GRC leader with 12+ years building compliance, risk, and security programs at high-growth tech companies and public-sector orgs. I don't just manage audits. I write the code that automates them.
I started in the trenches: racking servers, writing PowerShell scripts, managing VMware clusters. That sysadmin foundation taught me how infrastructure actually works, which turned out to be the thing most GRC people are missing.
From there I moved into security operations and eventually into GRC program management, leading risk programs and building a vendor assessment process covering 2,000+ vendors for the City of San Francisco (55 departments, 30,000 employees) before shifting to high-growth startups.
At Amplitude and Handshake, I found my groove building compliance programs that actually work. SOC 2, ISO 27001, and PCI DSS on the company side. SSPA, bank due diligence, and Mag 7 customer assessments on the other. I built the programs and simultaneously built the internal tooling to automate the boring parts. This is also where I learned firsthand how painful customer trust workflows are and became convinced that no human should ever manually fill out a security questionnaire again.
AI has been part of my toolkit since the early GPT-3.5 days, when I started using it to accelerate GRC workflows like policy drafting, risk analysis, and evidence mapping. That evolved into writing Python scripts with Copilot, then building full production applications with Claude. Today I use AI-assisted development to ship internal security tools on GCP, going from idea to deployed Cloud Run service in days, building tools that would otherwise never exist.
The throughline: I make security programs that don't depend on me being in the room. Automated evidence collection, self-service vendor reviews, codified risk processes. Programs that outlast the audit cycle.
End-to-end ownership of audit programs from scoping through delivery. Zero-exception track record across SOC 2, ISO 27001, and PCI DSS. Built automated evidence collection pipelines that cut audit prep time by 80%.
Build governance and risk programs from scratch: policy frameworks, risk registers, risk councils, and assessment methodologies. Experienced with FAIR quantitative risk and ISO 27005 qualitative approaches.
Design, build, and deploy production security applications using Claude Cowork. Full-stack apps on GCP Cloud Run that automate vendor risk, customer trust, and compliance workflows, shipping tools in days that would otherwise never exist.
Deployed self-service customer trust portals and AI-powered questionnaire response, reducing time spent on security questionnaires by 90%+. Built vendor risk programs assessing 2,000+ vendors with risk-based tiering and SLA-driven review processes.
Enterprise-scale security awareness and training programs with onboarding controls, phishing simulations, and completion enforcement. Build security culture through education, not just policy.
Deep infrastructure roots: VMware, Active Directory, Linux/Windows ops. PowerShell and Ansible automation. The foundation that makes everything else possible.
Fully automated security request intake system, from GTM to Linear to Wolfia. 14 systems integrated, zero manual steps. Reduced time spent on customer security questionnaires by 90%+.
Automated vendor risk platform that syncs with procurement (Ramp) and project tracking (Linear). Tracks 162 vendors with automated risk evaluation, daily syncs, and Slack alerts.
22 security policies managed as markdown in GitHub with automated publishing to Notion via GitHub Actions. Every change is version-controlled, peer-reviewed, and audit-ready.
Automated the operational layer behind a vulnerability management program: weekly reporting, metrics reconstruction, triage routing from code ownership, exception tracking, and program hygiene. Daily jobs handle the remembering so the program does not depend on one person.
.claude/skills folder and they work immediately. Built from real production workflows, anonymized for public use.
A reusable pattern for automating vulnerability management operations. Drop it into any Claude project and it handles reporting templates, triage routing logic, exception workflows, and program hygiene rules.
Complete deployment patterns for shipping internal apps on Cloud Run with security built in. Covers Docker builds for Apple Silicon, IAP authentication, Secret Manager injection, SQLite persistence via GCS FUSE, in-process APScheduler with catch-up logic, and role-based access control.
Capture your personal writing style and apply it consistently across every Claude output. Define your voice once with a structured profile covering formal documents, informal comms, and absolute rules. Load it in seconds at the start of any session.
OWASP and Docker published separate guides on securing AI agents within weeks of each other. They come from different angles and land in the same place. The overlap is the playbook.
It started with a screenshot of a manual Friday report. It ended with a system that handles the operational memory behind an entire vulnerability management program.
The Model Context Protocol connected AI to your internal tools. It also connected your internal tools to every vulnerability class from the last twenty years of application security, all at once.