Where I’ve been.
A quick walk through the jobs that got me here, working back from now to a Navy weather shop in San Diego.
Director, Application Security · Penguin Random House
- Run the AppSec program for PRH globally: roughly 400 apps across six regions, plus the strategy, governance, and vulnerability-management work that comes with that scale.
- Lead our AI security review. I look at new models and tools before they go anywhere near production, set RBAC, define guardrails, and help business teams figure out what's actually safe to plug an LLM into.
- Designed and rolled out our enterprise ASPM on Ox Security. SAST, SCA, IaC, container scans, pen-tests, and manual findings all land in one place with risk scoring and routing baked in.
- Built an AI-assisted security bot for protected-branch merge requests. It runs Snyk SAST and SCA, auto-approves the obvious low-risk stuff, blocks or escalates the rest, and writes the developer a plain-language explanation. Cut MR review wait time by about 80% without losing the four-eyes principle.
- Wrote the security playbook for vibe-coding so non-IT teams can actually build things without spawning shadow apps or compliance fires.
- Set the architecture for our internal MCP servers — auth/authz model, deployment pattern, the works — and validated it across Claude Code, GitHub Copilot, and ChatGPT Enterprise.
- Created our threat-modeling strategy and a custom threat-register MCP server. STRIDE-aligned sessions that used to take half a day now finish in under an hour.
Senior Manager, Application Security · Penguin Random House
- Built our application onboarding and security-by-design program in ServiceNow. Architecture review, threat modeling, risk assessments, code and CI/CD security, logging, pen-tests, and the pre-prod approval gate all live in one workflow.
- Ran STRIDE threat-modeling sessions with 20+ engineering teams and trained them to spot threats early instead of after the fact.
- Wrote a Python tool that automated the integration of new apps into our security stack. Visibility across the portfolio jumped about 60%.
Manager, Application Security · Penguin Random House
- Built an internal ASPM that pulled from 7+ sources, deduped findings, and opened tickets automatically. Hooked it up to OpenAI for prioritization and remediation hints. Triage time dropped about 80%, time-to-fix dropped about 30%.
- Ran technical security training for 135+ developers across the org.
Senior Application Security Engineer · Penguin Random House
- Brought in Snyk SAST and SCA. Library vulnerability counts dropped by 80%.
- Wrote a Python tool to inventory and scan 100+ WordPress sites and their plugins through WPScan, with the results piped into PowerBI. (This is the project that eventually became WordPresser.)
Application Security Engineer · The Aaron's Company, Inc.
- Wrote our cloud security standards for containerized apps so Docker and Kubernetes deployments stayed consistent.
- Built a Python tool that turned Checkmarx SAST/DAST findings into Slack alerts for 50+ apps, so engineers actually saw them.
Application Security Analyst · The Aaron's Company, Inc.
- Triaged 3,000+ findings from Checkmarx and WebInspect across C#, JavaScript, and .NET apps and APIs, working with 10 different engineering teams.
Senior Aviation Meteorologist · United States Navy
- Briefed Navy pilots around the world on aviation weather, in any timezone you can name.
BBA, Information Security & Assurance · Kennesaw State University
- Bachelor of Business Administration, with a major in Information Security and Assurance.