◉ EMMANUEL TIGOUE
AI Security Engineer • SecurityX • SSCP • CCNA
I secure AI systems and build the governance around them. 14-container Zero Trust platform, 37 GRC documents, detection to alert in under 30 seconds.
◉ CISSP IN PROGRESS // SPRING 2026
// Clearance Stack
Certifications
◉ IN PROGRESS
ISC2 CISSP
Spring 2026
// Service Record
Experience
CoreDirective
| AI Security Engineer
Atlanta, GA • Sep 2025 – Present
14
Container Stack
37
GRC Documents
80%
Triage Reduction
0
Exposed Ports
- Secured AI gateway (Claude Opus 4.6, OWASP LLM Top 10, MITRE ATLAS) and red teamed 25 test cases for prompt injection, jailbreak, and data exfiltration pre-launch
- Built shift-left CI/CD (Trivy, Semgrep, Gitleaks, OPA, Cosign, SBOM) and executed DAST with OWASP ZAP: zero injection vulns across 8 categories, 4 header fixes same-day
- Cut alert noise from 200+ to 12 actionable findings by tuning Falco eBPF rules with Datadog routing via Falcosidekick
- Defined 16 Terraform files, 30+ resources, 8 OPA policies. Deployed Teleport PAM (JIT) and Keycloak SSO (3-tier RBAC)
- Reduced external attack surface to zero exposed ports through Cloudflare Zero Trust tunnels with mTLS
- Assessed Google Cloud IAM across 7 APIs: OAuth 2.0 lifecycle, org-level policies, cross-domain identity federation
- Automated ops via n8n SOAR with NeMo-sandboxed AI and Ollama local inference, cutting triage by 80%
- Authored 37 GRC documents: SSP (133 NIST 800-53 controls), POA&M (27 findings), 10 policies, 5 IR playbooks, DAST assessment, pen test
Texaco
| IT Security & Operations Manager
Atlanta, GA • Mar 2022 – Feb 2026
65%
Cost Reduction
90m
Containment Time
86%
Fewer Audit Findings
12h
Recovered Weekly
- Led incident response across 3 locations: POS skimmer investigations, credential compromises, and vendor access incidents. Built 6-step IR runbook cutting containment from 8 hours to 90 minutes
- Segmented flat network into 4 VLANs isolating POS payment, back-office, guest Wi-Fi, and management. Validated with Nmap scans
- Deployed Splunk SIEM with correlation rules cutting mean time to detect from 48 hours to under 4 hours
- Hardened Active Directory with GPO baselines, least-privilege enforcement, and credential rotation. Reduced audit findings from 14 to 2
- Maintained PCI DSS compliance across 45+ devices with quarterly Nessus scans, segmentation validation, and SAQ documentation
- Automated patch deployment, provisioning, and compliance reporting with Python and PowerShell, recovering 12 hours weekly
- Established AI governance aligned to NIST AI RMF with LLM-powered phishing detection and incident prioritization
// Academic Record
Education
Georgia State University
| Atlanta, GA
GPA: 3.7 • Dean's List
- B.B.A. Computer Information Systems | May 2026
Concentration in Cybersecurity - B.B.A. Business Economics | May 2026
- A.S. Business Administration | May 2025
// Proof of Work
What I Built
Operational security platform built on DigitalOcean, migrated from AWS EC2 for cost optimization. STRIDE threat-modeled, then deployed. Every metric below is verifiable in the public repository.
14
Deployed Containers
16
NIST Control Families
65%
Cost Reduction
8
OPA Policies
15
SOAR Workflows
<30s
Detection to Alert
37
GRC Documents
133
NIST Controls Mapped
5
IR Playbooks
System Architecture // CoreDirective Security Platform
14 containers • 3 Docker networks • 7 layers • Click any layer to expand
Layer 1 // Perimeter & Edge
◉ Cloudflare Tunnel TLS 1.3
◉ Cloudflare DNS/WAF EDGE
Zero public ports exposed. All ingress through Cloudflare encrypted tunnels. WAF rules filter malicious traffic at the edge. DDoS protection and bot management at no additional cost. All services accessed through encrypted tunnel routes.
