IT Systems & Security Engineer

15+ years of building, breaking, and fixing infrastructure that companies actually run on. When something fails at 2 AM and nobody knows whose problem it is, I’m usually the one who picks up the phone.

My work covers the whole stack: datacenter hardware, enterprise networking, identity and access management, cloud migrations, compliance. I don’t own one narrow slice. I’m the person you call when a ticket doesn’t belong to any single team.


What I do

Network security — Juniper (JunOS + Mist), Fortinet, Palo Alto, 802.1X NAC, Cisco Umbrella for DNS, east/west segmentation across multi-site environments.

Identity and access — Active Directory, Azure AD / Entra ID, SAML/SSO (SafeNet/Thales), PKI infrastructure, MFA, RADIUS. I’ve done full Okta rollouts as the sole identity provider.

Systems and cloud — Windows Server (2008–2022), Linux (Ubuntu/CentOS), VMware vSphere, Hyper-V, Microsoft 365, Azure networking, SCCM/MECM, Intune, Exchange Online migrations.

Automation — PowerShell modules, scripting between Juniper APIs and Windows environments, Jira-driven onboarding/offboarding, HR system integrations.

Compliance — CMMC/NIST implementation that scored near-perfect in an external audit, Carbon Black App Control, Rapid7 vulnerability management, Kolide for endpoint posture.


CMMC & Defense Compliance

Currently the primary network security engineer at Crane Aerospace & Electronics, a defense contractor with operations across the US, Europe, and Taiwan. Led the CMMC/NIST 800-171 implementation end-to-end — gap analysis, technical control deployment, policy documentation, and external audit preparation. Near-perfect score from external auditors.

Solutions deployed to meet CMMC requirements:

  • Juniper Mist NAC with 802.1X enforcement — device authentication and access control across wired and wireless
  • Carbon Black App Control in High Enforcement mode across all enterprise endpoints
  • Cisco Umbrella — DNS-layer security and threat intelligence, enterprise-wide deployment
  • PKI / AD Certificate Services — certificate-based authentication and full lifecycle management
  • RADIUS — authentication backend for wired and wireless policy enforcement
  • Rapid7 — vulnerability management, scanning, and compliance reporting
  • SOP and policy documentation — built the organization’s full documentation library from scratch

Where I’ve worked

Role                                     Company                         Dates
Network Security Engineer                Crane Aerospace & Electronics   Apr 2021 – Present
Network Systems Analyst                  Charlie’s Produce               Jan 2019 – Apr 2021
Service Desk Tech II / Sysadmin          NAES Corporation                Oct 2017 – Jan 2019
Infrastructure Consultant                Affirma Consulting              May 2016 – Oct 2017
Corporal (25N) – Nodal Network Operator  US Army                         May 2011 – May 2016

Before any of that, I was a US Army Corporal running mobile network operations centers for 3,000+ personnel in tactical environments. It’s where I learned that infrastructure either works or it doesn’t, and “close enough” isn’t an answer.


Outside of work

My homelab has been running for close to a decade. Proxmox clusters, TrueNAS, Kubernetes, Ansible, full Unifi networking — Linux everywhere. It’s where I try things I wouldn’t put near production.

Also a lifelong gamer. Started on the N64 with Pokemon and Starfox, ended up managing enterprise networks. Make of that what you will.

Check out my posts for project write-ups, or experience for the full work history.


Decommissioning on-premise Active Directory and going all the way to Okta as the sole identity provider is one of those projects that sounds clean in a meeting and gets complicated fast once you’re inside the actual environment.

The org had built everything on AD. Authentication, Group Policy, endpoint management, manual account provisioning. It worked well enough for a while. Then the company started growing and the cracks showed. Cloud apps were piling up. The workforce was increasingly distributed. Manual provisioning was eating time that nobody had. And defending an on-prem-anchored identity environment against threats that don’t care about your physical network perimeter gets harder the more distributed you become.

I inherited FortiNAC in a broken state. The engineer who set it up was no longer with the company, and from what I gathered, the chaos of that original deployment was a significant reason for their departure. What they left behind was a NAC system that technically functioned but created constant friction: inconsistent enforcement, poor compatibility with Juniper’s commit structure, and a wireless problem nobody could pin down.

That last one took the longest to crack.

Active Directory at Charlie’s Produce had nothing useful in it. No titles, no manager fields, no department information. There was a separate company directory that HR maintained by hand, and if something in AD actually needed updating, someone had to open a Help Desk ticket and wait. That was the system. It had worked that way for as long as anyone could remember.

I had searched that directory hundreds of times and never thought much about it. Then one day it was being slow, and I finally lost it. I was going to fix this, and I was going to fix it in a way where I would never have to think about it again.

There’s a detail that makes this project a little unusual: I had deployed Charlie’s Produce’s SCCM environment years earlier as a consultant at Affirma. Ozzy, who would eventually hire me full-time, was the person I had originally built it for. Two years after that engagement ended, he called and offered me the job.

So when I showed up and found the SCCM environment largely unchanged from when I’d left it, I wasn’t surprised. I knew exactly what I was working with. And I knew what it would take to push a Windows 10 migration through it for about 3,000 people across multiple sites.

NAES was acquiring companies in the energy services space when I joined. Each acquisition brought its own IT environment — separate AD forests, separate O365 tenants, whatever endpoint management the acquired company happened to be running. My job was to sort it out.

AD forest consolidations aren’t exciting work, but they’re the thing that everything else depends on. Identity has to work before anything else can be unified. If you skip it or half-do it, you end up with users carrying multiple accounts, shared resources that nobody can cleanly access, and security gaps across trust relationships that you can barely see, let alone audit. It’s the kind of debt that compounds.

Consulting at Affirma meant touching about 20 different client environments over 18 months. Some were in decent shape and just needed specific work done. Others hadn’t had anyone look at the fundamentals in years and needed triage before anything else.

The most interesting engagement was an internal penetration test against a client’s Active Directory environment. Old AD environments accumulate problems over time: stale accounts that never got removed, service accounts with more permissions than anyone remembers why, Kerberoastable SPNs sitting there waiting, NTLM relay opportunities that exist because the environment predates the mitigations. This one had all of it. The test surfaced issues across authentication protocols, privileged account management, and network segmentation.