evidence, or accept with expiry.
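The rule above as an added, runnable example (illustrative code, not the author's pipeline or any scanner's output): a finding carries a CVSS score, an EPSS probability and a reachability flag, and the gate maps it to exactly one of the three outcomes. The thresholds (CVSS ≥ 7.0, EPSS ≥ 0.10), the 7- and 30-day acceptance windows, the fix_available field and the CVE identifiers are assumptions. The CVSS + EPSS triage mentioned in the CI/CD and alert-triage bullets further down is the same kind of decision function.

```python
"""CVSS + EPSS + reachability -> one triage decision.

Added example for the decision rule stated above; not code from the page author
or from any scanner. Thresholds, the Finding fields and the sample CVE
identifiers are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS v3.x base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation within 30 days, 0.0-1.0
    reachable: bool        # vulnerable function sits on a call path the service can hit
    fix_available: bool = True


# Policy thresholds (assumed): organisational choices, not scanner defaults.
CVSS_HIGH = 7.0            # >= 7.0 is High or Critical
EPSS_LIKELY = 0.10         # 10% thirty-day exploitation probability
ACCEPT_DAYS_UNREACHABLE = 30
ACCEPT_DAYS_NO_FIX = 7


def _decision(f: Finding, decision: str, reason: str, expires: Optional[date] = None) -> dict:
    return {"cve": f.cve, "decision": decision, "reason": reason, "expires": expires}


def triage(f: Finding, today: date = date(2025, 1, 1)) -> dict:
    """Map one finding to block / allow-with-evidence / accept-with-expiry."""
    severe = f.cvss >= CVSS_HIGH
    likely = f.epss >= EPSS_LIKELY

    if severe and likely and f.reachable and f.fix_available:
        # All three risk signals agree and an upgrade exists: the gate fails.
        return _decision(f, "block", "severe, likely exploited, reachable, fix available")
    if severe and likely and f.reachable:
        # Same risk but nothing to upgrade to: accept for a short window so the
        # exception is re-examined instead of silently becoming permanent.
        return _decision(f, "accept-with-expiry", "no upstream fix yet; compensating control required",
                         today + timedelta(days=ACCEPT_DAYS_NO_FIX))
    if severe and not f.reachable:
        # High CVSS in code the service never calls: time-boxed acceptance.
        return _decision(f, "accept-with-expiry", "vulnerable code path not reachable",
                         today + timedelta(days=ACCEPT_DAYS_UNREACHABLE))
    # Everything else ships, but the scan record travels with the release.
    return _decision(f, "allow-with-evidence", "below block threshold; scan evidence attached")


def gate(findings: list, today: date = date(2025, 1, 1)) -> dict:
    """Evaluate a build's findings; the gate passes only if nothing is blocked."""
    decisions = [triage(f, today) for f in findings]
    blocked = [d["cve"] for d in decisions if d["decision"] == "block"]
    return {"passes": not blocked, "blocked": blocked, "decisions": decisions}


# Constructed sample findings (identifiers and scores are made up for the example).
SAMPLE_FINDINGS = [
    Finding("CVE-2099-0001", cvss=9.8, epss=0.92, reachable=True),
    Finding("CVE-2099-0002", cvss=9.8, epss=0.92, reachable=True, fix_available=False),
    Finding("CVE-2099-0003", cvss=9.1, epss=0.02, reachable=False),
    Finding("CVE-2099-0004", cvss=7.5, epss=0.01, reachable=True),
    Finding("CVE-2099-0005", cvss=4.3, epss=0.60, reachable=True),
]

if __name__ == "__main__":
    result = gate(SAMPLE_FINDINGS)
    for d in result["decisions"]:
        print(f"{d['cve']}: {d['decision']:<20} {d['reason']} (expires {d['expires']})")
    print("gate passes:", result["passes"])
```

Run it directly to see the per-finding decisions. The gate fails only when a finding is blocked, so a Critical in unreachable code becomes a time-boxed acceptance rather than a broken build, and a Critical with no fix yet gets a seven-day clock rather than an open-ended exception.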

03

Work Experience

Real impact. Real pipelines. Real production ownership.

ZEE Entertainment Enterprises Ltd

Information Security Analyst

AppSec + DevSecOps · Jun 2023 – Present · Bengaluru, India

Scope: 350+ microservices · Tools: Semgrep · CodeQL · Snyk · Trivy · Prisma Cloud · OWASP ZAP · Burp Suite · Cosign · Sigstore · Syft · CycloneDX · Kyverno · OPA Gatekeeper · Falco · Checkov · Kubesec · Gitleaks · TruffleHog · GitHub Actions · ArgoCD · Terraform · Helm · GKE · GCP IAM · HashiCorp Vault · Frameworks: SLSA L2 · SBOM · CIS Benchmark · OWASP ASVS · STRIDE · MITRE ATT&CK
Scope: Security engineering across cloud-native delivery for 350+ microservices from code → pipeline → registry → Kubernetes runtime.
⚙️

CI/CD Security Control Plane

  • Architected a deterministic CI/CD Security Control Plane across 350+ microservices, as measured by 100% pipeline gate enforcement, by designing a 7-stage security workflow: code governance → SAST/SCA → container scan → SBOM → signing → admission → runtime monitoring.
  • Eliminated main-branch bypass risk to 0 unauthorized merges by implementing PR-only merge governance with CODEOWNERS, branch protection rules, required status checks, and signed commit enforcement across the GitHub Enterprise org.
  • Reduced high-risk dependency exposure by 89% as measured by scan-to-fix SLA tracking, by deploying multi-language SAST (Semgrep, CodeQL) + SCA (Snyk, Trivy) for Maven/Gradle/Node with policy thresholds blocking Critical/High CVEs at build time.
  • Prevented 47 credential leaks in the first quarter by implementing organization-wide GitHub secret scanning with custom regex patterns for OAuth tokens, cloud keys, Azure Storage credentials, and internal API secrets with push protection enabled.
  • Reduced scanner trust failures by cross-validating container vulnerabilities through a dual-scan pipeline: Prisma Cloud (twistcli) + Trivy, with automated CVSS + EPSS triage so the gate fails only on findings that are both severe and likely to be exploited, rather than on every Critical/High.
  • Achieved IaC security coverage for all Terraform plans and K8s manifests by integrating Checkov + Kubesec scanning to prevent insecure cloud misconfigurations and unsafe pod specs from reaching any runtime environment.
  • Automated post-deploy DAST validation by building OWASP ZAP integration with kubectl dynamic URL extraction, covering auth bypass, injection, IDOR, and header security across all live service endpoints.
  • Improved release visibility and audit trail quality by building Slack telemetry integration posting commit SHA, build actor, image digest, scan status, and approval chain for every production deployment.
  • Standardized CI security gates through reusable GitHub Actions workflow templates — adopted by 15+ engineering teams, reducing per-team pipeline setup from 2 weeks to under 1 hour.
  • Built custom CI dashboard tracking pipeline pass rates, scan failure trends, mean-time-to-remediate, and gate bypass attempts across the entire org — reviewed weekly by security leadership.
📦

Supply Chain Security + SBOM

  • Implemented end-to-end supply chain integrity achieving SLSA Level 2 compliance, by building hermetic build pipelines with provenance generation, verified source integrity, and cryptographic attestation for every artifact.
  • Eliminated deployment drift across all environments by enforcing immutable versioning — replaced all mutable :latest tags with SHA256 digest pinning across Helm charts and K8s manifests.
  • Built audit-ready evidence model linking scan results + human approvals + image digest tracking = attestation-ready delivery chain, as measured by passing 2 consecutive external security audits with zero findings.
  • Achieved full artifact traceability: commit SHA → build ID → image digest → SBOM hash → deployment record across all environments with cryptographic verification at each stage.
  • Blocked 100% of unsigned or unapproved images from reaching production by configuring promotion gates that verify images exist in approved registry paths before allowing deployment.
  • Generated SBOM for every container image using Syft with CycloneDX/SPDX output — covering all OS packages, language dependencies, and transitive dependencies with license metadata.
  • Deployed Cosign image signing with Sigstore keyless flow — OIDC identity-bound signatures with no long-lived private keys, enabling cryptographic provenance verification at admission time.
  • Automated PR-level dependency review: license compliance checking + vulnerability delta analysis + breaking change detection before merge — reduced post-merge security surprises by 95%.
  • Built controlled artifact promotion workflow: QA promotes exact scanned image to UAT/Prod (no rebuild) — the same bits that passed security gates are the same bits running in production.
  • Implemented Cosign attestation layers attaching signed SBOM + scan output as OCI artifacts — enabling downstream verification without re-scanning at admission control.

Kubernetes Runtime Guardrails

  • Achieved 100% CIS Kubernetes Benchmark (v1.5.1) compliance across all production GKE clusters, as measured by automated kube-bench scans, by hardening API server flags, kubelet configs, etcd encryption, and RBAC policies.
  • Reached 93% coverage of the OWASP Top 10 (2021 edition) categories across the application security scope, as measured by OWASP ZAP plus manual assessment, covering injection, broken authentication, SSRF, and security misconfiguration.
  • Reduced risky workload configurations to zero by running kubeaudit at scale for automated detection of privileged containers, host namespace access, missing security contexts, and capabilities across all namespaces.
  • Enforced Pod Security Standards (Restricted profile) cluster-wide via Kyverno: non-root execution, read-only root filesystem, dropped ALL capabilities, seccomp profile enforcement — zero exceptions in production.
  • Prevented lateral movement across microservices by implementing default-deny NetworkPolicy for ingress and egress with explicit per-service allowlists — verified by automated connectivity matrix tests.
  • Deployed Falco runtime threat detection with custom rules for container escape attempts, crypto-mining patterns, reverse shell spawns, unexpected binary execution, and sensitive file access across all nodes.
  • Built 45+ Kyverno admission policies enforcing image registry whitelisting, label standards, resource quota compliance, service account restrictions, and annotation requirements.
  • Implemented OPA Gatekeeper constraints for cluster-wide governance: preventing privileged pods, enforcing resource limits, blocking hostPath mounts, and requiring liveness/readiness probes.
  • Designed namespace isolation architecture for multi-tenant clusters: ResourceQuotas, LimitRanges, dedicated service accounts, and RBAC bindings per team — eliminating cross-team resource interference.
  • Automated CIS benchmark drift detection with scheduled scans and Slack alerts when any cluster falls below 100% compliance — mean time to remediate: under 4 hours.
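The Pod-level checks described above (privileged containers, host namespaces, hostPath, missing security contexts, capabilities, seccomp) as an added example that re-implements the Pod Security Standards restricted-profile subset in Python; it is neither kubeaudit nor the author's Kyverno policies, and the two sample Pods are constructed. It takes the manifest as a parsed dict, so the output of yaml.safe_load on any Pod spec can be fed to it.

```python
"""Pod Security 'restricted' checks over a Pod manifest parsed into a dict.

Added example, not the page author's Kyverno policies or kubeaudit itself: it
re-implements the checks the bullets above describe. Sample Pods are constructed.
"""

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}        # the only capability restricted permits adding
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def pod_violations(pod: dict) -> list:
    """Return human-readable violations of the restricted profile (empty = compliant)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    found = []

    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            found.append(f"spec.{key} must be false")
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            found.append(f"volume '{vol.get('name')}' mounts hostPath")

    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        # A container-level setting overrides the pod-level one, so consult both.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if sc.get("readOnlyRootFilesystem") is not True:
            found.append(f"{name}: readOnlyRootFilesystem must be true")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            found.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
        if extra:
            found.append(f"{name}: capabilities.add not permitted: {sorted(extra)}")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found


# Constructed sample manifests.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell",
            "image": "docker.io/library/busybox:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "payments-api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            "image": "asia-south1-docker.pkg.dev/example-prod/approved/payments-api@sha256:" + "ab12" * 16,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], "->", pod_violations(pod) or "compliant")
```

The same predicates are what a Kyverno validate rule or an OPA Gatekeeper constraint encodes at admission; running them as a linter in CI catches the manifest before it ever reaches the API server, which is where the "zero exceptions in production" claim is cheapest to keep true.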
🔐

AppSec + Secrets + Cloud Governance

  • Conducted 20+ web application, API, and mobile penetration tests across ZEE's product surface, identifying auth bypass, IDOR, SSRF, and injection vulnerabilities with detailed remediation playbooks — 100% of critical findings resolved within SLA.
  • Led incident response for hardcoded credential discovery: Azure Storage Account keys + OAuth tokens found in source control — coordinated secret rotation across 12 services with zero production impact, zero downtime.
  • Implemented OWASP ASVS Level 2 assessment framework for critical applications, establishing baseline security requirements and continuous verification across authentication, session management, and input validation controls.
  • Deployed multi-layer secrets detection pipeline: Gitleaks pre-commit hooks + TruffleHog CI scanning + historical repository audit — scanned 500+ repos, identified and rotated 200+ stale credentials.
  • Built CIS-compliant Golden Image pipeline for automated Linux base images with OS hardening, package minimization, and vulnerability patching — adopted as standard base for all containerized workloads.
  • Designed GCP migration security architecture: IAM principle-of-least-privilege design, VPC Service Controls perimeter for data exfiltration prevention, organization policy constraints, and conditional access enforcement.
  • Hardened GitHub Enterprise organization with SSO, enforced 2FA, IP allowlisting, audit log streaming to SIEM, custom security policies, and automated compliance reporting.
  • Implemented Vault integration architecture for dynamic secret injection — eliminating static credentials in K8s workloads with automatic rotation and lease-based expiry.
  • Ran quarterly threat modeling sessions with engineering teams using STRIDE framework for critical microservices, producing threat matrices and control recommendations actioned in sprint planning.
  • Authored secure coding guidelines and conducted internal security awareness workshops for 50+ developers — measured impact through 35% reduction in SAST findings per sprint.
🏛️

GitHub Enterprise & SCM Governance

  • Designed org-wide GitHub Enterprise security architecture for 200+ repositories: SSO integration, enforced 2FA, IP allowlisting, and granular permission tiers, removing every non-SSO or 2FA-less access path to the org.
  • Implemented branch protection governance: required reviews, signed commits, linear history, status check gates, CODEOWNERS enforcement — eliminating all unreviewed code paths to production branches.
  • Deployed repository ruleset governance: prevented force-push, branch deletion, tag manipulation, and admin bypass — creating immutable audit trail for all code changes.
  • Built real-time SCM monitoring by streaming GitHub audit logs to SIEM for org membership changes, repository access modifications, permission escalations, and deployment events.
  • Enabled GitHub Advanced Security suite: CodeQL SAST with custom queries, Dependabot alerts with auto-merge for patch versions, secret scanning with push protection — covering all active repositories.
  • Developed custom webhook integrations for deployment tracking, PR metrics dashboards, stale branch cleanup, license compliance checks, and release telemetry — improving engineering visibility.
  • Hardened self-hosted GitHub Actions runners: ephemeral container-based execution, automatic cleanup, isolated network zones, credential-free OIDC authentication to cloud resources.
  • Established inner source contribution model: cross-team PR workflows, shared security libraries, reusable workflow templates — accelerating security tooling adoption across 15+ teams.
  • Automated repository hygiene: stale branch cleanup bots, README enforcement, SECURITY.md templates, and automated repository archival policies — maintaining org-wide code health.
  • Created GitHub security scorecard tracking per-repo health: branch protection score, dependency freshness, secret scan status, CODEOWNERS coverage — reviewed monthly by engineering leadership.
📊

Security Monitoring & Incident Response

  • Built security metrics dashboards tracking vulnerability SLA compliance, mean-time-to-remediate (MTTR), scan coverage heatmaps, and gate effectiveness — reported weekly to CISO and engineering leadership.
  • Designed alert triaging pipeline: automated severity classification using CVSS + EPSS + asset criticality → Slack routing → Jira ticket creation with auto-assigned owners and SLA timers.
  • Authored incident response playbooks for 8 critical scenarios: container escape, secret leak, supply chain compromise, unauthorized access, ransomware, DDoS, data exfiltration, and insider threat.
  • Architected log aggregation pipeline: structured logging from CI pipelines, Kubernetes audit logs, application events, and cloud audit trails → centralized SIEM with 90-day retention and real-time correlation.
  • Automated weekly vulnerability reports to engineering leads with actionable remediation guidance, SLA status, dependency upgrade paths, and risk assessment — reducing MTTR from 14 days to 3 days.
  • Established security KPI framework: MTTR, scan pass rate, dependency freshness score, patch coverage, mean-time-to-detect — with automated dashboards and trend analysis for continuous improvement.
  • Led threat modeling sessions using STRIDE + DREAD for critical microservices, producing threat matrices, attack trees, and control recommendations integrated into sprint backlogs.
  • Implemented blameless post-incident review process: timeline reconstruction, root cause analysis, control gap identification, and action item tracking — zero repeat incidents from analyzed events.
  • Built compliance evidence automation for SOC 2 Type II audit readiness: continuous control monitoring, evidence collection, gap analysis, and remediation tracking — reducing audit prep time by 60%.
  • Deployed anomaly detection rules correlating GitHub audit + GCP audit + Falco alerts + CI pipeline events — surfacing supply chain attack patterns and privilege escalation attempts in real-time.
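Detection-as-code for the runtime rules listed earlier (reverse shells, crypto-mining, container escape, unexpected binaries, sensitive file access), as an added example: not the author's Falco rules, but the same predicates written in Python over a flat event schema that simplifies Falco's syscall fields, with each rule mapped to one of the response playbooks named above. The per-image process allowlist, the rule-to-playbook mapping and the sample events are constructed.

```python
"""Falco-style runtime detection rules evaluated over process and file events.

Added example for the detection-as-code approach described above; these are not
the page author's Falco rules. The flat event schema, the per-image process
allowlist, the playbook mapping and the sample events are constructed.
"""
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
MINER_PROCS = {"xmrig", "minerd", "cpuminer", "xmr-stak"}
SENSITIVE_FILES = {
    "/etc/shadow", "/etc/sudoers", "/root/.ssh/id_rsa",
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
}
# Assumed per-image allowlist; in practice derived from the image entrypoint/SBOM.
EXPECTED_PROCS = {"payments-api": {"java"}, "web": {"nginx"}}


def _targets_pid1(cmdline: str) -> bool:
    """True if an nsenter command line targets PID 1 (-t 1 / --target 1), not e.g. PID 10."""
    toks = cmdline.split()
    for i, t in enumerate(toks):
        if t in ("-t", "--target") and i + 1 < len(toks) and toks[i + 1] == "1":
            return True
        if t in ("-t1", "--target=1"):
            return True
    return False


def reverse_shell(e: dict) -> bool:
    # A shell whose stdin or stdout is a socket is the classic reverse-shell shape.
    return e["type"] == "exec" and e["proc"] in SHELLS and "socket" in (e.get("stdin"), e.get("stdout"))


def crypto_miner(e: dict) -> bool:
    return e["type"] == "exec" and (e["proc"] in MINER_PROCS or "stratum+tcp://" in e.get("cmdline", ""))


def container_escape(e: dict) -> bool:
    if e["type"] == "exec" and e["proc"] == "nsenter" and _targets_pid1(e.get("cmdline", "")):
        return True                                   # entering PID 1's namespaces from a container
    if e["type"] == "open" and e.get("path") in ("/var/run/docker.sock", "/proc/1/root"):
        return True                                   # runtime socket or host root via /proc
    return False


def sensitive_file_read(e: dict) -> bool:
    return e["type"] == "open" and e.get("path") in SENSITIVE_FILES


def unexpected_binary(e: dict) -> bool:
    expected = EXPECTED_PROCS.get(e.get("image"))
    return e["type"] == "exec" and expected is not None and e["proc"] not in expected


# Ordered by severity; the first matching rule wins so one event yields one alert.
RULES = [
    ("container_escape_attempt", container_escape, "container-escape"),
    ("reverse_shell_in_container", reverse_shell, "unauthorized-access"),
    ("crypto_mining_pattern", crypto_miner, "unauthorized-access"),
    ("sensitive_file_access", sensitive_file_read, "data-exfiltration"),
    ("unexpected_binary_exec", unexpected_binary, "supply-chain-compromise"),
]


def evaluate(events: list) -> list:
    """Return one alert per matching event, each carrying the playbook to open."""
    alerts = []
    for e in events:
        for rule, predicate, playbook in RULES:
            if predicate(e):
                alerts.append({"rule": rule, "playbook": playbook,
                               "container": e.get("container"), "proc": e["proc"],
                               "cmdline": e.get("cmdline", "")})
                break
    return alerts


# Constructed sample events (not captured from any real cluster).
SAMPLE_EVENTS = [
    {"type": "exec", "container": "payments-api-7d9f", "image": "payments-api", "proc": "java",
     "cmdline": "java -jar app.jar"},
    {"type": "exec", "container": "payments-api-7d9f", "image": "payments-api", "proc": "bash",
     "cmdline": "bash -i", "stdin": "socket", "stdout": "socket"},
    {"type": "exec", "container": "web-5c1a", "image": "web", "proc": "xmrig",
     "cmdline": "xmrig -o stratum+tcp://pool.example:3333"},
    {"type": "exec", "container": "debug-shell", "image": "busybox", "proc": "nsenter",
     "cmdline": "nsenter -t 1 -m -u -i -n sh"},
    {"type": "open", "container": "web-5c1a", "image": "web", "proc": "cat",
     "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"type": "exec", "container": "web-5c1a", "image": "web", "proc": "curl",
     "cmdline": "curl -s http://169.254.169.254/"},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['rule']:<28} container={a['container']} proc={a['proc']} -> playbook {a['playbook']}")
```

The first-match ordering is deliberate: an nsenter into PID 1 would also fail the per-image allowlist, and emitting both alerts for one event is the "log noise with extra steps" the detection-as-code principle warns against.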
350+ microservices secured · 100% CIS K8s Benchmark · 0 production breaches · 93% OWASP Top 10 · 45+ Kyverno policies · 200+ credentials rotated · 500+ repos scanned · 3d MTTR (was 14d) · 15+ teams onboarded · 24/7 runtime monitoring
04

Education

Academic depth across secure software systems, electronics engineering, and the school foundation that shaped the discipline, consistency, and problem-solving style behind the work.

Academic arc

From school rank-holder to working professional in cybersecurity

The education story is not just a list of institutions. It shows a steady move from strong science-and-maths fundamentals to engineering systems thinking and now advanced secure software systems at BITS Pilani while continuing full-time security engineering work.

2015 → Present Continuous academic and engineering growth
WILP + full-time role Theory continuously applied in production
School rank-holder Consistency long before the DevSecOps era
What this adds to the role
  • Secure software engineering and cybersecurity specialization layered on top of systems engineering fundamentals.
  • Strong grounding in networking, signal processing, embedded systems, and applied problem solving.
  • Formal coursework continuously translated into GitHub projects, cloud security implementations, and enterprise DevSecOps delivery.
  • Academic discipline that shows up in documentation quality, structured triage, and control design.
Learning flow

How the academic journey translates into security engineering capability

A capability map of how each stage of study feeds the security engineering work.

01

Science & Maths Foundation

Built analytical discipline, ranking first in school and developing strong quantitative comfort early.

Maths · Physics · Consistency
02

Systems Engineering

Expanded into networking, embedded systems, signal processing, and structured engineering problem solving.

ECE · Systems · Networks
03

Cybersecurity Specialization

Layered secure software systems, cloud-native security, IAM, and software assurance on top of the engineering base.

Cybersecurity · Secure SDLC · IAM
04

Production Security Delivery

Applied the full stack of learning in enterprise DevSecOps, cloud security, AppSec, and Kubernetes guardrails.

DevSecOps · Platform Security · AppSec

Journey

Career & Learning

From electronics engineering to enterprise security systems — the path matters.

2015 — 2018 School Foundation

High School & Intermediate · Science / PCM

Vashisth Vatsalya Public School

Built the earliest analytical base through strong science and mathematics performance, finishing as a top-ranked student and carrying that consistency into engineering education.

Mathematics · Physics · Discipline · Academic Consistency
2019 — 2023 Education

B.Tech · Electronics & Communication Engineering

Vellore Institute of Technology (VIT), Chennai

Engineering foundations; embedded systems, networking, signal processing, and problem-solving under production-like academic pressure. Built the analytical base that now drives security system design.

Systems Engineering · Networking · Embedded Systems
Jun 2023 — Present Current Role

Information Security Analyst

ZEE Entertainment Enterprises Ltd · Bengaluru, India

Built the end-to-end DevSecOps security control plane securing 350+ microservices. Achieved 100% CIS Kubernetes Benchmark compliance. 0 production security incidents. 2× ZeeOlympics Best Performer Award. Top Performance Rating 5-A (FY 2024–25).

DevSecOps · Kubernetes Security · SBOM · Supply Chain · AppSec · GCP
🥇 ZeeOlympics 2× Winner ⭐ Rating 5-A 🏆 GitHub Quiz Champion
2023 — 2025 Certifications

6 Professional Certifications Earned

CNCF · Google Cloud · HashiCorp

Systematically validated expertise across every layer of the cloud-native security stack — from infrastructure as code through Kubernetes runtime security to cloud governance.

CKS · Sep 2025
GCP-SEC · May 2025
GCP-PCA · Apr 2025
GCP-ACE · Apr 2025
CKA · Jan 2025
TF-ASC · Sep 2024
Jan 2026 — Dec 2028 Pursuing

M.Tech · Software Systems (Cybersecurity)

BITS Pilani (Work-Integrated Learning Programme)

Advanced postgraduate study in cybersecurity while continuing full-time engineering — secure software engineering, applied security architecture, cloud security. Theory meeting production reality.

Security Architecture · Secure SDLC · Cloud Security · IAM
● In progress
05

Open Source Projects

Real repositories. Real security engineering. Every repo has commits.

phoenix

Python

Intentionally vulnerable Flask application for the Kubernetes security lab. Demonstrates RCE chains, container escape paths, and host namespace attacks — purpose-built to be exploited and studied.

Problem: Kubernetes security labs need a realistic target that behaves like real attacker-facing workloads — not a trivial toy app.
Built: Flask app with 8 embedded vulnerabilities: RCE triggers, container breakout hooks, privilege escalation paths — all intentional.
Outcome: Powers all 10 k8s-security-lab modules. Provides realistic attack chains for studying container escape and K8s privilege escalation.
Public Repo · Lab companion
flask · vulnerable-app · RCE · container-escape

kyverno-policy-demo

YAML

Policy-as-code with Kyverno for Kubernetes admission control. Block privileged pods, enforce image registries, require labels, auto-mutate workloads — governance without manual review.

Problem: Manual security reviews don't scale to 350+ microservices — teams deploy inconsistently and enforcement gaps accumulate silently.
Built: 45+ Kyverno admission control policies: registry allowlisting, no-privilege enforcement, resource label compliance, auto-mutation of workloads.
Outcome: Zero privileged containers in production. 100% policy-compliant workloads. Governance runs without a single manual review bottleneck.
Public Repo · 45+ policies in production
kyverno · policy-as-code · admission-control · OPA

k8s-lab-deployments

Shell

Production-pattern Kubernetes manifests, ArgoCD GitOps app definitions, and cluster setup scripts powering the k8s-security-lab. Real-world deployment patterns and GitOps workflows.

Problem: Security labs need production-fidelity deployment infrastructure — not ad-hoc kubectl apply scripts that hide real GitOps complexity.
Built: Full ArgoCD GitOps setup with Helm charts, Kustomize overlays, and cluster bootstrap scripts matching real enterprise deployment patterns.
Outcome: Backs the k8s-security-lab end-to-end. Demonstrates real GitOps delivery — the same pattern running ZEE's 350+ service deployments.
Public Repo · Production-pattern
kubernetes · argocd · gitops · manifests

custom-secret-regex

Regex

Custom regex patterns detecting org-specific secrets in CI/CD pipelines. Azure storage keys, internal API tokens, custom service credentials — beyond what default scanners catch.

Problem: Default secret scanners miss company-specific credential formats — Azure storage keys, internal OAuth tokens, custom API secrets were leaking undetected.
Built: Custom Gitleaks + TruffleHog pattern library tuned to org-specific formats, integrated as CI gates and pre-commit hooks with push protection.
Outcome: 47 credential leaks blocked Q1 alone. 200+ stale secrets rotated across 500+ repos. Zero secret-related production incidents since deployment.
Public Repo · 47 leaks prevented Q1
secret-scanning · regex · CI/CD · supply-chain
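The custom-pattern scanning described in the CI/CD bullets and in this project card, as an added example that is not the repo's pattern library: a small rule set with an entropy filter and a push-protection decision, run over constructed sample lines. The Azure Storage account key shape (64 bytes base64, 86 characters plus '=='), the ghp_ GitHub classic token prefix and the AIza Google API key prefix are documented formats; the zint_ internal-token format and every sample value are made up for the example.

```python
"""Custom secret patterns with an entropy filter and a push-protection verdict.

Added example, not the page author's Gitleaks/TruffleHog configuration. The
zint_ token format is an assumed stand-in for an organisation-internal secret;
all sample values below are constructed and not real credentials.
"""
import math
import re
from collections import Counter

# Rule library. The first three match publicly documented formats; the last is assumed.
RULES = {
    "azure-storage-account-key": re.compile(r"AccountKey=(?P<secret>[A-Za-z0-9+/]{86}==)"),
    "github-pat": re.compile(r"(?P<secret>\bghp_[A-Za-z0-9]{36})"),
    "google-api-key": re.compile(r"(?P<secret>\bAIza[0-9A-Za-z_-]{35})"),
    "internal-api-token": re.compile(r"(?P<secret>\bzint_[0-9a-f]{32})"),
}
MIN_ENTROPY = 3.5   # bits per character; docs placeholders like 'kkkk...' fall well below this


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep enough to identify the match in a report without reproducing the secret."""
    return secret[:4] + "…" + secret[-2:]


def scan_lines(lines: list) -> list:
    """Run every rule over every line; drop low-entropy matches (samples, placeholders)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group("secret")
                if shannon_entropy(secret) < MIN_ENTROPY:
                    continue        # shape matches but the value is clearly not a live credential
                findings.append({"rule": rule, "line": lineno, "match": redact(secret)})
    return findings


def push_protected(lines: list) -> dict:
    """Pre-receive / pre-commit verdict: any surviving finding blocks the push."""
    findings = scan_lines(lines)
    return {"blocked": bool(findings), "findings": findings}


# Constructed sample content. The "keys" are synthetic strings of the right shape.
AZ_KEY = ("Qx7Lm2Zp9Vb4Rn8Tk1Wy5Hs3Jd6Fg0Cv" * 3)[:86] + "=="     # high entropy
AZ_PLACEHOLDER = "k" * 86 + "=="                                  # low entropy, doc sample
SAMPLE_LINES = [
    f'AZURE_CONN="DefaultEndpointsProtocol=https;AccountName=acct;AccountKey={AZ_KEY};EndpointSuffix=core.windows.net"',
    f'AZURE_CONN_EXAMPLE="AccountKey={AZ_PLACEHOLDER}"',
    "GITHUB_TOKEN=ghp_Ab3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5",
    'api_token = "zint_' + "0123456789abcdef" * 2 + '"',
    'log.info("user logged in")',
]

if __name__ == "__main__":
    verdict = push_protected(SAMPLE_LINES)
    for f in verdict["findings"]:
        print(f"line {f['line']}: {f['rule']} {f['match']}")
    print("push blocked:", verdict["blocked"])
```

The entropy filter is what keeps a rule like the Azure one usable: the same regex fires on the placeholder key in vendor documentation, and a push-protection hook that blocks on documentation samples is exactly the noise that erodes trust in the gate.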
Production Impact

Two years. Real numbers.

Every stat below comes from production delivery across platform security, DevSecOps guardrails, and day-to-day engineering support.

  • 350+ microservices secured end-to-end · code → pipeline → registry → K8s runtime → cloud
  • 100% CIS Kubernetes Benchmark · benchmark v1.5.1, all production clusters
  • 0 production security incidents · since the security control plane was deployed in 2023
  • 6 professional certifications · CKS · CKA · GCP-SEC · GCP-PCA · TF · ACE
  • 2× ZeeOlympics Best Performer · FY 2023–24 and FY 2024–25
  • 7 security gate stages · no bypass path exists in any stage
  • 93% OWASP Top 10 (2021) coverage · application security across the ZEE service portfolio
  • 59 public GitHub repositories · security labs, tools, real engineering
  • 700+ Medium claps across 10+ articles · 225 followers, security engineering writing
DevSecOps

Security Control Plane

Every commit flows through 7 hardened stages — no bypass path exists.

  • Code · PR governance: CODEOWNERS, branch protection, secret scan
  • Build · SAST + SCA: Semgrep, Snyk, IaC scan
  • Scan · CVE triage: Trivy, Prisma, EPSS
  • Sign · SBOM + Cosign: Cosign, Syft, Sigstore
  • Promote · gate verified: registry gate, digest verify
  • Deploy · Kyverno gates: Kyverno, ArgoCD, Helm
  • Monitor · Falco + DAST: Falco, OWASP ZAP, Slack

7 pipeline security stages · 0 bypass paths · 100% evidence model coverage · 350+ microservices gated
06

Technical Skills

Proficiency mapped to production usage, certifications, and engineering impact.

Security Engineering

DevSecOps Engineering95%
Kubernetes Security (CKS)92%
Supply Chain Security / SBOM90%
Application Security (AppSec)88%
Cloud Security (GCP/AWS/Azure)85%
Threat Modeling82%
Penetration Testing80%

Platform & Tooling

GitHub Actions / CI/CD95%
Kubernetes + Helm92%
Trivy / Prisma Cloud / Snyk90%
Docker / Containerisation90%
Terraform / IaC88%
Google Cloud Platform87%
Python / Bash / Shell78%

CI/CD & Scanning

GitHub Actions Trivy Snyk Semgrep OWASP ZAP Prisma Cloud kubeaudit

Supply Chain & K8s

Cosign Syft Sigstore Kubernetes Kyverno Falco ArgoCD Helm

Cloud & IaC

GCP AWS Azure Terraform IAM / RBAC VPC Service Controls

AppSec & Standards

Burp Suite SAST SCA DAST CIS Benchmarks MITRE ATT&CK OWASP Top 10
Arsenal

Tool Ecosystem — 30+ Security Tools in Production

Every tool earned through shipping real security solutions — not just certifications.

OSI Model

Security controls mapped to the 7 OSI layers

Controls listed by the layer they most closely touch; the mapping is a navigational aid, not a strict protocol boundary.

  • 7 Application · secured · ZAP, SAST, SCA
  • 6 Presentation · hardened · TLS 1.3, secrets
  • 5 Session · secured · OIDC, MFA
  • 4 Transport · hardened · mTLS, NetworkPolicy
  • 3 Network · monitored · VPC-SC, firewall
  • 2 Data Link · hardened · CIS K8s, CNI
  • 1 Physical · secured · GCP, golden images
07

Certifications

6 active professional certifications across Kubernetes, Google Cloud, and HashiCorp.

  • CKS · Certified Kubernetes Security Specialist · Cloud Native Computing Foundation · K8s Security, Runtime Sec, RBAC, Admission
  • CKA · Certified Kubernetes Administrator · Cloud Native Computing Foundation · Cluster Admin, Networking, Storage, RBAC
  • GCP-SEC · Google Cloud Professional Cloud Security Engineer · Google Cloud · Cloud IAM, VPC Security, Compliance
  • GCP-PCA · Google Cloud Professional Cloud Architect · Google Cloud · Architecture, GCP Design, Reliability
  • TF-ASC · HashiCorp Certified Terraform Associate · HashiCorp · Terraform, IaC, Provisioning
  • GCP-ACE · Google Cloud Associate Cloud Engineer · Google Cloud · GCP, Operations, Deployment

6 active certifications · 3 certifying bodies (CNCF, Google Cloud, HashiCorp) · 2 Kubernetes specialisations · all verifiable on Credly
08

Key Achievements

Numbers traceable to actual outcomes — not made up for a resume.

  • 100% · CIS Kubernetes Benchmark v1.5.1 · full compliance across all production Kubernetes clusters
  • 93% · OWASP Top 10 coverage · application security across ZEE's service portfolio
  • 0 · production security incidents · since implementing the security control plane across all 350+ services
  • 350+ · microservices secured end-to-end · CI/CD → container → K8s runtime, full supply chain coverage
  • 59 · public GitHub repositories · security labs, tools, and engineering projects, all public
  • 700+ · claps on Medium articles · 221 followers, 10+ published security engineering articles
  • CIS-hardened golden image pipeline · automated OS hardening pipeline, production-validated CIS compliance
  • Org-wide GitHub Enterprise security controls · org-level security, audit logging, SIEM detections, conditional access


59 public repositories · Security labs, CI/CD tooling, Kubernetes hardening guides

09

Writing

Security engineering explained through real-world examples and production experience.

10

Recognition

Real awards, peer recognition, and verified impact from two years of building security at scale.

ZeeOlympics Best Performer

Awarded across two consecutive years — FY 2023–24 and FY 2024–25 — the highest engineering recognition at ZEE Entertainment. Not a single-year fluke.

FY 2023–24FY 2024–252× Winner

Top Performance Rating — 5-A

Highest performance tier in FY 2024–25. Reflects delivery of the enterprise DevSecOps control plane, 100% CIS compliance, and zero security incidents across the production fleet.

FY 2024–25 · Top Rating

GitHub Tech After Dark — Quiz Winner

Won the technical quiz at GitHub's Tech After Dark event. Covered DevOps pipelines, security tooling, and cloud-native architecture — competed against engineers across the ecosystem.

GitHub Event · Quiz Champion

Production Impact — By the Numbers

Two years at ZEE. The work speaks through metrics that don't lie.

350+ Microservices secured end-to-end
100% CIS K8s Benchmark coverage
93% OWASP Top 10 compliance
0 Security incidents in production

Peer Recommendations

Genuine recommendations from colleagues I've shipped real work with — on LinkedIn, unfiltered. That's where the honest version lives.

View LinkedIn Profile ↗
11

What People Say

Feedback from engineers, leads, managers, QA, platform ops, and security peers on how I unblock releases, reduce noise, and make secure delivery easier.

All feedback is from colleagues and cross-functional partners at ZEE Entertainment. Names anonymised at colleagues' preference.

View LinkedIn Recommendations ↗
Live Interactive Demo

Secure CI/CD Pipeline — Every Step Enforced

Walk through a real supply-chain-secure pipeline. Each gate blocks the deploy until the security check passes. This is exactly how code ships in production at ZEE Entertainment.

  • Code Commit (GitHub)
  • SAST Scan (Semgrep)
  • SCA / Deps (Snyk)
  • Build Image (Docker)
  • Container Scan (Trivy)
  • SBOM Generate (Syft + Grype)
  • Sign Image (Cosign)
  • Kyverno Gate (Kyverno)
  • GitOps Deploy (Argo CD)
  • Runtime Watch (Falco)
10 total gates · ~4 min average pipeline time
Deep Dive

Case Study: Zero-Trust Supply Chain

The complete technical story of building supply chain integrity from nothing to production across 350+ microservices.

Phase 1

The Problem

Before: The Risk Landscape

  • No image signing — any image from any registry could be deployed to production
  • No SBOM generation — zero visibility into transitive dependencies and their vulnerabilities
  • Mutable tags: the :latest tag was used everywhere, so production could drift silently
  • No admission control — Kubernetes accepted any workload without verification
  • Manual security reviews — one security engineer reviewing 350+ services manually doesn't scale
Phase 2

The Architecture

BEFORE — No Controls
📝 Code Commit
🔄 Pipeline Run
⚠️ Direct Deploy — No Checks
🔓 Any Image · Any Registry
AFTER — Zero-Trust Supply Chain
📝 Code Commit + SAST/SCA
🔨 Container Build + Trivy Scan
📦 SBOM via Syft (CycloneDX)
✍️ Cosign Keyless Signing
🛡️ Kyverno Admission Gate (45+ policies)
🚀 Deploy by SHA256 Digest
👁️ Falco Runtime Detection

Every stage is automated and non-bypassable. No manual approval = no silent bypass path.

🔐

Cosign Keyless Signing

Every image signed with Sigstore keyless flow — OIDC identity-bound signatures. No long-lived keys to rotate. Identity verified at GitHub Actions OIDC provider level.

Cosign · Sigstore · OIDC · Fulcio
📦

SBOM-as-Attestation

Syft generates CycloneDX SBOM for every build. Attached as OCI attestation layer alongside the image — provenance travels with the artifact, not in a separate database.

Syft · CycloneDX · SPDX · OCI

Kyverno Admission Gate

45+ admission policies verify image signature + SBOM attestation before any pod is scheduled. Unsigned images = instant rejection. No exceptions. No escape hatch.

Kyverno · AdmissionReview · Policy-as-Code
🔍

Immutable Promotion

QA approves the exact scanned image (by SHA256 digest). Promotion to UAT/Prod re-uses the same bits — no rebuild. What you scanned is what you run.

SHA256 · Digest Pinning · Registry Gate
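As an added example (not the page's own policy or ZEE's configuration), here is a Kyverno ClusterPolicy that implements the Phase 2 gate just described: it accepts only images carrying a keyless Cosign signature from a GitHub Actions OIDC identity, requires a CycloneDX SBOM attestation signed by the same identity, and rewrites tag references to digests so what was scanned is what runs. The registry prefix ghcr.io/example-org, the GitHub organisation, and the exempted namespace are assumptions.

```yaml
# Added example: admission gate for signed, SBOM-attested images.
# Assumptions (not from the original page): images live under
# ghcr.io/example-org and are built by workflows in github.com/example-org.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-signed-sbom-attested-images
spec:
  validationFailureAction: Enforce   # reject the pod, do not merely audit
  background: false                  # evaluate at admission time only
  webhookTimeoutSeconds: 30
  failurePolicy: Fail                # registry or Rekor unreachable => deny, never fail open
  rules:
    - name: keyless-signature-and-cyclonedx-sbom
      match:
        any:
          - resources:
              kinds:
                - Pod
      # Exemptions are explicit and reviewable here, not granted by a
      # namespace label that any namespace admin could add.
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
          required: true          # an image with no matching signature is rejected
          mutateDigest: true      # rewrite :tag references to @sha256:... in the pod spec
          verifyDigest: true      # the digest must match the one that was signed
          attestors:
            - count: 1
              entries:
                - keyless:
                    # Identity-bound signature: certificate issued by Fulcio for
                    # a GitHub Actions OIDC token from this organisation.
                    issuer: "https://token.actions.githubusercontent.com"
                    subject: "https://github.com/example-org/*"
                    rekor:
                      url: https://rekor.sigstore.dev
          attestations:
            # The SBOM must be present as an in-toto attestation with the
            # CycloneDX predicate type, signed by the same workflow identity.
            - type: https://cyclonedx.org/bom
              attestors:
                - entries:
                    - keyless:
                        issuer: "https://token.actions.githubusercontent.com"
                        subject: "https://github.com/example-org/*"
                        rekor:
                          url: https://rekor.sigstore.dev
              # Conditions are evaluated against the predicate (the SBOM body).
              conditions:
                - all:
                    - key: "{{ bomFormat }}"
                      operator: Equals
                      value: "CycloneDX"
                    - key: "{{ length(components) }}"
                      operator: GreaterThan
                      value: 0      # an empty SBOM is not a dependency manifest
```

Applying the same policy with validationFailureAction set to Audit first shows which running workloads would be rejected, which is the usual way to roll a gate like this out across a fleet without an outage.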
Phase 3

The Results

100%
Image Signing Coverage

Every production image cryptographically signed. Zero unsigned images have ever reached a production cluster.

SLSA L2
Supply Chain Compliance

Hermetic builds with provenance generation, verified source integrity, and cryptographic attestation at every stage.

0
Supply Chain Incidents

Zero supply chain security incidents since deployment. Cryptographic verification prevents all known supply chain attack vectors.

2
Audits Passed — Zero Findings

Two consecutive external security audits passed with zero supply chain findings. Evidence model fully audit-ready.

💡

The Takeaway

Supply chain security isn't a tool — it's an architecture. You don't bolt signing onto a pipeline. You design a system where unsigned, unapproved, or unverified artifacts structurally cannot reach production. That's the difference between security theater and security engineering.

Frameworks

Security Framework Expertise

Deep hands-on experience with industry-standard security frameworks — not just awareness, real implementation.

🔒

OWASP

Open Web Application Security Project

Expert
  • OWASP Top 10 (2021/2022) — 93% compliance achieved across ZEE's service portfolio
  • OWASP ASVS Level 2 — Implemented assessment framework for critical applications
  • OWASP ZAP — Automated DAST in CI/CD with kubectl URL discovery
  • OWASP SAMM — Security maturity model mapped to engineering processes
🏛️

CIS Benchmarks

Center for Internet Security

Expert
  • CIS Kubernetes Benchmark v1.5.1 — 100% compliance across all production clusters
  • CIS Linux — Golden Image pipeline with automated CIS hardening
  • CIS Docker — Container runtime hardening and image minimization
  • CIS GCP — Cloud infrastructure benchmarks for GKE and compute resources
🎯

MITRE ATT&CK

The ATT&CK Framework

Advanced
  • Container ATT&CK Matrix — Falco rules mapped to MITRE techniques
  • Threat Detection — Runtime rules for container escape, crypto-mining, reverse shells
  • Attack Tree Modeling — Threat models with MITRE-mapped attack paths
  • Detection Engineering — Correlation rules mapping alerts to ATT&CK tactics
📋

NIST CSF

Cybersecurity Framework

Advanced
  • Identify — Asset inventory via SBOM, dependency mapping across 350+ services
  • Protect — Admission control, image signing, network segmentation, encryption at rest/transit
  • Detect — Falco runtime detection, SIEM correlation, anomaly detection rules
  • Respond — Incident response playbooks for 8 critical scenarios
📊

SLSA

Supply-chain Levels for Software Artifacts

Expert
  • SLSA Level 2 — Achieved across all production pipelines
  • Hermetic Builds — Isolated build environments with provenance generation
  • Verified Source — Signed commits, branch protection, CODEOWNERS enforcement
  • Provenance — Cryptographic attestation linking build → image → deployment
🔍

SOC 2 Type II

Service Organization Controls

Advanced
  • Continuous Control Monitoring — Automated evidence collection for SOC 2 readiness
  • Trust Service Criteria — Security, Availability, Confidentiality controls mapped
  • Audit Evidence — Reduced audit prep time by 60% through automation
  • Gap Analysis — Continuous gap identification and remediation tracking

Threat Modeling Methodology: STRIDE + DREAD

Quarterly threat modeling sessions for critical microservices — producing actionable threat matrices, not theoretical diagrams.

S · Spoofing: OIDC · mTLS · Sigstore
T · Tampering: Image Signing · Admission
R · Repudiation: Audit Logs · SIEM · Evidence
I · Info Disclosure: Encryption · VPC-SC · IAM
D · Denial of Service: Rate Limit · ResourceQuota
E · Elevation: RBAC · PSS · Non-root
The Pitch

Why Hire Anshumaan?

A concise summary of the outcomes, scope, and execution style I would bring to your security engineering team.

I build security systems that reduce risk without slowing delivery.

My focus is on scalable controls, measurable outcomes, and strong engineering collaboration. In my current role, this approach helped secure 350+ microservices while maintaining 0 production security incidents and improving remediation speed.

2+ Years building production security at enterprise scale
350+ Microservices secured end-to-end, from code to runtime
0 Production security incidents since control plane deployed

Five Reasons Teams Hire Me

01

Hands-on Security Builder

I design and implement controls end to end: pipelines, policy-as-code, admission gates, and runtime guardrails—not just recommendations.

02

Scalable Platform Mindset

Instead of one-off reviews, I build reusable platform controls that scale across services and reduce long-term operational load.

03

Broad Technical Depth

CKS, CKA, GCP Security Engineer, GCP Architect, Terraform, and ACE—backed by production work across CI/CD, Kubernetes, cloud governance, and AppSec.

04

Risk-Prioritized Decisions

I prioritize using CVSS + EPSS + reachability context so teams focus on exploitable risk, reduce false positives, and remediate faster.

05

Outcome-Oriented Delivery

Results include 100% CIS Kubernetes Benchmark compliance, 93% OWASP coverage, SLSA L2 practices, and 0 production security incidents.

Strong Fit for Roles Such As

🛡️

A Security Engineer

Who builds infrastructure-level security controls, not just runs scans. I treat security like SREs treat reliability — as a system property that's designed, measured, and continuously verified.

⚙️

A DevSecOps Architect

Who can design and ship a zero-bypass CI/CD security pipeline from scratch. SAST → SCA → Container Scan → SBOM → Signing → Admission → Runtime — the complete chain.

☁️

A Cloud Security Engineer

With GCP Professional Security + Architecture certifications and hands-on production experience with VPC Service Controls, IAM deny policies, org constraints, and workload identity.

A Kubernetes Security Specialist

CKS + CKA certified. 100% CIS Benchmark. Kyverno policies. Falco runtime detection. Admission control. Network policies. Pod Security Standards. Namespace isolation. The works.

📋

An AppSec Engineer

Who's done 20+ pen tests, built SAST/DAST automation into CI/CD, implemented OWASP ASVS L2 assessments, and reduced MTTR from 14 days to 3 days through actionable reporting.

🔗

A Supply Chain Security Expert

Cosign signing, SBOM generation, Sigstore verification, Kyverno admission gates, digest pinning, SLSA L2 — built the complete supply chain integrity pipeline from zero to production.

Beyond Code

Leadership & Soft Skills

Technical excellence matters. But shipping security at scale requires more than just code.

🎤

Technical Communication

Authored secure coding guidelines adopted by 50+ developers. Run internal security workshops. Write technical articles with 750+ claps on Medium. Translate complex security concepts into engineering-friendly language.

10+ published articles 225 Medium followers 50+ developers trained
🤝

Cross-Team Collaboration

Built reusable GitHub Actions security templates adopted by 15+ engineering teams. Run quarterly threat modeling sessions. Security champion program enablement. Zero friction — because the secure path is the easy path.

15+ teams onboarded Quarterly STRIDE sessions Reusable templates
📊

Stakeholder Communication

Weekly security metrics dashboards reviewed by CISO and engineering leadership. Blameless post-incident reviews. Compliance evidence packaging for SOC 2 audits. Translate security risk into business impact.

Weekly CISO reports 2× audit success Risk → business translation
🧠

Continuous Learning

Pursuing M.Tech (Cybersecurity) at BITS Pilani while working full-time. 6 professional certifications earned in 2 years. Active in CNCF security community. Nullcon attendee. GitHub Tech After Dark quiz champion.

M.Tech in progress 6 certs in 2 years Nullcon · GitHub events

Bias for Action

When hardcoded Azure Storage keys were found in source control, I led the incident response: coordinated rotation across 12 services, zero production impact, zero downtime. Speed + precision under pressure.

12-service rotation Zero downtime Same-day resolution
📝

Documentation & Knowledge Sharing

Authored 8 incident response playbooks. Created security onboarding guides for new engineers. Internal wiki with runbooks for every security tool. Knowledge that outlives the individual.

8 IR playbooks Security wiki author Onboarding guides
Transformation

Before DevSecOps → After: The Stack That Changed

What the security posture looked like before Anshumaan joined, and what changed after 18 months of systematic improvement.

❌ Before — Manual & Reactive
✅ After — Automated & Proactive

❌ Manual base image audit (quarterly)
   Engineers manually checked Dockerfiles once per quarter. No automated tracking.
✅ Trivy + Snyk — every pipeline run
   CVE scan on every commit and nightly full fleet scan. 1200+ vulns closed in 2024.

❌ No SAST — code review only
   Security review depended on individual reviewer knowledge. Inconsistent.
✅ Semgrep — 847 rules, PR gate
   SAST runs on every PR. Custom OWASP ruleset catches injection, XXE, path traversal automatically.

❌ Secrets in K8s env vars
   Static secrets stored in K8s Secrets (base64 — effectively plaintext). No rotation.
✅ HashiCorp Vault — dynamic secrets
   Vault Agent Injector + Kubernetes Auth. Dynamic short-lived creds. Automatic rotation. Zero static keys.

❌ Any image from any registry
   No admission policy. Public images could be deployed with no provenance checks.
✅ Cosign + Kyverno — signed-only deploy
   Every image must carry a Cosign signature and SBOM attestation. Kyverno blocks unsigned images at admission.

❌ No K8s admission control
   Privileged pods, missing resource limits, root containers all running in prod.
✅ Kyverno — 50+ ClusterPolicy rules
   Non-root, resource limits, no privileged, no hostNetwork — all enforced by admission webhook. Policy violations blocked before deploy.

❌ No runtime security monitoring
   No visibility into container runtime behavior. Attacks would go undetected.
✅ Falco — syscall monitoring
   Custom Falco rules alert on shell-in-container, privilege escalation, unexpected outbound traffic in real time.

❌ Click-ops infra provisioning
   GCP resources provisioned via Console. No audit trail, no drift detection.
✅ Terraform — GitOps IaC
   All GCP infra code-reviewed and applied via CI. Drift detection in nightly plan runs. Full audit history in Git.

❌ No SBOM — unknown dependencies
   No software bill of materials. Impossible to assess supply chain blast radius.
✅ Syft — SBOM on every image
   CycloneDX + SPDX SBOM attached as Cosign attestation. Every production image has a verifiable dependency manifest.
Architecture

Zero-Trust Security Architecture — Production

Six-layer security model protecting 350+ microservices. Every arrow is an enforced control, not a diagram flourish.

Layer 1: Source & SCM (Developer workflow)
  • GitHub: Signed commits + CODEOWNERS
  • Pre-commit: Secret & lint gates
  • GH Actions: OIDC + pinned SHAs
Layer 2: CI Security Gates (Every commit scanned)
  • Semgrep SAST: 847 rules
  • Snyk SCA: Dep + container
  • Trivy Scan: OS + libs
  • Cosign Sign: SBOM + Rekor log
Layer 3: Artifact Registry (Signed + scanned images)
  • Artifact Registry: VPC-SC perimeter
  • Binary Auth: GCP attestation policy
Layer 4: Kubernetes Admission (Policy-as-code gates)
  • Kyverno: 50+ policies
  • Cilium: eBPF net policy
  • GCP Workload ID: No static keys
  • Vault Agent: Dynamic secrets
Layer 5: Runtime Detection (Kernel-level visibility)
  • Falco: Syscall anomaly detection
  • Elastic SIEM: Alert correlation
  • PagerDuty / Slack: Alerting + IR
Layer 6: Observability (Full-stack metrics)
  • Prometheus: Metrics + alert rules
  • Grafana: 7 security dashboards
  • Compliance: CIS K8s + NSA guides
Attack Path Blocked: Malicious Dep Introduced → Snyk SCA flags HIGH CVE → Pipeline blocked at gate 3 → Alert fires to Slack → Never reaches cluster
✓ Zero production incidents from supply chain
Vuln Mgmt

Vulnerability Management — Full Lifecycle

From discovery to closure in defined SLAs — tracked, escalated, and audited.

Stage 1 🔎 Discover: Trivy (container) · Snyk (deps) · Semgrep (code)
Stage 2 📊 Prioritize: CVSS + EPSS score · Asset criticality · Exploitability
Stage 3 📋 Track: Jira tickets · Severity SLA clock · Weekly vuln review
Stage 4 🔧 Remediate: Base image rebuild · Dep version bump · Patch PR + review
Stage 5 Verify & Close: Re-scan confirms fix · Jira closed + evidence · Lessons learned
Critical (CVSS ≥ 9): 24 hours patch SLA
High (CVSS 7–8.9): 7 days patch SLA
Medium (CVSS 4–6.9): 30 days patch SLA
Low (CVSS < 4): next release patch SLA
0 production incidents from known CVEs
Incident Response

IR Playbooks — Authored & Battle-Tested

8 production IR playbooks authored. These are the most common ones — runbooks that real engineers use at 3am.

🔐 P1 — Critical: Unsigned / Unattested Image in Production (MTTR target: 15 min)
  1. Falco alert fires: unsigned image running
  2. kubectl cordon the node, evict pod
  3. Audit Kyverno admission logs
  4. Identify how image bypassed gate
  5. Patch policy gap, re-verify all clusters
🗝️ P1 — Critical: Leaked Secret / Credential Detected (MTTR target: 30 min)
  1. Gitleaks or SIEM alert fires
  2. Immediately rotate credential in Vault
  3. Audit access logs for usage (GCP CAAI)
  4. Scrub from git history (git-filter-repo)
  5. Root cause + process fix
P1 — Critical: Container Privilege Escalation Attempt (MTTR target: 20 min)
  1. Falco rule fires: setuid/setgid syscall
  2. Kill pod immediately (kubectl delete pod)
  3. Review pod spec for securityContext gaps
  4. Snapshot node for forensics if needed
  5. Update Kyverno policy to block root
🌐 P2 — High: Critical CVE in Production Base Image (MTTR target: 4 hours)
  1. Trivy or Snyk alert: CVSS ≥ 9.0 in prod
  2. Identify all affected deployment images
  3. Build patched base image, trigger rebuild
  4. Rolling deploy via Argo CD (0 downtime)
  5. Confirm Trivy score cleared in all envs
🔒 P2 — High: Kyverno Policy Bypass Detected (MTTR target: 2 hours)
  1. Audit admission webhook logs
  2. Identify bypass method (namespace label?)
  3. Close policy gap, apply cluster-wide
  4. Review all resources created in window
  5. Run Kyverno audit scan on all namespaces
📡 P3 — Medium: Suspicious Outbound Connection (MTTR target: 1 hour)
  1. Cilium network policy alert fires
  2. Capture flow logs, identify source pod
  3. Isolate pod, inspect container processes
  4. Check image provenance & SBOM
  5. Block IP in egress policy, report finding
Impact Numbers

Security KPIs — Production Numbers

These are real numbers from ZEE Entertainment's security program, not estimates.

🛡️
350+
Microservices secured end-to-end
Kyverno policies + Cosign signing enforced across entire fleet. Every image verified at admission.
↑ From 0 in Jan 2024
🔏
100%
Images signed + SBOM-attested
100% of production container images now carry Cosign signatures and CycloneDX SBOM attestations.
↑ From 0% coverage
🔍
1200+
Vulnerabilities triaged & closed in 2024
Tracked via Snyk + Trivy + Jira. 94% of Critical CVEs patched within 24h SLA.
↑ 94% SLA compliance
📋
50+
Kyverno policies in production
ClusterPolicy library covering non-root, no-privileged, resource limits, image verification, and supply chain gates.
Stable — actively maintained
~4 min
Average pipeline runtime (all 10 gates)
Full SAST + SCA + container scan + sign + Kyverno verify from commit to deploy in under 4 minutes.
↑ Down from 22 min (optimized)
🚨
0
Security breaches / production incidents
Zero security-related production incidents since deploying the full DevSecOps stack in 2023.
✓ 18+ months clean record
📊
8
IR playbooks authored and tested
Runbooks covering privilege escalation, secret leak, CVE in prod, policy bypass, and 4 more scenarios.
Used in 3 real incidents
☁️
15+
GH Actions security workflows authored
Reusable workflow library for SAST, SCA, container scan, SBOM, sign, and compliance reporting.
↑ Used by 12+ eng teams
Compliance Posture
CIS K8s Benchmark: Level 2 — ≥ 95% controls
NSA K8s Hardening: All critical controls applied
SLSA Supply Chain: Level 3 — Signed builds
SOC 2 Controls: Mapped + evidence collected
Zero Trust Principles: Verify-always + least-priv
Credentials

Certifications — Active & In Progress

Industry certifications validating hands-on expertise — not just exam prep.

☁️ Google Cloud · ACE · Associate Cloud Engineer
Active · GCP
IAM & Org Policy · GKE · VPC-SC · Cloud Armor
🔐 CompTIA · Security+ · CompTIA Security+
Active · Foundational
Threats & Vulnerabilities · Cryptography · Identity
☸️ Linux Foundation / CNCF · CKA · Certified Kubernetes Administrator
Active · Advanced
Cluster Administration · RBAC · Network Policy · Troubleshooting
Verify on Credly ↗
🛡️ Linux Foundation / CNCF · CKS · Certified Kubernetes Security Specialist
Active · Expert
Cluster Hardening · Microservice Security · Supply Chain · Runtime Security
Verify on Credly ↗
🔴 Offensive Security · OSCP · Offensive Security Certified Professional
On Roadmap · Expert
Penetration Testing · Exploit Development · Red Team Ops
🌊 Snyk · Snyk Expert · Snyk Security Expert Certification
Active · SCA
SCA · Container Scanning · IaC Scanning
The Journey

18 Months, 5 Phases — From 0 to Full DevSecOps

The real story of how ZEE Entertainment's Kubernetes security posture was built from ground zero. Every phase is a shipped initiative, not a proposal.

Depth Chart

Skill Depth — Production-Validated Proficiency

Proficiency percentages reflect real production usage — not tutorial completion. Each bar maps to shipped features or ongoing ownership.

How percentages are calculated: 50% = can implement from docs. 70% = implemented in production. 85% = own the feature, debug issues independently. 95%+ = authored policies/runbooks, onboarded others, resolved production incidents.
Let's Talk

Availability & Process

Making it easy for recruiters and hiring managers to engage — no friction.

Current Status

Actively Looking
  • Notice Period: 60 days · negotiable for urgent roles
  • Location: Bengaluru, India (open to hybrid/remote)
  • Visa: Indian Citizen · Open to relocation with visa sponsorship
  • Availability: Available for interviews within 48 hours of outreach

🎯 Ideal Roles

Security Engineer · DevSecOps Engineer · Cloud Security Engineer · Application Security Engineer · Kubernetes Security Specialist · Product Security Engineer · Platform Security Engineer · Supply Chain Security Engineer

📞 How to Reach Me

💬 My Interview Preferences

1
Introductory Call

30 min — team, mission, and role details. Happy to share my portfolio walkthrough.

2
Technical Deep-Dive

Architecture discussion, threat modeling exercise, or live security review — I prefer real-world scenarios over leetcode.

3
Team & Culture Fit

Understanding the security org's maturity, reporting structure, and growth trajectory. I look for teams that build, not just audit.

🚫 Probably Not a Great Fit If…

  • The role is purely offensive security (red team, exploit dev) — my focus is defensive architecture, pipeline security, and platform hardening
  • The security team only audits — I thrive where security controls are designed, built, and measured, not just reviewed
  • Security is positioned as a blocker for engineering rather than an enabler — I build things that make teams faster, not slower
  • The role requires Windows or AD/LDAP specialisation — my production depth is GCP, Linux-based Kubernetes, and cloud-native stacks
  • Compliance-theater posture — checkbox audits with no engineering component aren't where I do my best work
Command Center

Recruiter Command Center

For hiring managers who want signal fast: what role fit looks like, what gets delivered in practice, and how I operate inside real engineering organizations without becoming the human version of a blocking Jira ticket.

Anshumaan Singh
Anshumaan Singh
Security Systems Engineer
@ ZEE Entertainment · Bengaluru
Actively looking
2+ yrs
Security experience
6+
Certifications
350+
Microservices secured
0
Production incidents
60 days
Notice period
IST
UTC+5:30 · remote ok
CKS CKA GCP-SEC GCP-PCA GCP-ACE TF-ASC
Core competency depth
CI/CD Security: Expert
Kubernetes Security: Expert
Supply Chain / SBOM: Expert
Cloud Security (GCP): Advanced
Application Security: Advanced
IaC Security (Terraform): Advanced
Secret Mgmt / Vault: Advanced
SIEM / Monitoring: Proficient
⚙️
DevSecOps Engineer
CI/CD control planes · GitHub Actions · SAST/SCA/DAST · policy-as-code · artifact signing · supply chain enforcement
Fit: ★★★★★
Kubernetes / Platform Security
CIS Benchmark compliance · Kyverno · OPA Gatekeeper · Falco runtime · Pod Security Standards · CKS certified
Fit: ★★★★★
☁️
Cloud Security Engineer (GCP)
IAM least-privilege · VPC Service Controls · org policy constraints · GKE hardening · GCP Professional Security certified
Fit: ★★★★☆
🛡️
Application Security Engineer
Pen testing · OWASP ASVS · threat modeling · SAST integration · DAST automation · vulnerability SLA management
Fit: ★★★★☆
Proof Engine

Operational Proof, Not Portfolio Fluff

Each artifact below maps hands-on security engineering work to control outcomes, delivery mechanics, and the kinds of evidence leadership teams, auditors, and platform owners actually trust.

100%
Image Signing Coverage
45+
Kyverno Admission Policies
0
Unsigned Images in Production
SLSA L2
Supply Chain Compliance
CI/CD SECURITY

GitHub Actions Security Pipeline

SAST (Semgrep/CodeQL) → SCA (Snyk/Trivy) → DAST (OWASP ZAP) → SBOM (Syft) → Cosign sign → Kyverno admission. Zero bypass paths across all 350+ microservices.

GitHub Actions Cosign Syft
KUBERNETES SECURITY

100% CIS K8s Benchmark

Full CIS Kubernetes Benchmark v1.5.1 coverage. Kyverno policies enforcing PSS, non-root containers, read-only root filesystems, resource quotas, and network isolation across all namespaces.

Kyverno Falco CIS Benchmark
SUPPLY CHAIN

SBOM-Driven Policy Engine

CycloneDX SBOMs generated via Syft, attached as OCI attestations, and verified by Kyverno at admission time. Provenance travels with the artifact from commit to production deployment.

Syft CycloneDX SLSA L2
Security Control Coverage Matrix
Control Domain               | Tool              | Coverage | Status
Static Analysis (SAST)       | Semgrep, CodeQL   | 100%     | ACTIVE
Dependency Analysis (SCA)    | Snyk, Trivy       | 100%     | ACTIVE
Image Signing & Attestation  | Cosign, Sigstore  | 100%     | ACTIVE
Runtime Threat Detection     | Falco, SIEM       | 100%     | ACTIVE
Dynamic Analysis (DAST)      | OWASP ZAP         | 93%      | EXPANDING
Delivery Lab

How I Run Security Work in Production

Different orgs need different security lanes. This breaks down how I approach DevSecOps, platform hardening, AppSec, cloud guardrails, and incident response with repeatable operating models instead of heroics.

⚙️

DevSecOps Lane

Embed security controls into CI/CD pipelines using shared GitHub Actions templates. SAST on every PR, SCA on every build, DAST post-deploy, SBOM attached to every release artifact. Teams adopt by default, not by request.

Tools: Semgrep · Trivy · OWASP ZAP · Syft · Cosign
☸️

Platform Hardening Lane

Harden the platform layer: CIS Kubernetes Benchmark, Kyverno admission policies, Falco runtime detection, network policies, and namespace isolation. Policy-as-code means controls are version-controlled, peer-reviewed, and auditable.

Tools: Kyverno · Falco · Helm · OPA · CIS Benchmark
☁️

Cloud Governance Lane

GCP org-level constraint policies, VPC Service Controls, IAM deny policies, and workload identity federation. Cloud security enforced at the organization level — not per service, not per team.

Tools: GCP Org Policy · VPC-SC · IAM · Terraform
🛡️

AppSec Lane

Pen testing, OWASP ASVS L2 assessments, and threat modeling for critical services. STRIDE+DREAD sessions quarterly, producing actionable threat matrices shared with engineering and architecture teams.

Tools: Burp Suite · OWASP ZAP · STRIDE · Threat Model
🚨

Incident Response Lane

8 IR playbooks covering credential exposure, supply chain compromise, container escape, and API abuse. Blameless post-incident reviews with structured 5-Whys. Evidence collection automated into SIEM at detection time.

Process: IR Playbooks · SIEM · Blameless RCAs
90-Day Plan

What the First 90 Days Could Look Like

A realistic onboarding ramp for a security engineer joining a team that wants measurable progress: baseline the risk, remove the sharpest pain, improve defaults, and leave behind systems the team can keep operating.

Days 1–30 — Listen & Map
  • ✓ Shadow CI/CD pipelines and deployment workflows
  • ✓ Interview 5+ engineers on biggest security pain points
  • ✓ Map threat surface across all critical services
  • ✓ Inventory existing tools, controls, and gaps
  • ✓ Understand on-call and incident response process
Deliverable: Security gap report with prioritized backlog
Days 31–60 — Remove Sharpest Pain
  • ✓ Ship quick wins: secrets scanning, dependency alerts
  • ✓ Harden the highest-risk service end-to-end as a template
  • ✓ Stand up shared GitHub Actions security template
  • ✓ Tune false-positive noise in existing security tooling
  • ✓ Draft IR playbook for top 3 incident scenarios
Deliverable: Working security pipeline template + 3 IR playbooks
Days 61–90 — Improve Defaults
  • ✓ Roll secure baseline to additional service cohorts
  • ✓ Deliver first security metrics dashboard to leadership
  • ✓ Establish vulnerability SLA tracking and reporting
  • ✓ Run first STRIDE threat modeling session with team
  • ✓ Present 6-month security roadmap with measurable outcomes
Deliverable: Security metrics dashboard + 6-month roadmap

Operating Principles for Days 1–90

01 Listen before building. Understand what engineering teams actually find painful before adding new tools or controls.
02 Ship one thing completely. One fully-hardened service template > partial controls across 50 services.
03 Measure from day one. Define what success looks like in metrics before any work starts. If it's not measurable, deprioritize it.
04 Make security the easy path. The secure default should require less effort than the insecure alternative.
Most Common First Issue Found

Secrets in Source Control / Misconfigured IAM

In almost every org I've audited or joined, the first critical finding within 30 days is either secrets committed to version control (API keys, connection strings, JWT secrets) or IAM permissions that are far broader than required. Both are fixable fast, both have real blast radius, and both are leading indicators of a security culture that needs attention. This is where Days 1–30 tend to pay off most immediately.

15

Moments & Media

Photos, posts, and highlights — the real proof behind the work.

Anshumaan Singh at Google Cloud GCP campus, Bangalore — on-site migration project visit
🏢 Google Cloud · Bangalore

Google GCP Office — Migration Project Visit

On-site discussions with Google Cloud engineering teams on GCP-to-GCP migration architecture, network security controls, and enterprise workload strategy. Google campus, Bangalore.

View on LinkedIn
Anshumaan Singh with security community at Nullcon Goa 2026 — Asia's premier security conference
🛡️ Nullcon · Feb 2026 · Goa

Nullcon Goa — Kubernetes Security Deep-Dive

Attended Asia's premier security conference — Kubernetes runtime security workshops, CIS benchmark hardening labs, advanced threat-modelling, and CNCF security community discussions.

View on LinkedIn
Anshumaan Singh receiving two consecutive ZeeOlympics Best Performer awards at ZEE Entertainment Bangalore
🏆 ZeeOlympics · 2× Consecutive Winner

ZeeOlympics Best Performer — FY 2023–24 & 2024–25

Receiving the "Accountability for Results" award from senior ZEE leadership at Bangalore Tech Hub. Highest company-wide engineering recognition — awarded two consecutive fiscal years for building the enterprise DevSecOps control plane.

View on LinkedIn
Anshumaan Singh ranked #1 on Google Gemini Code Assist quiz leaderboard — 10/10 score in 1m 14s
🧠 Google Gemini · #1 Champion

Google Gemini Code Assist — Fastest Perfect Score

Scored 10/10 in just 1m 14s on Google's Gemini Code Assist challenge — fastest perfect score across all participants. AI-accelerated engineering meets deep security fundamentals.

View on LinkedIn
Anshumaan Singh receiving award at GitHub Tech After Dark Enterprise Developer Social event
🐙 GitHub · Tech After Dark

GitHub Tech After Dark — Quiz Champion

Won the technical quiz at GitHub's "Tech After Dark — Enterprise Developer Social" event in Bengaluru. DevOps pipelines, security tooling, cloud-native architecture — outscored engineers from across the ecosystem.

2,000+ Likes
1.3L+ Impressions
🔗 LinkedIn Viral

DevSecOps Article — 2K Likes · 1.3 Lakh+ Impressions

A LinkedIn post on DevSecOps engineering reached 2,000+ likes and 1,30,000+ impressions — the largest organic reach in the Indian security engineering community.

Anshumaan Singh at Microsoft + GitHub Connect joint enterprise developer event, Prestige Ferns Galaxy Bengaluru
🪟 Microsoft · GitHub Connect

GitHub Connect @ Microsoft — Bengaluru

Microsoft + GitHub joint enterprise developer event at Prestige Ferns Galaxy. Deep-dive sessions on GitHub Advanced Security, Copilot for Security, and DevSecOps at scale. Networked with engineering leaders across the ecosystem.

Full enterprise DevSecOps CI/CD security pipeline architecture — SAST, SBOM, Cosign, Kyverno, ArgoCD, Falco
🔗 Architecture Blueprint

Enterprise DevSecOps CI/CD Workflow — Full End-to-End Blueprint

Complete pipeline: SAST → SCA → Container Scan → SBOM → Cosign Sign → Kyverno Admission → ArgoCD GitOps → Falco Runtime → SIEM → Grafana Observability. Zero bypass paths.


FAQ

Direct answers to questions I frequently receive from hiring managers, recruiters, and engineers.

What does a typical week look like for you?
Security engineering sprints: reviewing CI/CD pipeline scan results, remediating high-priority CVEs with engineering teams, tuning SIEM detections, participating in design reviews for new microservices, writing security runbooks. No two weeks are identical — that's the point.
What makes your DevSecOps approach different?
I treat security as a system property, not a late-stage review step. My approach emphasizes preventive controls in the delivery path, standardized policy gates, and traceable evidence. The goal is consistent risk reduction without slowing engineering throughput.
Are you open to new opportunities?
Yes. I'm open to connecting with teams building security engineering at scale — DevSecOps, Kubernetes security, supply chain integrity, or cloud security roles. Remote-forward or Bengaluru-based. Reach out via email or LinkedIn.
How do you approach CVE triage?
CVSS alone is not sufficient for prioritization. I use a three-signal model: CVSS (technical severity), EPSS (likelihood of exploitation), and reachability (runtime relevance). This keeps remediation focused on exploitable risk and reduces false-positive churn.
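The three-signal model described above, worked through as an added example (not the author's own tooling): reachability gates the queue, then EPSS and CVSS decide the tier, so a high-CVSS finding in a package that is never loaded at runtime lands below a medium-CVSS one that is reachable and actively exploited. The tier thresholds and the sample findings are constructed assumptions, not values from the page.

```python
"""Three-signal CVE triage: CVSS (severity), EPSS (exploit likelihood),
reachability (is the vulnerable code path loaded at runtime).
Added example; thresholds and sample data are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    service: str
    cvss: float        # 0.0-10.0 base score
    epss: float        # 0.0-1.0 probability of exploitation in 30 days
    reachable: bool    # vulnerable function reachable from running code

# Assumed thresholds (tune per org; not from the page)
EPSS_HIGH = 0.10
CVSS_HIGH = 7.0

def triage_tier(f: Finding) -> str:
    """Return a remediation tier. Reachability gates everything:
    an unreachable package is tracked for the next rebuild, not paged."""
    if not f.reachable:
        return "P4-track"
    if f.epss >= EPSS_HIGH and f.cvss >= CVSS_HIGH:
        return "P1-fix-now"
    if f.epss >= EPSS_HIGH or f.cvss >= CVSS_HIGH:
        return "P2-this-sprint"
    return "P3-backlog"

_ORDER = {"P1-fix-now": 0, "P2-this-sprint": 1, "P3-backlog": 2, "P4-track": 3}

def rank(findings):
    """Order the queue by tier, then by EPSS, then by CVSS, so the top of the
    list is exploitable risk rather than raw severity."""
    return sorted(findings, key=lambda f: (_ORDER[triage_tier(f)], -f.epss, -f.cvss))

# Constructed sample scan output (placeholder CVE ids, not real advisories)
SAMPLE = [
    Finding("CVE-0000-0001", "billing-api", cvss=9.8, epss=0.02, reachable=False),
    Finding("CVE-0000-0002", "auth-svc",    cvss=7.5, epss=0.45, reachable=True),
    Finding("CVE-0000-0003", "media-cdn",   cvss=5.3, epss=0.30, reachable=True),
    Finding("CVE-0000-0004", "search-api",  cvss=8.1, epss=0.01, reachable=True),
    Finding("CVE-0000-0005", "notify-svc",  cvss=4.0, epss=0.01, reachable=True),
]

def triage_queue(findings=SAMPLE):
    """Return (cve, tier) pairs in remediation order."""
    return [(f.cve, triage_tier(f)) for f in rank(findings)]

if __name__ == "__main__":
    for cve, tier in triage_queue():
        print(f"{tier:15} {cve}")
```

Note how CVE-0000-0001, the highest CVSS in the sample, ends up last because it is unreachable at runtime; that is the false-positive churn the three-signal model removes.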
Do you do pen testing or just pipeline security?
Both. I've done web app, API, and mobile pen testing at ZEE Entertainment — auth bypass, access control, API misuse, and misconfiguration validation. I also built DAST automation post-deploy in CI/CD via OWASP ZAP with kubectl runtime URL discovery.
How do you manage security at scale across 350+ microservices?
Through platform standardization and policy-as-code. Manual review does not scale to 350+ services, so controls must be embedded in CI/CD and admission policies. Shared GitHub Actions templates and a consistent evidence model (scan output + digest + approvals) ensure every service follows the same secure baseline.
What's something you argued against that you turned out to be right about?
Early in the DevSecOps rollout, there was a strong push to deploy the security pipeline to all 350+ services at once — "big bang" cut-over. I pushed back: a single misconfigured Kyverno policy would block every deployment across the entire platform simultaneously. Instead, we phased the rollout service-by-service, starting with non-critical services, running in “audit” mode before “enforce” mode. Three services had policy violations that would have caused production outages. The approach was right. The lesson: admission control mistakes fail loudly and immediately — test the blast radius before you flip the switch.
What was the hardest incident you've dealt with, and what did you get wrong first?
The hardest was discovering hardcoded Azure Storage connection strings committed to GitHub Enterprise — affecting 12 services, all with live production access. My first instinct was to rotate the keys immediately. That was the wrong sequence. Rotating before the blast radius was mapped meant we might miss affected services, causing partial failures that were harder to trace. The correct order was: inventory all affected services → map all credentials to their dependent services → then rotate in order of blast radius, starting with the highest-access credential. We got it right eventually, zero downtime, but those first 20 minutes of wanting to "just fix it now" were the most dangerous. Incident response is a sequencing problem, not a speed problem.
How do you convince a VP of Engineering or CFO that security investment is worth the cost?
I stop talking about CVEs and start talking about delivery confidence. The question isn't “how bad could a breach be?” — it's “how much does uncertainty about your supply chain cost you per sprint?” At ZEE, the reframe was simple: before the SBOM and admission gate pipeline, any deployment could silently include a vulnerable or unsigned image. That's not a security problem — it's a reliability and auditability problem. Framing security posture as “operational confidence” connects directly to what VPs and CFOs already measure. Once the audit evidence model was in place, our SOC 2 audit prep time dropped by 60%. That number converts to real engineering hours. That's the conversation that moves budget.

Eyes on the Next Mission

Built and operated security controls at enterprise scale, and now looking to contribute that experience to the next high-impact team.

Actively exploring Security Engineering, DevSecOps, Cloud Security, and Application Security roles

🛡️ What I Bring

  • End-to-end DevSecOps pipeline architecture — SAST, SCA, DAST, container scanning, SBOM generation, Cosign signing, Kyverno admission control, ArgoCD GitOps, and Falco runtime detection
  • Kubernetes security at scale — 100% CIS Benchmark, admission-time image verification, namespace isolation, and runtime anomaly detection across 350+ microservices
  • Supply chain integrity — SBOM-driven policy engines with Sigstore keyless signing, attestation layers, and provenance tracking from code commit to production runtime
  • GCP cloud governance — VPC Service Controls, org-level constraint policies, workload identity federation, and IAM deny policies enforcing zero-trust boundaries
  • Pen testing & vulnerability assessment — web app, API, mobile app testing, OWASP ZAP DAST automation with kubectl runtime URL discovery
  • 6+ professional certifications: CKS, CKA, GCP Professional Cloud Security Engineer, GCP PCA, Terraform Associate, Google ACE

🎯 What I'm Looking For

  • Security Engineering — building and operating security infrastructure, detection pipelines, and platform-level guardrails
  • DevSecOps — embedding security controls into CI/CD, shifting left without adding friction, policy-as-code at scale
  • Cloud Security — GCP/AWS/Azure infrastructure security, identity management, network segmentation, and compliance automation
  • Application Security — SAST/DAST integration, secure code review, threat modelling, and vulnerability management programs
  • Kubernetes / Container Security — admission control, runtime protection, image signing, CIS hardening, and supply chain integrity
  • Product Security — security architecture review, design-time threat analysis, and engineering team enablement

🤝 Culture & Values

  • Engineering-driven security teams that treat security as a system property, not a checkbox
  • Organizations that value evidence over opinions — metrics, compliance scores, and audit trails over slide decks
  • Teams building security at scale — hundreds of services, real production constraints, real adversarial pressure
  • Remote-forward, hybrid, or Bengaluru-based opportunities
  • Continuous learning culture — pursuing M.Tech (Cybersecurity) at BITS Pilani alongside full-time security engineering

📊 Proven Impact

350+ Microservices secured end-to-end
100% CIS Kubernetes Benchmark
93% OWASP Top 10 compliance
0 Security incidents in production
6 Professional certifications
ZeeOlympics Best Performer

Let's Connect

Open to Security Engineering, DevSecOps, Cloud Security, and Kubernetes Security opportunities.

Get in touch

If you're hiring for a role focused on secure delivery, cloud-native risk reduction, or platform security engineering, I'd be glad to connect and discuss how I can contribute.

What you can expect
  • Reply within 24 hours on weekdays — usually same day
  • Structured, direct answers — no walls of text
  • Prepared for technical screens from day one
  • Joinable in 60 days, negotiable for urgent needs
  • Work samples, GitHub repos, and Credly certs ready to share
Working preferences · quick reference
📍 Location Bengaluru, India · open to hybrid / remote
⏱ Notice period 60 days · negotiable for urgent roles
🕐 Timezone IST (UTC+5:30) · overlap comfortable with EU/US mornings
💼 Best-fit roles Security Engineer · AppSec/ProdSec Engineer · DevSecOps Engineer · Cloud Security
🎯 Interview focus Kubernetes security · CI/CD supply chain · Cloud-native risk · AppSec architecture
📬 Response time Within 24 hours on weekdays · usually much faster
Actively looking for Security Engineering, DevSecOps, and Cloud Security roles. Bengaluru-based · open to hybrid or remote.

Send a message

Prefer email? Write directly to anshumaansingh10jan@gmail.com