Layer 2 // Identity & Access
◉ Teleport PAM PAM
◉ Keycloak RBAC IAM
◉ Vault Secrets KMS
Teleport enforces JIT access. SSH sessions are time-limited, recorded, and auditable. Keycloak provides 3-tier RBAC with SSO. Vault manages dynamic credentials with automatic rotation. Zero hardcoded secrets in the entire stack.
Layer 3 // Docker Network Segmentation
◉ net-core BRIDGE
◉ net-ai AIR-GAP
◉ net-monitoring MONITOR
Three isolated Docker networks. net-core for service communication. net-ai is air-gapped (internal:true) so AI models cannot reach the internet at runtime. net-monitoring isolates the security stack from service traffic. n8n bridges net-core and net-ai. Event handler bridges net-core and net-monitoring.
Layer 4 // Core Services
◉ PostgreSQL 16 DB
◉ n8n SOAR SOAR
PostgreSQL stores workflow state with encrypted-at-rest storage and daily automated backups. n8n orchestrates 15 SOAR workflows across 16 integrated services: incident response, health monitoring, compliance checks, and operational intelligence.
Layer 5 // AI Pipeline (Air-Gapped)
◉ Ollama LLM
◉ Whisper STT STT
◉ OpenClaw AGENT
AI inference runs on an air-gapped network (net-ai, internal:true). Ollama and Whisper cannot reach the internet at runtime. OpenClaw gateway provides authenticated access to Claude Opus 4.6 with 6 active tool-use skills. Prompt injection defenses and output validation layers enforce AI safety.
Layer 6 // Detection & Response
◉ Falco eBPF
◉ Falcosidekick ROUTER
◉ Event Handler AUDIT
Falco monitors every syscall via eBPF with custom per-container rulesets. Detections route through Falcosidekick to Datadog dashboards and Telegram alerts in under 30 seconds. Event Handler captures all Teleport session recordings for compliance audit trails.
Layer 7 // Observability & Supply Chain
◉ Datadog APM
◉ Fluentd LOGS
◉ Trivy CVE
◉ Semgrep SAST
◉ Gitleaks SECRETS
◉ Cosign/Syft SBOM
Datadog provides full-stack observability with custom SOC dashboards. Fluentd aggregates container logs into a unified pipeline. CI/CD security gates: Trivy scans for CVEs, Semgrep performs SAST, Gitleaks prevents credential leaks, OPA/Rego enforces infrastructure policies, Cosign signs images, and Syft generates SBOMs for supply chain verification.
DigitalOcean s-4vcpu-8gb • Ubuntu 24.04 • Terraform IaC • Docker Compose
Migrated from AWS EC2 (65% cost reduction) • Cloud-agnostic, redeployable in hours
Migrated from AWS EC2 (65% cost reduction) • Cloud-agnostic, redeployable in hours
// Cloud Migration Case Study
Problem
$135/mo
Single AWS EC2 instance. Vendor lock-in risk. NAT Gateway overhead. Underutilized compute.
Solution
Multi-Cloud IaC
Terraform-managed DigitalOcean infrastructure. Cloudflare zero-trust overlay. Full stack in Docker Compose. Cloud-agnostic architecture. Can redeploy to any provider in hours.
Result
$48/mo
Fraction of the cost. Zero downtime migration. Same stack, same security posture. Proves multi-cloud capability.
Zero Trust
4-Layer Security Architecture
STRIDE threat-modeled, then deployed. Cloudflare Tunnel (no exposed ports) + Teleport PAM with JIT access + Keycloak RBAC with 3-tier role separation. Falco eBPF runtime detection feeding Datadog SOC dashboards. Vault for secrets management.
Cost Engineering
65% Infrastructure Cost Reduction
AWS EC2 $135/mo down to DigitalOcean $48/mo. Self-hosted Qwen 3 8B handles local inference at zero marginal cost. Terraform IaC enables cloud-agnostic redeployment.
