Cloud Armor WAF for Kubernetes (GKE)
Layer-7 protection for GKE via External HTTP(S) Load Balancer: OWASP WAF rules, rate limiting and geo/IP allow-deny, with Cloud Logging and Terraform IaC.
I design and ship enterprise cloud platforms that stay secure, reliable and cost-efficient — from architecture review to production operations.
Enterprise-grade cloud, security and AI delivery — trusted from architecture to production.
Pick a focus — it pre-fills the contact form.
Selective engagements · DACH & remote · limited availability
I architect and deliver enterprise-grade platforms across AWS, Azure and Google Cloud — scalable across regions, zero-trust secured, observable and cost-optimized. Each diagram below is a real-world reference architecture: landing zones and governance, resilient networking, secure CI/CD, event-driven systems, data platforms and applied AI. Filter by cloud, open any design and zoom in to explore the details.
The collection spans GKE and Kubernetes networking, Cloud Armor WAF, VPC Service Controls, landing zones, disaster-recovery patterns such as pilot light and warm standby, event-driven pipelines and multi-region failover on Google Cloud, AWS and Azure.
Click any diagram to open the viewer and zoom in.
Layer-7 protection for GKE via External HTTP(S) Load Balancer: OWASP WAF rules, rate limiting and geo/IP allow-deny, with Cloud Logging and Terraform IaC.
Highly available GKE across multiple regions, managed with Google Fleet. Config Sync from Git keeps deployments consistent with multi-region failover.
Round-robin load balancing across GKE clusters in different regions via Cross-Regional ILB. NEG-based, highly available, low-latency internal access.
Multi-region backups with S3 Cross-Region Replication, Aurora Global Database and EBS snapshots — data integrity, HA and DR for critical workloads.
A focused selection of engagements across cloud, security and applied AI — from production platforms to proofs of concept and advisory — each taken from architecture to a clear, measurable outcome.

Led a cross-cloud cost review across GCP, AWS and Azure — rightsizing, autoscaling and storage strategy — delivering double-digit savings with SLOs and performance fully intact.

Designed grounded enterprise search on Vertex AI — secure connectors, relevance tuning and full observability — with PII controls that keep every answer compliant and trustworthy.

Built an AI voice & chat platform on Agentspace — smart routing, agent assist and conversation analytics, integrated with telephony and CRM and GDPR / AI Act compliant by design.

Hardened the pipeline with threat-aware CI/CD — SAST / DAST, SBOM, image signing and policy-as-code — cutting critical findings and delivering an audit-ready supply chain.

Ran a EU AI Act & GDPR gap analysis — data mapping, DPIA templates, model inventory and logging controls — and prepared audit-ready artefacts for internal and external reviews.

Shipped LLM guardrails & automated evals — toxicity, hallucination and jailbreak coverage — with production dashboards that turn safety into measurable, continuous quality.
Software I have designed, built and shipped end-to-end — from open-source packages live on public registries to private production services. Post-quantum security, risk analytics, protocol research, cloud automation and developer tooling.

A full encrypted-networking toolkit — AES-256-GCM with a post-quantum hybrid key exchange (ML-KEM-768), TUN VPN, TLS 1.3 camouflage and anti-censorship transport. Shipped to Docker Hub, AUR and GHCR.

A quantitative model that gives leadership measurable visibility into key-person dependency, decision bottlenecks and human control-bypass risk — Bus Factor, Decision Concentration and Bypass Risk in one product. Published to PyPI with a citable DOI.

A pure-Python toolkit implementing the experimental IPv8 protocol (draft-thain-ipv8-02) — 58 modules, 35 CLI commands and 1 827 tests spanning address parsing, packet construction, routing simulation and companion protocols. On PyPI with a DOI and full docs.

A VS Code extension that kills "works on my machine" — one-click snapshot of runtimes, Docker, ports, env vars and git state, diffed against a teammate's and turned into a Markdown fix report with ready-to-run commands. 100% local, no telemetry.

A Chrome & Safari extension that keeps secrets out of AI prompts — it scans messages before they reach ChatGPT, Claude or Gemini using 110+ regex patterns plus Shannon-entropy analysis, then redacts or blocks API keys, tokens and PII. 100% local, zero telemetry.

A Chrome extension that turns everyday browsing into language learning — instant translation across 39 languages, a personal vocabulary and Leitner spaced-repetition flashcards with TTS and a side-panel mode. 100% local storage, no accounts, no tracking.

A Python service running serverless on Cloud Run that continuously reconciles TLS certificate state — detecting drift and upcoming expiry across environments and driving renewals automatically, so nothing silently lapses in production.

A lightweight Go service that probes applications and reports whether they are live — fast, dependency-free health checks with clear up/down signalling, built to slot into any deployment as a self-contained reliability watchdog.