Portfolio: Platform, Security & AI

Portfolio & Projects

Portfolio

I design and ship enterprise cloud platforms that stay secure, reliable and cost-efficient — from architecture review to production operations.

Google CloudAmbassador
GCP Professional Certified
25Reference Architectures
3Clouds — AWS · Azure · GCP

Enterprise-grade cloud, security and AI delivery — trusted from architecture to production.

Designed & delivered on
Google CloudAWSAzureKubernetesTerraform
Cloud Architecture & Reliability
Design and reviews for scalable, multi-region, high-availability systems.
DevSecOps & Cloud Security
Security baked into every pipeline: threat-aware CI/CD, IAM, secrets, policy-as-code and audit-ready SBOMs.
LLM/AI in Production
RAG, chatbots, guardrails, observability, SLOs — from PoC to reliable ops.
FinOps Optimization
Practical cost control for GPU/CPU, storage, egress and environments.
Legacy-to-Cloud Migration
Risk-controlled re-platforming to GCP/AWS/Azure with IaC and zero-downtime cutover.
Compliance by Design
AI Act / GDPR / ISO readiness built into architecture and processes.

Pick a focus — it pre-fills the contact form.

Selective engagements · DACH & remote · limited availability

Reference Architectures

Architectural Designs

I architect and deliver enterprise-grade platforms across AWS, Azure and Google Cloud — scalable across regions, zero-trust secured, observable and cost-optimized. Each diagram below is a real-world reference architecture: landing zones and governance, resilient networking, secure CI/CD, event-driven systems, data platforms and applied AI. Filter by cloud, open any design and zoom in to explore the details.

The collection spans GKE and Kubernetes networking, Cloud Armor WAF, VPC Service Controls, landing zones, disaster-recovery patterns such as pilot light and warm standby, event-driven pipelines and multi-region failover on Google Cloud, AWS and Azure.

25 reference architectures

Click any diagram to open the viewer and zoom in.

Cloud Armor WAF for Kubernetes (GKE)

Layer-7 protection for GKE via External HTTP(S) Load Balancer: OWASP WAF rules, rate limiting and geo/IP allow-deny, with Cloud Logging and Terraform IaC.

Google CloudCloud ArmorWAFGKEHTTP(S) LBDevSecOps

Multi-Region GKE Cluster with GitOps & Fleet

Highly available GKE across multiple regions, managed with Google Fleet. Config Sync from Git keeps deployments consistent with multi-region failover.

Google CloudGKEMulti-RegionFleetGitOpsConfig Sync

Cross-Regional Internal Load Balancer for GKE

Round-robin load balancing across GKE clusters in different regions via Cross-Regional ILB. NEG-based, highly available, low-latency internal access.

Google CloudGKEInternal Load BalancerCross-RegionalNEGFleet

Backup and Restore

Multi-region backups with S3 Cross-Region Replication, Aurora Global Database and EBS snapshots — data integrity, HA and DR for critical workloads.

AWSS3AuroraEBSDisaster Recovery
Selected Engagements

Delivered Solutions

A focused selection of engagements across cloud, security and applied AI — from production platforms to proofs of concept and advisory — each taken from architecture to a clear, measurable outcome.

ProductionEnterprise · regulated EUFinOps Cost Optimization

FinOps Cost Optimization

Led a cross-cloud cost review across GCP, AWS and Azure — rightsizing, autoscaling and storage strategy — delivering double-digit savings with SLOs and performance fully intact.

FinOpsGCP · AWS · AzureAutoscalingCost Governance
ProductionEnterprise · regulated EUIntelligent Search with Vertex AI Search

Intelligent Search & Grounded RAG

Designed grounded enterprise search on Vertex AI — secure connectors, relevance tuning and full observability — with PII controls that keep every answer compliant and trustworthy.

Vertex AI SearchRAGGroundingRelevanceBigQueryPII
PoCEnterprise · regulated EUAI Contact Center with Agentspace

AI Contact Center (Voice & Chat)

Built an AI voice & chat platform on Agentspace — smart routing, agent assist and conversation analytics, integrated with telephony and CRM and GDPR / AI Act compliant by design.