Automation
15-Workflow SOAR Orchestration
Single webhook-driven control plane integrating 16 services: Google Workspace, Telegram, PostgreSQL, Ollama, Cloudflare, GitHub, Gmail, and more.
TERRAFORM // compute.tf
resource "digitalocean_droplet" "cd_alpha" { name = var.do_droplet_name region = var.do_region size = var.do_droplet_size image = var.do_image vpc_uuid = digitalocean_vpc.default.id ssh_keys = [digitalocean_ssh_key.coredirective.id] tags = var.do_tags lifecycle { prevent_destroy = true ignore_changes = [image, ssh_keys] } }
DOCKER // docker-compose.yaml
services: tunnel-cyber-squire: image: cloudflare/cloudflared:latest command: tunnel run network_mode: host restart: unless-stopped security_opt: - no-new-privileges:true read_only: true environment: - TUNNEL_TOKEN=${CD_TUNNEL_TOKEN} svc-automation: image: n8nio/n8n:latest security_opt: - no-new-privileges:true networks: - cd-internal # isolated bridge
OPA/REGO // enforce_vpc.rego
package terraform.digitalocean deny[msg] { resource := input.resource_changes[_] resource.type == "digitalocean_droplet" not resource.change.after.vpc_uuid msg := "Droplet must be in a VPC" } deny[msg] { resource := input.resource_changes[_] resource.type == "digitalocean_droplet" not contains_tag(resource, "managed-by:terraform") msg := "All resources must be tagged" }
// Security Engineering
Security Engineering
JUMP TO SUBSECTION ▼
This is not generic threat modeling. This is adversarial analysis of an autonomous AI agent with tool-use capabilities: an LLM that can browse the web, execute code, query databases, trigger SOAR workflows, and push to GitHub. One compromised prompt can chain through 6 active skills into 16 downstream service integrations.
Every threat below was identified through STRIDE decomposition of the full agentic pipeline, then cross-referenced against MITRE ATT&CK/ATLAS, OWASP LLM Top 10, NIST 800-53, and ISO 42001. The result: 29 categorized threats, 4 mapped kill chains, and a clear picture of where the controls hold and where the gaps remain.
29
STRIDE Threats
10
AI Threats
4
Attack Paths
7
Trust Boundaries
30+
Data Flows
6
Frameworks
Agentic AI Threat Surface // Tool-Use Risk Map
Click any skill node to expand abuse scenarios and control mappings
CLAUDE OPUS 4.6 // AGENTIC GATEWAY
Autonomous AI agent with 6 active tool-use skills · Telegram-facing · No human-in-the-loop
Tavily Search
Real-time web search, content extraction
Indirect prompt injection via fetched content, data exfiltration through crafted queries
ChainSearch result → context poisoning → behavioral override
ATLASAML.T0051 (LLM Prompt Injection)
ControlOutput filtering, domain allowlist
Browser
Navigate websites, extract content, fill forms
SSRF to internal services, credential harvesting via phishing pages, JS execution
ChainBrowse → discover internal endpoints → exfiltrate data
ATLASAML.T0040 (ML Supply Chain Compromise)
ControlURL allowlisting, no localhost access, content sanitization
Python Interpreter
Execute arbitrary Python, file I/O, network calls
Remote code execution, filesystem traversal, reverse shell, crypto mining
ChainCode exec → filesystem access → credential theft → lateral movement
ATLASAML.T0043 (Craft Adversarial Data)
ControlSandboxed execution, no network by default, file path restrictions
GitHub
Create repos, push code, manage issues, read source
Malicious code injection, supply chain poisoning, secret extraction from repos
ChainRead source → identify secrets → push backdoored code
ATLASAML.T0042 (Verify Attack)
ControlToken scope limitation, branch protection, Gitleaks scanning
Notion
Create/read pages and databases, content management
Data exfiltration to external workspace, PII harvesting, social engineering content creation
ChainRead sensitive docs → exfiltrate via new page → cover tracks
ATLASAML.T0048.002 (Exfiltration via ML Inference API)
ControlWorkspace isolation, API token scope, audit logging
Gemini
Cross-model inference, content generation, analysis
Model-to-model prompt injection relay, response manipulation, oracle attacks
ChainQuery Gemini with poisoned context → use response to manipulate primary agent
ATLASAML.T0051 (LLM Prompt Injection)
ControlModel output validation, response filtering
COMPOUND RISK: 6 skills × 16 service integrations = 96 potential chain paths. A single prompt injection doesn’t compromise one tool. It compromises every tool the agent can reach. The attack surface isn’t additive. It’s multiplicative.
