Above the Cloudline
To defend a system you must first learn to take it apart. Offense is not the opposite of safety — it is its rehearsal.
I build systems that are not just functional, but extraordinary — where security meets elegance and infrastructure becomes invisible.
With five years engineering cloud-native platforms at scale, I work fluently across Golang, Rust, Kubernetes, and eBPF. My range runs from kernel-level security research to enterprise cloud architecture — and I design every system to push the boundary of what's possible without ever losing sight of the people who depend on it.
The best infrastructure disappears. When the kernel, the network, and the runtime all hold, the work that remains is the only work that ever mattered.
Architected real-time delivery routing and zone-optimization services with haversine geospatial math and a distributed datastore — millions of location queries daily at sub-50ms latency.
Built a self-service provisioning platform for containerized workloads on a secure microservices architecture, with compliance guardrails baked into every deployment path.
An MCP server exposing offensive-security tooling to AI agents — autonomous reconnaissance, exploitation, and reporting through a standardized protocol interface.
A dual-module eBPF research framework demonstrating offensive rootkit techniques alongside defensive runtime auditing — a controlled environment for Linux-kernel exploration.
An eBPF-based offensive toolkit for network discovery, process hiding, and container breakouts — built for stealthy red-team assessments of Kubernetes environments.
Kernel-level behavioral containment for AI agents using eBPF and LSM — monitoring and restricting autonomous actions at the syscall layer before they touch the system.
A controlled white-hat UEFI bootkit simulation for academic research and defensive detection engineering — helping defenders understand firmware-level persistence in the wild.
A security enforcer pairing eBPF syscall monitoring with WebAssembly-based policies — kernel-level observability and portable, cross-platform workload protection in one engine.