AgentspaceVoiceChatAgent AssistCRMTelephony
ProductionEnterprise · regulated EUDevSecOps Hardening & Supply Chain

DevSecOps Hardening & Supply Chain

Hardened the pipeline with threat-aware CI/CD — SAST / DAST, SBOM, image signing and policy-as-code — cutting critical findings and delivering an audit-ready supply chain.

DevSecOpsSBOMPolicy as CodeSupply ChainCI/CD
AdvisoryEnterprise · regulated EUAI Compliance Readiness

AI Compliance Readiness

Ran a EU AI Act & GDPR gap analysis — data mapping, DPIA templates, model inventory and logging controls — and prepared audit-ready artefacts for internal and external reviews.

EU AI ActGDPRDPIAGovernanceAudit
ProductionEnterprise · regulated EULLM Guardrails & Evaluation

LLM Guardrails & Evaluation

Shipped LLM guardrails & automated evals — toxicity, hallucination and jailbreak coverage — with production dashboards that turn safety into measurable, continuous quality.

LLMGuardrailsEvalsObservabilitySafety
Also delivered
  • RAG data pipelines
  • GitLab CI/CD & ArgoCD
  • Helm & Kubernetes
  • Centralized log analytics
  • ETL & data platforms
  • ServiceNow / ITSM
Shipped & Published

Products & Open Source

Software I have designed, built and shipped end-to-end — from open-source packages live on public registries to private production services. Post-quantum security, risk analytics, protocol research, cloud automation and developer tooling.

ClawSec
Encrypted Networking2025

ClawSec

A full encrypted-networking toolkit — AES-256-GCM with a post-quantum hybrid key exchange (ML-KEM-768), TUN VPN, TLS 1.3 camouflage and anti-censorship transport. Shipped to Docker Hub, AUR and GHCR.

CC++OpenSSLPost-QuantumVPNDocker
Human Risk Graph
Risk Analytics2026

Human Risk Graph

A quantitative model that gives leadership measurable visibility into key-person dependency, decision bottlenecks and human control-bypass risk — Bus Factor, Decision Concentration and Bypass Risk in one product. Published to PyPI with a citable DOI.

PythonNetworkXRisk ModelingCLIResearch
Open-IPv8-Lab
Protocol Lab2026

Open-IPv8-Lab

A pure-Python toolkit implementing the experimental IPv8 protocol (draft-thain-ipv8-02) — 58 modules, 35 CLI commands and 1 827 tests spanning address parsing, packet construction, routing simulation and companion protocols. On PyPI with a DOI and full docs.

PythonNetworkingProtocol ResearchSimulationDocker
Dev Env Diff & Flight Recorder
Developer Tooling2026

Dev Env Diff & Flight Recorder

A VS Code extension that kills "works on my machine" — one-click snapshot of runtimes, Docker, ports, env vars and git state, diffed against a teammate's and turned into a Markdown fix report with ready-to-run commands. 100% local, no telemetry.

TypeScriptVS Code ExtensionDevOpsGitDocker
Prompt Seal
AI Prompt Security2026

Prompt Seal

A Chrome & Safari extension that keeps secrets out of AI prompts — it scans messages before they reach ChatGPT, Claude or Gemini using 110+ regex patterns plus Shannon-entropy analysis, then redacts or blocks API keys, tokens and PII. 100% local, zero telemetry.

JavaScriptChrome ExtensionSafari ExtensionSecurityPrivacy
Worta
Language Learning2026

Worta

A Chrome extension that turns everyday browsing into language learning — instant translation across 39 languages, a personal vocabulary and Leitner spaced-repetition flashcards with TTS and a side-panel mode. 100% local storage, no accounts, no tracking.

JavaScriptChrome ExtensionSpaced Repetitioni18nTTS
Certificate Reconciler
Certificate Automation2026

Certificate Reconciler

A Python service running serverless on Cloud Run that continuously reconciles TLS certificate state — detecting drift and upcoming expiry across environments and driving renewals automatically, so nothing silently lapses in production.

PythonCloud RunGoogle CloudTLSAutomation
Private production service
App Checker
Uptime Monitoring2026

App Checker

A lightweight Go service that probes applications and reports whether they are live — fast, dependency-free health checks with clear up/down signalling, built to slot into any deployment as a self-contained reliability watchdog.

GoHealth ChecksMonitoringReliabilityBackend
Private production service