Interactive // STRIDE Threat Decomposition
Click any category to expand findings · 29 threats identified across 14 services
S
Spoofing
5 threats identified
Identity forgery across Telegram, webhooks, and API endpoints. Includes AI model identity spoofing.
Top ThreatTelegram identity spoofing via forged chat_id
AI ExtensionModel impersonation. Compromised gateway returning attacker-controlled responses
ControlsTelegram token auth, Cloudflare WAF, API key rotation, mTLS
NIST 800-53IA-2, IA-5, IA-8, SC-8
Risk LevelMEDIUM
T
Tampering
5 threats identified
Data and model integrity attacks targeting Docker images, database records, model weights, and audit logs.
Top ThreatDocker image manipulation via compromised registry pull
AI ExtensionOllama model weight alteration. Poisoned model producing backdoored outputs
ControlsCosign image signing, Trivy scanning, model hash verification, net-ai air gap
NIST 800-53SI-7, CM-3, CM-5, SA-12
Risk LevelMEDIUM
R
Repudiation
4 threats identified
Action denial and non-attribution in workflows, AI outputs, and audit trails.
Top ThreatAI-triggered workflow actions with no human attribution
AI ExtensionAI output non-attribution. No traceable link from AI decision to action taken
ControlsTeleport session recording, Fluentd log shipping, Datadog audit trails
NIST 800-53AU-2, AU-3, AU-6, AU-12
Risk LevelLOW
I
Information Disclosure
6 threats identified
Data leakage through AI inference, prompt exfiltration, credential exposure, and cross-zone data bleed.
Top ThreatPrompt leakage. Operational context sent to Anthropic API in inference requests
AI ExtensionPII in AI responses, system prompt extraction, side-channel inference attacks
ControlsPrompt sanitization, output filtering, local inference fallback, Vault secret isolation
NIST 800-53SC-8, SC-13, SC-28, SI-4
Risk LevelHIGH
D
Denial of Service
4 threats identified
Resource exhaustion targeting API budgets, GPU/CPU inference, container limits, and tunnel throughput.
Top ThreatAPI budget exhaustion. Adversary triggers expensive Claude API calls via crafted prompts
AI ExtensionContext window stuffing, model loading attacks against Ollama
ControlsRate limiting, API budget caps, container resource limits, Cloudflare DDoS protection
NIST 800-53SC-5, SI-4, CP-2, AU-6
Risk LevelMEDIUM
E
Elevation of Privilege
5 threats identified
Container escape, AI excessive agency, role escalation via Keycloak, Vault token abuse, n8n code execution.
Top ThreatAI excessive agency. Agent chains skills to execute unintended infrastructure actions
AI ExtensionPrompt injection → skill chaining → n8n workflow trigger → unauthorized DB/infra actions
ControlsSkill allowlisting, n8n workflow approval, Falco runtime detection, least privilege
NIST 800-53AC-6, CM-7, SI-3, SC-7
Risk LevelHIGH
Click any card to expand • Data sourced from THREAT_MODEL_STRIDE.md (629 lines)
Attack Tree // AI Pipeline Kill Chains
Path 1: Prompt Injection via External Messaging
HIGH PROB
Telegram→
Cloudflare Tunnel→
OpenClaw Gateway→
Override System Instructions
Technique: Craft adversarial prompts to override system instructions or exploit multi-turn context drift. Includes encoding-based evasion (base64, unicode) and indirect injection via fetched web content (Tavily search results).
