Technology Consulting

Automate the tedious. Secure what matters.

I'm a systems and security engineer who automates the tedious and hardens what matters. For a major university I've built 90+ production automation scripts and a 600-function PowerShell library that run security and infrastructure operations across more than a dozen platforms — from privileged access and endpoint fleets to detection & response, virtual desktops, and certificate lifecycles. I bring that same playbook to teams and businesses that want to do more with far less manual effort.

Privileged Access & Identity

Least-privilege done right — privileged accounts, joiner/mover/leaver automation, and fast compromised-account response. CyberArk, BeyondTrust, Delinea, Active Directory, Entra ID, and Duo MFA.

Endpoint & Device Management

Fleet management that scales — Intune, JAMF, SCCM, and Autopilot across Windows, Mac, and Linux, with full enrollment, imaging, and app-deployment workflows.

Detection & Incident Response

Faster containment when it counts. CrowdStrike Falcon triage, host isolation, and IOC management, wired into automated remediation playbooks so response is push-button.

Microsoft 365 & Email Security

Exchange, Teams, and SharePoint administration plus email-threat response — phishing and forwarding-rule remediation, Proofpoint, and mailbox & data recovery at scale.

Infrastructure Automation

Replace manual toil with version-controlled automation — a 600-function PowerShell library, CI/CD pipelines, and ServiceNow-driven provisioning that runs from ticket to done.

Virtual Desktops & Server Lifecycle

End-to-end VMware Horizon VDI and server pipelines — provisioning, golden-image updates, and clean decommissioning, from vCenter to Active Directory.

Monitoring & Network Ops

See problems before users do. Zabbix and SolarWinds monitoring — including large switch-fleet migrations — plus automated DNS and DHCP across Windows and Linux.

Certificates & PKI

Automated certificate enrollment and renewal so nothing expires unexpectedly — Sectigo / InCommon, CSR to deployment, fully unattended.

Compliance, Audit & eDiscovery

Access reviews, permission audits, and audit-ready reporting — plus Microsoft Purview eDiscovery, legal hold, and retention support when it's needed.

Platforms I work across

Microsoft 365 · Entra ID · Intune · JAMF · SCCM · CrowdStrike Falcon · Duo · VMware Horizon · vCenter · ServiceNow · Ansible · Zabbix · SolarWinds · Red Hat Satellite · Sectigo / InCommon · Microsoft Graph · Purview · Proofpoint · F5 BIG-IP · PowerShell

Selected work

Some of what I've built — with the client-specific details left out:

Capability · patch automation

Patch Tuesday that runs itself

Every month Microsoft ships security patches on the second Tuesday — and every month, someone used to do the date math and babysit the rollout across hundreds of servers. I replaced that with a single script that works out the calendar on its own and cascades the patches through staged rings: a pilot group first, then progressively wider tiers a few days apart, each with its own maintenance window so nothing reboots at a bad time. It builds every deployment rule, server group, and schedule, opens a change ticket per tier, and pauses monitoring during each window so on-call doesn't get paged for planned reboots.

It's fully calendar-aware — no dates are ever hard-coded — so the same script just works in January as it does in December, across a thousand-plus-server estate, with zero manual scheduling.

PowerShell · Microsoft SCCM / ConfigMgr · Staged deployment rings · Maintenance windows · ServiceNow · Zabbix · Compliance reporting

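
The calendar logic described above, as an added example rather than the author's production script: it derives Patch Tuesday from the calendar for any month, rolls forward when this month's has already passed, and lays out staged rings with their own maintenance windows. The ring names, day offsets and window hours are constructed values, not any client's schedule.

```powershell
# Added example, not the author's production script: calendar-derived Patch Tuesday
# and staged deployment rings. Ring definitions below are constructed values.
function Get-PatchTuesday {
    param([int]$Year = (Get-Date).Year, [int]$Month = (Get-Date).Month)
    $first = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first Tuesday, then one more week to the second Tuesday.
    $toFirstTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($toFirstTuesday + 7)
}

function Get-NextPatchTuesday {
    # If this month's Patch Tuesday has passed, use next month's; AddMonths handles December to January.
    param([datetime]$From = (Get-Date))
    $pt = Get-PatchTuesday -Year $From.Year -Month $From.Month
    if ($From.Date -gt $pt) {
        $next = $From.Date.AddMonths(1)
        $pt = Get-PatchTuesday -Year $next.Year -Month $next.Month
    }
    return $pt
}

function New-PatchRingSchedule {
    param(
        [datetime]$PatchTuesday = (Get-NextPatchTuesday),
        # Per ring: days after Patch Tuesday it becomes available, local hour its window opens, window length.
        [hashtable[]]$Rings = @(
            @{ Name = 'Ring0-Pilot'; OffsetDays = 2;  StartHour = 20; WindowHours = 4 },
            @{ Name = 'Ring1-Dev';   OffsetDays = 5;  StartHour = 22; WindowHours = 4 },
            @{ Name = 'Ring2-Test';  OffsetDays = 9;  StartHour = 22; WindowHours = 4 },
            @{ Name = 'Ring3-Prod';  OffsetDays = 14; StartHour = 1;  WindowHours = 5 }
        )
    )
    foreach ($ring in $Rings) {
        $available   = $PatchTuesday.Date.AddDays($ring.OffsetDays)
        $windowStart = $available.AddHours($ring.StartHour)
        [pscustomobject]@{
            Ring        = $ring.Name
            Available   = $available                 # when the deployment is offered to the ring's collection
            WindowStart = $windowStart               # maintenance window: installs and reboots only inside it
            WindowEnd   = $windowStart.AddHours($ring.WindowHours)
            Deadline    = $windowStart               # enforce at window open so the reboot lands inside the window
        }
    }
}

# October 2024's Patch Tuesday is 2024-10-08; the pilot ring's window would open 2024-10-10 20:00.
New-PatchRingSchedule -PatchTuesday (Get-PatchTuesday -Year 2024 -Month 10) | Format-Table
```

The objects it emits are what a real script would feed into the deployment, collection, change-ticket and monitoring-pause steps; those integrations are deliberately left out here.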
Infrastructure automation · the hard kind

Building Linux servers from a Windows script

One PowerShell script stands up a complete Linux server end to end — clones it in VMware, sets its IP, hostname, and DNS, carves up and mounts its storage, installs its packages, enrolls it in configuration management and the patch catalog, and registers it with monitoring and ticketing. The catch: PowerShell doesn't speak Linux. So it drives the entire build by running bash inside the guest through the hypervisor's tools channel — partitioning with LVM, configuring the network, joining the domain, bootstrapping the Puppet agent, and registering with Red Hat Satellite, all from the outside in.

That cross-platform bridge is the genuinely hard part — escaping commands cleanly through three layers (PowerShell, to the guest channel, to bash), making sense of output that comes back without proper error streams, and handling every way a fresh Linux box can misbehave on first boot. The payoff: a server goes from bare template to fully configured and monitored in about thirty minutes, without anyone ever opening an SSH session.

PowerShell · Bash · VMware PowerCLI · Guest-ops execution · RHEL / LVM · Puppet · Red Hat Satellite · SolarWinds · ServiceNow

Security architecture · vendor integration

A 24/7 service desk that resets passwords — without ever holding a key

A third-party, AI-assisted help desk needed to verify callers and reset their passwords around the clock — but you can't hand an outside vendor the keys to your directory. So I built the backend as a set of locked-down automation jobs the vendor triggers through an automation platform's API: it submits the caller's answers, the job scores them, and only on a clean pass — after a rate-limit check that runs first, so guessing just burns the quota — does it perform the reset. It can step up to a push approval and flag anything that looks like fraud.

Here's what makes it safe: the vendor never touches a single credential. Every secret — directory, identity provider, MFA — lives in the platform's vault and is injected only at runtime, inside jobs the vendor can't see into. And the vendor can only launch the exact, vetted playbooks we've authorized — a fixed allowlist of named jobs. They can't run an arbitrary command, can't reach a diagnostic tool, can't invent their own action; anything sensitive is locked to internal staff at the platform's permission layer. The vendor passes structured inputs and gets structured results back — nothing more.

Ansible Automation Platform · RBAC allowlist · Vault-injected secrets · Zero credential exposure · Duo Verified Push · Microsoft Graph · ServiceNow · Rate-limited
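
The ordering that makes the reset backend safe, as an added example and not the author's production job: one entry point charges the caller's rate limit before a single answer is scored, compares only hashed answers, and runs nothing outside a fixed allowlist. The in-memory attempt store, the salt, the answer hashes and the job names are all constructed stand-ins for what the platform and identity records would supply.

```powershell
# Added example, not the author's production job. Store, salt and job names are constructed.
$script:AttemptLog  = @{}   # caller id -> timestamps of recent attempts (stand-in for the platform's store)
$script:AllowedJobs = @('Reset-UserPassword', 'Send-DuoVerifiedPush')

function Test-RateLimit {
    param([string]$CallerId, [int]$MaxAttempts = 5, [int]$WindowMinutes = 30, [datetime]$Now = (Get-Date))
    $cutoff = $Now.AddMinutes(-$WindowMinutes)
    $recent = @($script:AttemptLog[$CallerId] | Where-Object { $_ -gt $cutoff })
    $recent += $Now                       # charged unconditionally: a wrong guess costs the same as a right one
    $script:AttemptLog[$CallerId] = $recent
    return ($recent.Count -le $MaxAttempts)
}

function Get-AnswerHash {
    # Answers are normalized and salted before hashing so plaintext answers are never stored or compared.
    param([string]$Answer, [string]$Salt)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [Text.Encoding]::UTF8.GetBytes($Salt + $Answer.Trim().ToLowerInvariant())
    return [BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
}

function Test-CallerAnswers {
    param([hashtable]$Submitted, [hashtable]$Expected, [string]$Salt, [int]$RequiredMatches = 3)
    $hits = 0
    foreach ($question in $Expected.Keys) {
        if ($Submitted.ContainsKey($question) -and
            (Get-AnswerHash -Answer $Submitted[$question] -Salt $Salt) -eq $Expected[$question]) { $hits++ }
    }
    return ($hits -ge $RequiredMatches)
}

function Invoke-VendorJob {
    # The vendor supplies structured inputs and gets a structured result; nothing else is exposed.
    param([string]$CallerId, [string]$Job, [hashtable]$Submitted, [hashtable]$Expected, [string]$Salt)
    if ($Job -notin $script:AllowedJobs)           { return @{ Result = 'denied'; Reason = 'job not on allowlist' } }
    if (-not (Test-RateLimit -CallerId $CallerId)) { return @{ Result = 'denied'; Reason = 'rate limited' } }
    if (-not (Test-CallerAnswers -Submitted $Submitted -Expected $Expected -Salt $Salt)) {
        return @{ Result = 'denied'; Reason = 'verification failed' }
    }
    # Only at this point would the job use its vault-injected directory credential; the vendor never sees it.
    return @{ Result = 'approved'; Job = $Job }
}
```

Because the quota is charged before scoring, a caller who exhausts it gets 'rate limited' whether or not their later answers are right, which is what turns guessing into a dead end.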

Automation my fellow engineers actually use

A sampling of the internal tools I've built to take the tedium out of security and infrastructure work — specifics genericized:

One-command compromised-account response

When an account is compromised, a single command runs the whole playbook — disable the account and reset the password, revoke active sessions, hunt down and remove malicious mail-forwarding rules, audit MFA and sign-in history for lateral movement, open the ticket, and (if needed) isolate the endpoint and block the attacker's IP. What was 20–30 minutes of frantic clicking across eight systems is now near-instant and fully logged.

PowerShell 7 · Ansible SOAR · Active Directory · Microsoft 365 · Duo · Microsoft Graph · Purview · CrowdStrike · Palo Alto

Certificates that manage themselves, fleet-wide

Hundreds of certificates across Apache, Nginx, Tomcat, IIS, and F5 load balancers — issued, deployed, and renewed automatically, with a nightly reconciliation that checks what the authority issued against what's actually live on each server and flags any drift before it becomes a 2 a.m. outage.

Ansible · ACME / Sectigo · Certbot · PowerShell · Apache · Nginx · Tomcat · IIS · F5 BIG-IP · ServiceNow

Virtual desktop pools, built from a ticket

A request comes in through the ticketing system and the automation carries it end to end: it clones and sizes the golden image, creates the directory accounts and security groups, joins the domain, installs and patches the remote-desktop agent, optimizes and snapshots the image, then stands up the Horizon desktop pool and wires in its access — a live pool users can log into. Hours of manual vCenter, AD, and Horizon clicking become one guided, repeatable run.

PowerShell · ServiceNow · VMware vCenter · VMware Horizon · Active Directory

Offboarding in one click

When someone leaves, one action shuts the door everywhere — disables the account, revokes every active session, removes their MFA devices, hands off their mailbox and files, and closes the ticket. It's even smart enough to pause if they're mid-call, so it never cuts someone off in the middle of a meeting.

Ansible · Active Directory · Microsoft 365 · Microsoft Graph · Duo · CrowdStrike · ServiceNow

A fleet-wide fix for the 2024 CrowdStrike outage

When the 2024 CrowdStrike update crashed Windows machines worldwide, I built a bootable USB recovery tool that fixed them automatically — detecting whether the drive was encrypted, booting safely, clearing the bad driver, and walking non-technical staff through their own recovery. It was rolled out across the organization on dozens of USB sticks.

Bootable recovery image · BitLocker-aware · Self-service · Windows · Fleet-wide

Guided onboarding for a new Mac or PC

I wrote the enrollment tooling a new hire runs on their own machine — a simple guided setup where they confirm who they are and pick their department, and the script handles the rest: creating their account, installing the right software for their role, turning on disk encryption, and tagging the device to the correct team for inventory. It turns a tech's hour of manual imaging into a few taps the employee makes themselves.

JAMF · DEPNotify · Intune · Autopilot · SCCM · FileVault / BitLocker

Network changes that document themselves

Every DNS and DHCP change runs through tooling that does the paperwork for you — it opens the change ticket, makes the edit across the DNS and DHCP servers, verifies the result with a live lookup, then writes the outcome back and closes the ticket. Built-in checks catch conflicts and validate that an address actually fits its subnet, so a bad entry never lands. It scales to the big jobs, too: a network switch migration's worth of DNS records — hundreds at a time — driven straight from a spreadsheet, each one its own tracked, pre-approved change.

PowerShell · Windows DNS · DHCP · ServiceNow · Active Directory

Copy one person's access to another, safely

Onboarding a new hire or covering a role change used to mean hand-comparing two people's permissions and clicking through Active Directory one group at a time. I built a toolkit that exports anyone's access to a file, compares it against a coworker's, and copies over exactly what's missing — one person to another, or a whole spreadsheet of people at once — with an approve-each-group option and a full log of every change. A careful hour of work becomes a minute, and nothing slips through or gets over-granted.

PowerShell · Active Directory · Group membership · Bulk CSV · Audit logging