Controls: Input validation, system prompt hardening, behavioral monitoring via Datadog, conversation length limits, output validation before workflow triggers.
Gap: No automated prompt injection detection at the gateway level. Recommended: implement input classifier before LLM processing.
Controls: Input validation, system prompt hardening, behavioral monitoring via Datadog, conversation length limits, output validation before workflow triggers.
Gap: No automated prompt injection detection at the gateway level. Recommended: implement input classifier before LLM processing.
Path 2: Credential Theft via AI Agent
HIGH IMPACT
Prompt Injection→
Credential Disclosure→
n8n Workflows→
Lateral Movement
Technique: Chain prompt injection with credential extraction to trick the AI into revealing API keys, database credentials, or Vault tokens through its tool-use capabilities. Use exposed credentials to pivot to n8n workflows or database.
Controls: N8N_RESTRICT_ENVIRONMENT_VARIABLES_ACCESS=true (deployed), Vault dynamic secrets, credential scoping, Falco detection rules for unusual credential access patterns.
Mitigated: Environment variable restriction closes the primary credential theft vector through n8n.
Controls: N8N_RESTRICT_ENVIRONMENT_VARIABLES_ACCESS=true (deployed), Vault dynamic secrets, credential scoping, Falco detection rules for unusual credential access patterns.
Mitigated: Environment variable restriction closes the primary credential theft vector through n8n.
Path 3: AI-Triggered Workflow Abuse
HIGH IMPACT
Excessive Agency→
Skill Chaining→
n8n SOAR Trigger→
Unauthorized Actions
Technique: Exploit the AI agent's tool-use capabilities to chain actions across browser, GitHub, and n8n. 16 service integrations in the SOAR platform create a wide action surface. Attacker crafts prompts that cause the AI to trigger destructive workflows.
Controls: Skill allowlisting, workflow-level approval gates, Falco detection for unexpected n8n execution patterns, action audit logging in PostgreSQL.
Gap: No human-in-the-loop gate for sensitive workflow triggers (database operations, infrastructure changes).
Controls: Skill allowlisting, workflow-level approval gates, Falco detection for unexpected n8n execution patterns, action audit logging in PostgreSQL.
Gap: No human-in-the-loop gate for sensitive workflow triggers (database operations, infrastructure changes).
Path 4: Model Supply Chain Compromise
MED PROB
Ollama Registry→
Poisoned Model Pull→
Backdoored Inference→
Manipulated Outputs
Technique: Compromise the Ollama model registry or intercept model pull to inject a backdoored model. GGUF format manipulation allows subtle behavioral changes that evade basic testing. No model signing by default in Ollama ecosystem.
Controls: net-ai air gap (no runtime internet), SHA256 hash verification at pull, periodic model integrity checks, behavioral baseline testing.
Gap: No automated model signing verification. Ollama registry lacks Sigstore/Cosign integration. Manual hash comparison only.
Controls: net-ai air gap (no runtime internet), SHA256 hash verification at pull, periodic model integrity checks, behavioral baseline testing.
Gap: No automated model signing verification. Ollama registry lacks Sigstore/Cosign integration. Manual hash comparison only.
Full decomposition in ATTACK_TREE_AI_PIPELINE.md (344 lines)
Red Team Walkthrough // Prompt Injection → Skill Chain → Infrastructure Impact
Step through the highest-probability attack path. Click each phase to see detection status and control gaps.
Phase 01 // Reconnaissance
Target Identification
Attacker identifies public-facing AI agent with tool-use capabilities via messaging platform
Attacker discovers bot via platform search, sends benign queries to map capabilities, identifies skill set through response patterns. Passive reconnaissance reveals the agent’s available tools and behavioral boundaries.
PARTIAL // Platform metadata logged but no anomaly detection on reconnaissance patterns
▼
Phase 02 // Initial Access
Crafted Prompt Delivery
Adversarial prompt designed to override system instructions using encoding evasion techniques
Base64/unicode encoded prompt injection bypasses basic input filters. Multi-turn conversation builds trust context before injection payload. Technique: jailbreak + context manipulation.
PARTIAL // WAF active, no prompt-specific classifier at gateway
▼
Phase 03 // Execution
System Instruction Override
AI agent’s behavioral constraints bypassed. Attacker gains indirect control of tool-use capabilities
Agent now executes attacker-directed actions. System prompt integrity compromised. The agent believes it’s following legitimate instructions. No human-in-the-loop gate between prompt and action.
GAP // No runtime behavioral anomaly detection
▼
Phase 04 // Discovery
Internal Reconnaissance via Skill Chain
Compromised agent uses browser + GitHub skills to enumerate internal infrastructure and source code
Agent browses internal documentation, reads repositories for architecture details, identifies credentials in environment variables, maps orchestration workflow endpoints.
COVERED // Repository audit log + Falco runtime detection for unusual read patterns
▼
Phase 05 // Collection
Data Staging via Knowledge Base
Sensitive data aggregated into workspace pages for exfiltration staging
Agent creates new pages, copies credentials, infrastructure details, and PII from internal sources. Uses legitimate API. Looks like normal operations.
PARTIAL // API audit logged, no content classification on outbound data
▼
Phase 06 // Impact
SOAR Workflow Trigger
Agent triggers orchestration platform to execute unauthorized infrastructure actions
POST to master orchestrator webhook with valid format. 16 available service actions. Agent executes database queries, sends messages, modifies cloud infrastructure via API.
GAP // No human-in-the-loop approval for SOAR webhook triggers
▼
Phase 07 // Persistence
Backdoor via Code Push
Agent pushes modified workflow code to public repo, establishing persistent access independent of AI agent
Code management skill creates new branch, modifies CI/CD pipeline to include attacker payload, opens PR. If auto-merge enabled, backdoor persists even after AI agent is revoked.
COVERED // Branch protection + Gitleaks pre-commit + Cosign image signing
BLAST RADIUS:
16 service integrations compromised • Database access (PostgreSQL) • Cloud infrastructure (CDN, DNS) • Communication channels (messaging, email) • Code repositories • Knowledge bases
16 service integrations compromised • Database access (PostgreSQL) • Cloud infrastructure (CDN, DNS) • Communication channels (messaging, email) • Code repositories • Knowledge bases
Framework Coverage Matrix
How each framework maps to STRIDE threat categories
S
T
R
I
D
E
NIST 800-53
OWASP LLM
MITRE ATLAS
NIST AI RMF
ISO 42001
CIS Benchmark
Full Coverage
Partial
Not Applicable
Threat Modeling Deliverables
STRIDE Threat Model
29 threats • 14 services • 7 trust boundaries • AI extensions
View on GitHub →
Attack Tree // AI Pipeline
4 kill chains • MITRE ATLAS • OWASP LLM mapping
View on GitHub →
AI Threat Catalog
10 AI threats • 4 frameworks cross-referenced
View on GitHub →
Data Flow Diagram
30+ data flows • 7 trust boundaries • NIST SP 800-154
View on GitHub →
AI Supply Chain Risk Assessment
ML-BOM • Model provenance • Integrity verification
View on GitHub →
AI Red Team Plan
Adversarial testing • OWASP LLM Top 10 test cases
View on GitHub →
AI Incident Response Playbook
4 scenarios • Prompt injection • Excessive agency • Supply chain
View on GitHub →
Application Security // Assessments & Pipeline
Vulnerability research, secure SDLC, code review, and IAM governance. Click any card for full documentation.
CI/CD Security Pipeline
PR ▶ fmt ▶ validate ▶ TFLint ▶ Checkov ▶ plan ▶ OPA ✓ 7 gates
MERGE ▶ Gitleaks ▶ Trivy ▶ Semgrep ▶ Cosign ▶ SBOM ✓ 5 gates
VULNERABILITY ASSESSMENT
SOAR Credential Exposure
CVSS 8.1 HIGH
CWE-200
44 secrets exposed via process.env. Manual discovery. Remediated same day.
AC-6
OWASP A01
REMEDIATED
View on GitHub →
SECURE SDLC
CI/CD Security Pipeline
7 PR GATES
5 MERGE GATES
Gitleaks, Trivy, Semgrep, Checkov, OPA, Cosign, SBOM. 8 custom Rego policies.
SA-11
SA-15
CM-3
View on GitHub →
CODE REVIEW
Manual Security Assessment
1 HIGH
3 MEDIUM
1 LOW
5 findings from manual infrastructure code review. Logic flaws no scanner catches.
SA-11
CM-4
View on GitHub →
DAST METHODOLOGY
Dynamic Application Security Testing
OWASP ZAP
Testing Guide v4.2
Zero exposed ports. All traffic through Cloudflare Tunnel. Quarterly assessment cadence.
RA-5
CA-8
View on GitHub →
CLOUD IAM ASSESSMENT
Google Cloud IAM Governance
OAuth 2.0
7 APIs
Org Policy
Least-privilege IAM, credential lifecycle, cross-domain identity federation, org policy governance.
AC-2
AC-6
IA-2
View on GitHub →
OWASP TOP 10 (2025)
A01: Broken Access Control✓
A02: Security Misconfiguration✓
A03: Supply Chain Failures✓
A04: Insecure Design✓
A05: Injection✓
A06: Vulnerable Components✓
A07: Auth Failures✓
A08: Data Integrity Failures✓
A09: Logging & Alerting✓
A10: Exceptional Conditions✓
// AI Security & Governance
AI Security & Governance
Aligned to three frameworks: ISO 42001 · ISO 27701 · NIST AI RMF
AI Governance Policy aligned to three international frameworks, governing 3 deployed AI systems with documented risk profiles, prompt injection defenses, and behavioral monitoring.
Framework 1
ISO 42001
AI Management System
AI system inventory, risk classification, responsible AI principles, lifecycle management, human oversight requirements, and continuous monitoring controls.
View Policy on GitHub →
Framework 2
ISO 27701
Privacy Information Management
Data protection in AI pipelines, PII handling controls, consent management, data retention policies, privacy impact assessments for AI systems.
View Policy on GitHub →
Framework 3
NIST AI RMF
AI Risk Management Framework
Govern, Map, Measure, Manage functions applied to 3 deployed AI systems. Risk tiering, bias evaluation, performance monitoring, and incident response procedures.
View Policy on GitHub →
Deployed AI System Inventory
Ollama / Qwen 3 8B
Risk: LOW // Local inference
Self-hosted LLM. No data leaves server. Quantized for efficiency. Used for security analysis and automation tasks.
OpenClaw / Claude Opus 4.6
Risk: MEDIUM // External API
Authenticated gateway. Rate-limited. API key rotation enforced. Prompt injection defenses. Output validation layer.
Whisper STT
Risk: LOW // Local processing
On-premise voice transcription. Privacy-first: no audio leaves the server. No PII retention. Used for content workflows.
Key Controls: Prompt injection defense • Output validation • Behavioral monitoring • Data retention policies • Human oversight requirements
// Runtime Detection // Falco Custom Rule
falco-rules/n8n-outbound.yaml
PRODUCTION RULE
- rule: Unexpected outbound connection from n8n desc: Detects n8n container making connections to non-whitelisted IPs condition: > container.name = "svc-automation" and evt.type in (connect) and fd.typechar = "4" and not fd.rip in (rfc_1918_addresses) output: > Suspicious outbound connection from n8n (connection=%fd.name container=%container.name image=%container.image.repository) priority: WARNING tags: [network, n8n, lateral_movement]
Rule Breakdown
condition
Scopes the rule to the svc-automation container only. Prevents false positives from other services. Monitors connect() syscalls caught by Falco eBPF.
fd.typechar
Filters for IPv4 connections only ("4"). Combined with not fd.rip in rfc_1918_addresses. Any connection leaving the private network space triggers the alert.
output
Structured output captures connection tuple, container name, and image. Shipped through Falcosidekick to Datadog dashboards and Telegram alerts for real-time SOC visibility.
tags
Tagged lateral_movement. Aligns with MITRE ATT&CK T1571 (Non-Standard Port) and T1041 (Exfiltration Over C2). Enables automated correlation in Datadog SIEM.
Interactive // AI Deployment Decision Tree
Based on the AI Governance Policy (ISO 42001 • ISO 27701 • NIST AI RMF)
Does the AI system process, store, or have access to personal data (PII)?
// Governance, Risk & Compliance
GRC at a Glance
37 Documents
~20,000 lines of compliance documentation
NIST SP 800-53
MAPPED • 133 controls / 16 families
CIS Controls
MAPPED • Risk Register
ISO 42001 / 27701
MAPPED • AI Governance
NIST AI RMF
MAPPED • Risk Management
Self-assessed against NIST SP 800-53 Rev 5 Moderate baseline
▶ View GRC Library on GitHub →
Control Implementation Status
0%
Implementation Coverage
NIST 800-53 Coverage by Family
AC
Access Control
AU
Audit & Accountability
IA
Identification & Auth
IR
Incident Response
CM
Config Management
RA
Risk Assessment
SC
System & Comms
SI
System & Info Integrity
CA
Assessment & Authorization
CP
Contingency Planning
SA
System & Services Acq
PL
Planning
PE
Physical & Environmental
PS
Personnel Security
MP
Media Protection
MA
Maintenance
High (>80%)
Medium (40–80%)
Low (<40%)
Key Deliverables
System Security Plan (SSP)
NIST 800-53 • 133 controls • 16 families
View on GitHub →
POA&M + Risk Assessment
27 entries • 17 threats • MITRE ATT&CK mapped
View on GitHub →
10 Security Policies
Including AI Governance (ISO 42001 + 27701 + NIST AI RMF)
View on GitHub →
5 IR Playbooks + Tabletop Exercise
Compromised container, DDoS, leaked credential, unauthorized access, AI system compromise
View on GitHub →
8 OPA/Rego Policies
Infrastructure enforcement • CI pipeline • Pre-commit hooks
View on GitHub →
IR Playbook // Compromised Container
TRIGGER
Container anomaly detected by Falco
Falco eBPF detects syscall anomaly or unexpected outbound connection. Alert routed via Falcosidekick to Datadog and Telegram within seconds. Incident timer starts.
▼
DECISION
Is the container internet-facing?
Check Cloudflare Tunnel routing table and Docker network config. Internet-facing: any container with tunnel ingress or exposed port. Non-internet-facing: internal bridge network only.
▼
YES // Isolate
ACTION
Isolate immediately (network disconnect)
Docker network disconnect to cut external access. Block Cloudflare tunnel route. Preserve container state. Do NOT stop or remove. Log isolation timestamp for SLA tracking.
NO // Assess
ACTION
Assess blast radius
Review Docker network topology. Identify containers on same bridge network. Check shared volumes. Assess if internal service credentials are in scope. Correlate with Datadog alerts.
▼
FORENSICS
Capture snapshot + analyze Falco audit logs
Docker export for filesystem snapshot. Teleport session recordings capture any interactive access. Pull Falco audit trail from Datadog. Preserve evidence before remediation.
▼
REMEDIATION
Rebuild from clean image
Pull fresh image from registry. Redeploy via Docker Compose with clean volume mount. Rotate any secrets that may have been exposed (Vault credential rotation). Verify all services healthy.
▼
CLOSE
Update detection rules • Document lessons learned
Post-incident review within 48 hours. Update Falco rules to close detection gap. Document in POA&M. File entry in GRC risk register. Close incident ticket with RCA summary.
Click any node to expand details
// Connect
Contact
Current Status
OPEN TO OPPORTUNITIES
LOCATION
Atlanta, GA
Open to relocation
CLEARANCE
Eligible
Download Resume