Updated on 05.02.2026
Profile
Freelancer / Self-employed
Remote work
Available from: 05.02.2026
Availability: 100%
of which on site: 100%
IT-Security
Spanish: mother tongue
English: C1
German: B2.2

Work locations

Germany
possible

Projects

3 years 10 months
2022-01 - 2025-10

Engineered and implemented a production-grade Zero Trust control plane

Senior Security Engineer
Capgemini, Berlin, Germany
  • Engineered and implemented a production-grade Zero Trust control plane for ruggedized military-grade maritime container mini data rooms built on VMware and Tanzu, supporting containerised GIS (Geographic Information System) workloads for ground troops. The implementation specifically addressed adversarial electronic warfare conditions (jamming, interception, signal manipulation): workloads, identity, and system segments were built to keep functioning securely and independently even under degraded or disrupted connectivity, ensuring mission continuity and resilient, secure situational awareness in battlefield environments.
  • Served as lead OT security engineer and technical subject matter expert, translating conceptual OT security strategies from IEC 62443, the Purdue Model, and NIST into concrete, operational technical controls. Applied these controls across diverse industrial environments including oil & gas, onboard vehicle systems, railway, power plants, pharma, gas turbines, and nuclear facilities.
  • Coordinated directly with electrical and mechanical engineering team leads to conduct technical asset discovery and identify KBP-critical systems. Subsequently engineered and applied network ringfencing and segmentation policies to logically isolate SCADA, PLC, and HMI assets from corporate IT and from lateral movement by an intruder.
  • Worked hands-on with security, IT, and OT teams to build standardized technical workflows, runbooks, and detection use cases for the OT security solutions catalogue. Drove the practical adoption of defence-in-depth and Zero Trust principles in operational technology environments, enabling multidisciplinary teams to operate under a unified security blueprint.
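The ringfencing and segmentation policy described in the entry above can be expressed as a zone-and-conduit model: each asset belongs to a Purdue-style zone, and only traffic explicitly permitted by a directional conduit may cross a zone boundary. The following script is an added illustration of that check, not code from the profile author or any of the named employers. The zone prefixes, the conduit table and the flow records are all constructed; a real deployment would load zones from the asset inventory and flows from a firewall or passive OT sensor export.

```python
"""Zone-and-conduit check over ICS flow records.

Added illustration of a ringfencing policy check; not the profile author's code.
Assets are mapped to Purdue-style zones by address, and only traffic explicitly
permitted by a conduit may cross a zone boundary. Zone prefixes, conduits and
flow records below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone prefixes keyed by Purdue level.
ZONES = {
    "L1_PLC": ip_network("10.10.1.0/24"),
    "L2_HMI_SCADA": ip_network("10.10.2.0/24"),
    "L3_OPS": ip_network("10.10.3.0/24"),
    "L35_DMZ": ip_network("10.10.35.0/24"),
    "L4_CORP_IT": ip_network("10.20.0.0/16"),
}


@dataclass(frozen=True)
class Conduit:
    """A directional allow rule between two zones for one service."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Explicit conduits. Anything crossing zones that is not listed here is denied.
CONDUITS = {
    Conduit("L2_HMI_SCADA", "L1_PLC", "tcp", 502),      # HMI/SCADA polls PLCs over Modbus/TCP
    Conduit("L3_OPS", "L2_HMI_SCADA", "tcp", 4840),     # historian pulls OPC UA from level 2
    Conduit("L4_CORP_IT", "L35_DMZ", "tcp", 443),       # corporate IT reaches the DMZ only
    Conduit("L35_DMZ", "L3_OPS", "tcp", 443),           # DMZ relays to operations, never deeper
}


@dataclass(frozen=True)
class Violation:
    src: str
    dst: str
    proto: str
    dport: int
    src_zone: str
    dst_zone: str
    reason: str


def zone_of(addr: str) -> str:
    """Return the zone name for an address, or UNKNOWN for anything not inventoried."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def check_flows(flows):
    """flows: iterable of (src, dst, proto, dport). Returns violations in input order."""
    violations = []
    for src, dst, proto, dport in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is host-policy territory, not a conduit question
        if "UNKNOWN" in (src_zone, dst_zone):
            # An unclassified endpoint talking across zones is an inventory gap first,
            # and possibly a rogue device second; it must never be silently allowed.
            violations.append(Violation(src, dst, proto, dport, src_zone, dst_zone,
                                        "unclassified asset: inventory gap"))
            continue
        if Conduit(src_zone, dst_zone, proto.lower(), int(dport)) not in CONDUITS:
            violations.append(Violation(src, dst, proto, dport, src_zone, dst_zone, "no conduit"))
    return violations


# Constructed flow records, in the shape a firewall or passive OT sensor would export.
SAMPLE_FLOWS = [
    ("10.10.2.15", "10.10.1.7", "tcp", 502),     # HMI polling a PLC: permitted
    ("10.20.4.9", "10.10.1.7", "tcp", 502),      # corporate workstation straight to a PLC: violation
    ("10.20.4.9", "10.10.35.10", "tcp", 443),    # corporate to DMZ: permitted
    ("10.10.3.2", "10.10.2.15", "tcp", 4840),    # historian reading OPC UA: permitted
    ("10.10.2.15", "10.10.1.7", "tcp", 44818),   # EtherNet/IP from the HMI: no conduit for it
    ("192.168.9.9", "10.10.1.7", "udp", 161),    # SNMP from an address nobody inventoried
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"{v.src_zone:>12} -> {v.dst_zone:<12} {v.proto}/{v.dport:<6} "
              f"{v.src} -> {v.dst}: {v.reason}")
```

Conduits are deliberately directional: a PLC opening a Modbus session towards the HMI zone is flagged even though the reverse direction is permitted, which is the pattern a compromised field device would produce. Running the check over historical flow exports before enforcing the policy is the practical way to discover conduits the engineering teams forgot to declare.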
2 years 6 months
2019-08 - 2022-01

Executed the technical migration from legacy VPN to SASE

Lead Security Engineer
Sopra Steria, Switzerland
  • Executed the technical migration from legacy virtual private network (VPN) solutions to a modern Secure Access Service Edge (SASE) platform, building the technical onboarding and lifecycle procedures for Zero Trust Network Access (ZTNA) for the operating teams and establishing new patterns for secure remote access.
  • Implemented micro-segmentation and Software-Defined Perimeter (SDP) solutions from two separate providers and integrated them into the existing network fabric. Worked with cross-platform telemetry, threat intelligence, and risk signals, and integrated software-defined networking (SDN) with Zero Trust principles to secure internal workloads.
  • Built security automation and orchestration workflows by developing custom API integrations. Implemented complex scenarios including split-brain policy enforcement point (PEP) logic and integrated these policy enforcement components directly into the Security Orchestration, Automation, and Response (SOAR) platform to automate threat response.
  • Drove automation and orchestration across the threat landscape, connecting threat intelligence, vulnerability management, and detection and response functions. Used the MITRE ATT&CK framework extensively with the AttackIQ simulation solution to continuously validate security controls, map attacker TTPs, and improve defensive posture.
  • Operated and tuned the security monitoring infrastructure, monitoring and analyzing alerts from the Microsoft Security Central SIEM to identify and remediate security issues. Investigated security events and incidents, proactively tuning SIEM rules and correlation thresholds to significantly improve alert fidelity and reduce false positives.
  • Applied digital forensics methodologies according to ISO 27035 for security incidents, providing detailed root cause analysis (RCA) reports that directly led to the closure of systemic security gaps.
3 years 11 months
2015-09 - 2019-07

Engineered and systematically hardened security controls

Senior Security Engineer
Fujitsu, Hamburg, Germany
  • Engineered and systematically hardened security controls across hybrid on-premises and cloud environments.
  • Used OpenSCAP, Lynis, and Tripwire to enforce stringent hardening baselines, centralized logging, and privilege control. Applied DISA STIGs and SRGs via automated SCAP audits to keep platforms aligned with the required security baselines.
  • Built and operationalized a robust DevSecOps pipeline by integrating Docker-based web application firewalls, Twistlock for runtime application self-protection (RASP), and the Wazuh security monitoring platform with Ansible automation. This embedded automated security checks, vulnerability scanning, and log collection directly into the application deployment pipelines.
  • Implemented data-centric security solutions for cloud storage systems, including encryption, tokenisation, data masking, and data lifecycle controls. Executed the migration from legacy on-premises proxy gateways to cloud-based Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) services for enhanced data protection.
  • Implemented, configured, and continuously tuned a wide array of network and perimeter security tools including Tufin for security policy management, F5 Application Security Manager (ASM), Barracuda Web Application Firewalls, IBM Guardium for database activity monitoring, and Imperva Web Application Firewalls. Spearheaded the replacement of legacy perimeter setups with modern F5 load balancers, application security modules, and layer-3 firewalls, improving both performance and security control over inbound and outbound traffic.
  • Engineered and operated advanced identity and access controls by implementing Authentication, Authorization, and Accounting (AAA) and Privileged Identity Management (PIM) using Cisco Identity Services Engine (ISE) and CyberArk in complex wired and wireless enterprise environments. Deployed Network Access Control (NAC) agent checks to enforce pre-admission compliance policies for antivirus and Endpoint Detection and Response (EDR) status.
  • Conducted offensive security exercises including deep-dive penetration testing of web applications and network infrastructure, open-source intelligence (OSINT) based fraud simulations, evasion testing against web application firewalls, and full-scope red team style assessments encompassing physical and infrastructure testing.
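The automated SCAP audits against DISA STIG baselines mentioned in the entry above produce XCCDF result files; the useful part of the work is turning those into a pass/fail decision that does not silently wave through rules the scanner could not evaluate. The script below is an added illustration of that triage step and is not the profile author's code. The XML is a constructed, minimal XCCDF 1.2 result: real `oscap xccdf eval --results` output nests Rule elements under Group elements and carries far more metadata, which the parser tolerates by walking the tree with `iter()`. Rule identifiers imitate SCAP Security Guide naming, and the results are invented.

```python
"""Triage of an OpenSCAP/XCCDF result file against a STIG-style severity gate.

Added illustration, not the profile author's code. SAMPLE_XCCDF is a constructed,
minimal XCCDF 1.2 result document; the rule identifiers and results are invented.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# XCCDF severities as DISA STIG benchmarks use them; CAT I is the most severe.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0, "unknown": 0}
STIG_CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Rule id="xccdf_example_rule_sshd_disable_root_login" severity="high">
    <title>Disable SSH root login</title>
  </Rule>
  <Rule id="xccdf_example_rule_accounts_password_minlen" severity="medium">
    <title>Set password minimum length</title>
  </Rule>
  <Rule id="xccdf_example_rule_file_permissions_etc_shadow" severity="medium">
    <title>Verify permissions on /etc/shadow</title>
  </Rule>
  <Rule id="xccdf_example_rule_package_telnet_removed" severity="high">
    <title>Remove the telnet package</title>
  </Rule>
  <Rule id="xccdf_example_rule_audit_rules_login_events" severity="medium">
    <title>Record attempts to alter logon and logout events</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_stig">
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_accounts_password_minlen"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_file_permissions_etc_shadow"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_package_telnet_removed"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_rules_login_events"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Join each rule-result with its Rule's severity and title. Returns a list of dicts."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        title = rule.find("x:title", NS)
        rules[rule.get("id")] = (
            rule.get("severity", "unknown").lower(),
            title.text.strip() if title is not None and title.text else rule.get("id"),
        )
    findings = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.find("x:result", NS)
        severity, title = rules.get(rr.get("idref"), ("unknown", rr.get("idref")))
        findings.append({
            "rule": rr.get("idref"),
            "title": title,
            "severity": severity,
            "category": STIG_CATEGORY.get(severity, "n/a"),
            "result": result.text.strip().lower() if result is not None and result.text else "unknown",
        })
    return findings


def summarize(findings):
    """Count results by outcome (pass, fail, notapplicable, notchecked, error, ...)."""
    return Counter(f["result"] for f in findings)


def gate(findings, block_at="medium"):
    """Decide whether a host may ship. A 'fail' at or above block_at blocks; rules the
    scanner could not evaluate are reported separately so they are never counted as passes."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings
                if f["result"] == "fail" and SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    unverified = [f for f in findings if f["result"] in ("error", "unknown", "notchecked")]
    return {"ok": not blocking, "blocking": blocking, "unverified": unverified}


if __name__ == "__main__":
    findings = parse_results(SAMPLE_XCCDF)
    print(dict(summarize(findings)))
    verdict = gate(findings, block_at="medium")
    for f in verdict["blocking"]:
        print(f"BLOCK {f['category']:<7} {f['title']}  ({f['rule']})")
    for f in verdict["unverified"]:
        print(f"CHECK {f['result']:<12} {f['title']}")
    print("gate:", "PASS" if verdict["ok"] else "FAIL")
```

The `notchecked` and `error` outcomes are the ones that cause trouble in practice: a scan run without the right privileges or with a missing OVAL definition reports them instead of `fail`, and a gate that only looks at `fail` counts will pass a host it never actually checked.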
5 years 5 months
2010-04 - 2015-08

Built a Security Operations Center (SOC)

Senior Security / Network Engineer
Computerfutures, Offenbach, Germany
  • Built a Security Operations Center (SOC) from the ground up, including the technical recruitment and mentoring of staff and the development of runbooks, incident response procedures, and SIEM capabilities.
  • Engineered the implementation of Zero Trust and micro-segmentation within the data centre using VMware NSX-T and managed firewall policies via Palo Alto Panorama. Developed and implemented advanced Splunk correlation rules and searches to support business impact analysis-driven security use cases.
  • Developed and enforced enterprise cloud security standards for AWS and Microsoft Azure, covering identity and access management (IAM), encryption key management, and network security groups. Implemented and configured security policies for Office 365, cloud access security broker (CASB) integrations, and data exfiltration prevention controls.
  • Engineered critical network security infrastructure for high-scale environments, including the implementation of a web application firewall in transparent mode with kernel reverse proxy for a major financial institution.
  • Deployed and configured an Imperva firewall solution for enterprise collaboration platforms to prevent data exfiltration and manage granular document-sharing approvals at scale.
  • Performed comprehensive vulnerability management using tools including Nessus, Rapid7 Nexpose, AppDetective, Cenzic Hailstorm, WebInspect, Metasploit, and Acunetix. Used findings to drive system hardening and configuration changes. Managed the migration of intrusion prevention systems from McAfee IntruShield to Cisco Firepower.
2 years 11 months
2007-05 - 2010-03

Executed the enterprise vulnerability management program

Cybersecurity Engineer
Randstad, Stockholm, Sweden
  • Executed the enterprise vulnerability management program, performing recurring vulnerability scans using Qualys, Nessus, Rapid7, Retina, and Burp Suite. Correlated and prioritized vulnerabilities for remediation, tracked progress through formal Plans of Action and Milestones (POA&Ms), and reported remediation metrics to stakeholders.
  • Re-engineered the corporate network topology and security, leading an upgrade of the WAF/IDS infrastructure for enhanced threat detection and prevention. Installed, configured, and managed large-scale, high-availability clusters comprising 200 Database Activity Monitors (DAMs) and 100 Web Application Firewalls (WAFs), integrating all systems with the ArcSight SIEM for centralized monitoring.
  • Performed detailed analysis of web application logs to detect security flaws, misconfigurations, identity issues, and emerging threat patterns. Proposed technical requirements (RFIs/RSIs) for data lake applications to ensure secure data integration practices.
  • Used Firemon for comprehensive perimeter security reviews, analyzing firewall rule sets and network flows to propose actionable technical improvements and optimize security policies.
  • Engineered the SIEM for compliance, building multi-layered filtering and data retention policies within ArcSight to ensure adherence to ISP data retention laws. Supported the SOC by defining technical use cases for WAF integration and proposing new detection strategies and retention filters.
3 years 3 months
2004-02 - 2007-04

Assessed client security engineering implementations

Security Engineer
Ernst & Young, Barcelona, Spain
  • Assessed client security engineering implementations against NIST SP 800-53 controls and the Risk Management Framework (RMF). Provided technical recommendations and worked directly with client InfoSec teams to implement changes that closed gaps identified during penetration tests and vulnerability scans.
  • Implemented and configured security monitoring solutions using ArcSight SIEM for network behavior analysis (NBA) and integrated deep packet inspection tools such as Solera for enhanced network visibility and threat detection.
  • Enforced granular access control policies by deploying and integrating authentication tools with existing IPS, IDS, NAC, and antivirus solutions to create a cohesive network access security posture.
  • Deployed and managed Data Loss Prevention (DLP) solutions using a suite of tools including IronPort, McAfee Webwasher, Bluecoat, GTB, and RSA NetWitness. Analyzed these systems to identify anomalies in data quality and user activity, conducting deep dives into data patterns and security violations.
1 year 8 months
2002-06 - 2004-01

Operated Managed Security Services

Security Network Engineer
Accenture, Madrid, Spain
  • Operated Managed Security Services (MSS) for major banking clients in Spain, with direct hands-on responsibility for implementing and operating anti-phishing solutions and managing perimeter security defenses.
  • Provided operational support and analysis for the Verisign Teraguard SIEM system, gaining deep hands-on experience in real-time log analysis, security event correlation, and incident triage.
  • Maintained operational support for the large-scale corporate network of the Andalusia regional government, encompassing over 7,000 network points running on complex ATM and MPLS technologies. Performed large-scale troubleshooting and preventive maintenance.
  • Gained deep technical exposure to transmission and wireless technologies including SDH, PDL, and DWDM, and handled network hardware from multiple vendors including Lucent, Alcatel, Cisco, Pirelli, Ericsson, Motorola, and Juniper.
  • Provided dedicated Level 2 technical support for VIP customers, requiring rapid incident resolution and a high degree of technical accuracy in a high-pressure environment.

Education and training

1999 - 2003
University of Madrid - B.Sc. in Telecommunications Engineering


Global Certifications in 23 years

  • CISSP Certified Information Systems Security Professional (2009)
  • CCSK Cloud Security (2018)
  • CSP Cloud Security Professional (2019)
  • AWS Certified Security - Specialty (2019)
  • CISA Information Security Auditor (2018)
  • EC Security Analyst (2017)
  • EC Certified Ethical Hacker (2010)
  • ISO 27001 and ISO 20000 Lead Auditor (2009 to 2011)
  • ITIL Foundations (2007)
  • EC Forensic Investigator (2010)


Security Products Certifications in 23 years

  • AWS Certified Security - Specialty (2019)
  • Palo Alto Networks - Security Engineer (2015)
  • Palo Alto Networks Prisma Cloud - Essentials (2019)
  • Zscaler Cloud DLP (2019)
  • CrowdStrike EDR (2018)
  • Carbon Black Protection / Response (EDR) (2019)
  • Fortinet Network Security Expert (NSE) (2012)
  • IBM QRadar - Administration (2018)
  • AlgoSec - Administrator (2016)
  • Imperva SecureSphere - WAF, DAM, FIM, SharePoint (2015)
  • FireEye Helix - Administration (2015)

Skills

Top skills

IT-Security

Products / Standards / Experience / Methods

Summary

Senior Security Engineer with 20+ years of hands-on experience designing and implementing security controls across cloud, on-prem, network, and ICS/OT environments. Expert in translating security standards (NIST, IEC 62443, etc.) into practical technical implementations. Specializes in building and automating secure infrastructures using Zero Trust, SASE, and micro-segmentation. Proficient in the full stack of security technologies, including cloud security platforms (CNAPP/CSPM), SIEM, EDR, firewalls, and identity management, with a strong focus on DevSecOps and automation.


Why do I change companies every three years?

Before COVID, many roles were fixed-term engagements with a defined end date. After COVID, the market shifted strongly toward body leasing and body shopping contracts. In these engagements, the contract typically ends when the project or delivery phase ends.


Policies, Procedures & Awareness

  • ISO 20000, ISO 22301, ISO 27005, ISO 27014, ISO 27017-19, ISO 27031, ISO 27032, ISO 27034, ISO 27035, ISO 27036, ISO 27037, ISO 27040, ISO 27041, ISO 27042, ISO 27043, ISO 27050, ISO 27018, ISO 27701, ISO 29100, ISO 31000, ISO 31010, ISO 31700, ISO 21434, IEC 62443, ISO 27001, Safety ISOs 50000, 60000
  • NIST Cybersecurity Framework 2.0, NIST SP 800 30, NIST SP 800 37, NIST SP 800 39, NIST SP 800 53, NIST SP 800 61, NIST SP 800 82, NIST SP 800 171, NIST SP 800 207 Zero Trust, NIST SP 800 184, NIST SP 800 115, NIST SP 800 137
  • CRA, GDPR, DORA, NIS2, eIDAS, TISAX, BSI IT Grundschutz, KRITIS, MaRisk, BAIT, VAIT, KAIT
  • SOX, PCI DSS, PCI SSF, HIPAA, NERC CIP, CSA CCM, COBIT, CIS Controls v8, ISM3, COSO
  • Software and product security governance: OWASP SAMM, BSIMM, SAFECode, SSDF NIST, OWASP ASVS
  • Supplier and third-party risk: ISO 27036, SIG Shared Assessments, third-party risk management (TPRM) practices


Enterprise and Solution Architecture:

LeanIX EAM, ArchiMate, ADM, draw.io, Miro, Whimsical, Graphviz, Jira, Azure DevOps Boards, Confluence, ServiceNow SecOps, Log4brains, IBM DOORS, OpenControl, Compliance Masonry, AWS Audit Manager, Azure Policy, Open Policy Agent Rego, Auth0 Attack Protection playbooks, Varonis DatAdvantage maps, Purview data lineage, Syft, Grype, CycloneDX, SPDX, Dependency Track, Renovate, Dependabot, Archi plus ArchiMate, Structurizr C4 or PlantUML, IriusRisk, Jira plus Confluence with ADRs, Terraform plus Checkov plus OPA, Prowler or ScoutSuite, Syft plus Dependency Track, OpenTelemetry plus Grafana plus Loki, AWS Well Architected or Azure Advisor reviews


Threat modeling and attack simulation:

Microsoft Threat Modeling Tool, IriusRisk, OWASP Threat Dragon, securiCAD, PASTA, ThreatSpec, PyTM, MITRE ATT&CK, Fence Tool EBIOS, FAIR, OCTAVE, MEHARI, MAGERIT, CWE Top 25, CAPEC


Perimeter IT Network Security and micro segmentation:

Guardicore, Claroty CTD and SRA, Armis, Vectra, Nozomi Networks, NanoLock, Verve Industrial, Microsoft Defender for IoT, Tenable OT, Prisma Cloud, RSA NetWitness, Imperva WAF, Fortinet, Juniper, Palo Alto Networks NGFW, DNS sinkholing, DNS behavior analysis, Microsoft Defender stack, Darktrace


Endpoint Security:

CrowdStrike, Carbon Black, Red Cloak, Microsoft Defender for Endpoint, Wazuh and ELK, THOR or Loki, HIPS or FIM Windows or Unix, sandboxing or detonation, recovery tooling, OllyDbg, IDA Pro


Database Security:

IBM Guardium, Imperva DB Firewall, Check Point CloudGuard, Trend Micro Cloud One


Identity & Access Management:

Okta, PingID, Microsoft Entra ID, Active Directory, Cisco ISE, TACACS, RADIUS, NAC, MFA, Conditional Access.


Logging & Forensics:

RSA enVision, Splunk Enterprise Security, Wazuh and ELK, Netwrix, Microsoft Defender XDR, Microsoft Sentinel, QRadar, Maltego, InsightIDR TI, Volatility, Autopsy, Helix, FTK, SANS SIFT


Threat Intelligence:

MISP, Maltego, SpiderFoot HX, BitSight, ZeroFox, SecurityScorecard, CyCognito, Faraday, Recorded Future, Insight TI, Censys, SpyCloud, data or API discovery


Data Leak Prevention:

Microsoft Purview DLP, GTB DLP, Forcepoint DLP, Netskope DLP, Fidelis DLP, Trellix DLP, Zscaler DLP, Symantec DLP, Mimecast DLP


Cloud Security:

  • CNAPP Microsoft Defender for Cloud, Prisma Cloud, Aqua Security, Wiz, Check Point CloudGuard
  • CSPM: CrowdStrike Cloud, Tenable Cloud Security, Qualys CloudView, Rapid7 InsightCloudSec
  • CWPP: Sysdig Secure, CrowdStrike Falcon Cloud Security, VMware Carbon Black Cloud
  • CIEM: Microsoft Entra Permissions Management, CyberArk, Saviynt, Prisma Cloud IAM
  • EASM: Censys, CyCognito, BitSight, SecurityScorecard, Rapid7 TI, Hadrian
  • CASB: Microsoft Defender for Cloud Apps, Netskope, Zscaler CASB, Skyhigh
  • SSPM: Obsidian, Adaptive Shield, Grip Security
  • PIAM PIM PUAM PAM Cloud Identity and Access Security: Microsoft Entra ID, Okta Workforce Identity Cloud, Ping Identity,
  • CyberArk Identity, BeyondTrust, SailPoint
  • IaC Security: Tenable Cloud Security, Aqua Trivy
  • Container and Kubernetes Security: Sysdig, Aqua, Falco, Anchore
  • Key Management: AWS KMS, Cloud HSM, Azure Key Vault, Thales CipherTrust, HashiCorp Vault


Vulnerability Management:

Nozomi, Qualys, Nessus, Tenable, Rapid7, Greenbone, Retina, Core Impact, Intune Defender ASR.


Secure Software Development and Application Security:

Black Duck, Veracode, Checkmarx, SonarQube, Burp Suite Pro, Invicti, Netsparker, Acunetix, Qualys Web App Scanning, Rapid7 AppSpider, Nmap, Nikto, Greenbone OpenVAS, Vega, Metasploit or Metasploit Pro, Core Impact, Invicti Enterprise, GitLab Secure, Jenkins Security Plugins, CircleCI pipelines with SAST, DAST, regression and smoke security testing, Microsoft Defender for DevOps, Aqua Trivy, Tenable Web App Scanning, Selenium, Postman, TestRail, Katalon, BrowserStack, container image scanning, dependency and license compliance checks, manual and automated penetration testing, continuous security gate enforcement across CI/CD.

Einsatzorte

Einsatzorte

Deutschland
möglich

Projekte

Projekte

3 years 10 months
2022-01 - 2025-10

Engineered and implemented a production-grade Zero Trust control plane

Senior Security Engineer
Senior Security Engineer
  • Engineered and implemented a production-grade Zero Trust control plane for ruggedized military-grade maritime container mini data rooms built on VMware and Tanzu, supporting containerised GIS (Geolocation Information System) workloads for ground troops. The implementation specifically addressed adversarial electronic warfare conditions (jamming, interception, signal manipulation) by building secure, independent function for workloads, identity, and system segments even under degraded or disrupted connectivity, ensuring mission continuity and resilient secure situational awareness in battlefield environments.
  • Served as the lead OT security engineer and technical subject matter expert, translating conceptual OT security strategies from IEC 62443, the Purdue Model, and NIST into concrete, operational technical controls. Applied these controls across diverse industrial environments including oil & gas, onboard vehicle systems, railway, power plants, pharma, gas turbines, and nuclear facilities.
  • Coordinated directly with electrical and mechanical engineering team leads to conduct technical asset discovery and identify KBP-critical systems. Subsequently engineered and applied network ringfencing and segmentation policies to logically isolate and protect SCADA, PLC, and HMI assets from corporate IT and threat lateral movement.
  • Worked hands-on with security, IT, and OT teams to build standardized technical workflows, runbooks, and detection use cases for the OT security solutions catalogue. Drove the practical adoption of defence-in-depth and Zero Trust principles in operational technology environments, enabling multidisciplinary teams to operate under a unified security blueprint.
Capgemini, Berlin, Germany
2 years 6 months
2019-08 - 2022-01

Executed the technical migration

Lead Security Engineer
Lead Security Engineer
  • Executed the technical migration from legacy virtual private network (VPN) solutions to a modern Secure Access Service Edge (SASE) platform, building the technical onboarding and lifecycle procedures for Zero Trust Network Access (ZTNA) for operating teams, establishing new patterns for secure remote access.
  • Implemented micro-segmentation and Software-Defined Perimeter (SDP) solutions from two separate providers, integrating them into the existing network fabric. Worked with cross-platform telemetry, threat intelligence, and risk signals, and integrated software-defined networking (SDN) with Zero Trust principles to secure internal workloads.
  • Built security automation and orchestration workflows by developing custom integrations via APIs. Implemented complex scenarios including split-brain policy enforcement point (PEP) logic and integrated these policy enforcement components directly into the Security Orchestration, Automation, and Response (SOAR) platform to automate threat response.
  • Drove automation and orchestration across the threat landscape, connecting threat intelligence, vulnerability management, and detection and response functions. Utilized the MITRE ATT&CK framework extensively with the AttackIQ simulation solution to continuously validate security controls, determine attacker TTPs, and improve defensive posture.
  • Operated and tuned the security monitoring infrastructure, monitoring and analyzing alerts from Microsoft Security Central SIEM to identify and remediate security issues. Investigated security events and incidents, proactively tuning SIEM rules and correlation thresholds to significantly improve alert fidelity and reduce false positives.
  • Applied digital forensics methodologies according to ISO 27035 for security incidents, providing detailed root cause analysis (RCA) reports that directly led to the closure of systemic security gaps.
Sopra Steria, Switzerland
3 years 11 months
2015-09 - 2019-07

Engineered and systematically hardened security controls

Senior Security Engineer
Senior Security Engineer
  • Engineered and systematically hardened security controls across hybrid on-premises and cloud environments.
  • Utilized OpenSCAP, Lynis, and Tripwire to enforce stringent hardening baselines, centralized logging, and privilege control. Applied DISA STIGs and SRGs via automated SCAP audits to ensure platforms remained aligned with required security baselines.
  • Built and operationalized a robust DevSecOps pipeline by integrating Docker-based web application firewalls, Twistlock for runtime application self-protection (RASP), and the Wazuh security monitoring platform with Ansible automation. This embedded automated security checks, vulnerability scanning, and log collection directly into the application deployment pipelines.
  • Implemented data-centric security solutions for cloud storage systems, including encryption, tokenisation, data masking, and data lifecycle controls. Executed the migration from legacy on-premises proxy gateways to cloud-based Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) services for enhanced data protection.
  • Implemented, configured, and continuously tuned a wide array of network and perimeter security tools including Tufin for security policy management, F5 Application Security Manager (ASM), Barracuda Web Application Firewalls, IBM Guardium for database activity monitoring, and Imperva Web Application Firewalls. Spearheaded the replacement of legacy perimeter setups with modern F5 load balancers, application security modules, and layer-three firewalls, improving both performance and security control over inbound and outbound traffic.
  • Engineered and operated advanced identity and access controls by implementing Authentication, Authorization, and Accounting (AAA) and Privileged Identity Management (PIM) using Cisco Identity Services Engine (ISE) and CyberArk in complex wired and wireless enterprise environments. Deployed Network Access Control (NAC) agent checks to enforce pre-admission compliance policies for antivirus and Endpoint Detection and Response (EDR) status.
  • Conducted offensive security exercises including deep-dive penetration testing on web applications and network infrastructure, executed open-source-intelligence (OSINT) based fraud simulations, tested evasion techniques against web application firewalls, and performed full-scope red team style assessments encompassing physical and infrastructure testing.
Fujitsu, Hamburg, Germany
5 years 5 months
2010-04 - 2015-08

Built a Security Operations Center (SOC)

Senior Security / Network Engineer
Senior Security / Network Engineer
  • Built a Security Operations Center (SOC) from the ground up, including the technical recruitment and mentoring of staff, and the development of runbooks, incident response procedures, and SIEM capabilities.
  • Engineered the implementation of Zero Trust and micro-segmentation within the data centre using VMware NSX-T and managed firewall policies via Palo Alto Panorama. Developed and implemented advanced Splunk correlation rules and searches to support business impact analysis-driven security use cases.
  • Developed and enforced enterprise cloud security standards for AWS and Microsoft Azure, covering identity and access management (IAM), encryption key management, and network security groups. Implemented and configured security policies for Office 365, cloud access security broker (CASB) integrations, and data exfiltration prevention controls.
  • Engineered critical network security infrastructure for high-scale environments, including the implementation of a web application firewall in transparent mode with kernel reverse processing for a major financial institution.
  • Deployed and configured an Imperva firewall solution for enterprise collaboration platforms to prevent data exfiltration and manage granular document-sharing approvals at scale.
  • Performed comprehensive vulnerability management using tools including Nessus, Rapid7 Nexpose, AppDetective, Cenzic Hailstorm, WebInspect, Metasploit, and Acunetix. Used findings to drive system hardening and configuration changes. Managed the migration of intrusion prevention systems from McAfee IntruShield to Cisco Firepower.
Computerfutures, Offenbach, Germany
2 years 11 months
2007-05 - 2010-03

Executed the enterprise vulnerability management program

Cybersecurity Engineer
Cybersecurity Engineer
  • Executed the enterprise vulnerability management program, performing recurring vulnerability scans using Qualys, Nessus, Rapid7, Retina, and Burp Suite. Correlated and prioritized vulnerabilities for remediation, tracked progress through formal Plans of Action and Milestones (POA&Ms), and reported on remediation metrics to stakeholders. 
  • Re-engineered the corporate network topology and security, leading an upgrade of the WAF-IDS infrastructure for enhanced threat detection and prevention capabilities. Installed, configured, and managed large-scale, high-availability clusters comprising 200 Database Activity Monitors (DAMs) and 100 Web Application Firewalls (WAFs), integrating all systems with the ArcSight SIEM for centralized monitoring.
  • Performed detailed analysis of web application logs to detect security flaws, misconfigurations, identity issues, and emerging threat patterns. Proposed technical requirements (RFIs/RSIs) for data lake applications to ensure secure data integration practices.
  • Utilized Firemon for comprehensive perimeter security reviews, analyzing firewall rule sets and network flows to propose actionable technical improvements and optimize security policies.
  • Engineered the SIEM for compliance, building multi-layered filtering and data retention policies within ArcSight to ensure adherence to ISP data retention laws. Supported the SOC by defining technical use cases for WAF integration and proposing new detection strategies and retention filters.
Randstad, Stockholm, Sweden
3 years 3 months
2004-02 - 2007-04

Assessed client security engineering implementations

Security Engineer
Security Engineer
  • Assessed client security engineering implementations against NIST 800-53 controls and the Risk Management Framework (RMF). Provided technical recommendations and worked directly with client InfoSec teams to implement changes to close gaps identified during penetration tests and vulnerability scans.
  • Implemented and configured security monitoring solutions using ArcSight SIEM for network behavior analysis (NBA) and integrated deep packet inspection tools like Solera for enhanced network visibility and threat detection.
  • Enforced granular access control policies by deploying and integrating authentication tools with existing IPS, IDS, NAC, and antivirus solutions to create a cohesive network access security posture.
  • Deployed and managed Data Loss Prevention (DLP) solutions using a suite of tools including IronPort, McAfee Webwasher, Bluecoat, GTB, and RSA NetWitness. Analyzed these systems to identify anomalies in data quality and user activity, conducting deep dives into data patterns and security violations.
Ernst & Young, Barcelona, Spain
1 year 8 months
2002-06 - 2004-01

Managed Managed Security Services

Security Network Engineer
Security Network Engineer
  • Managed Managed Security Services (MSS) for major banking clients in Spain, with direct hands-on responsibility for implementing and operating anti-phishing solutions and managing perimeter security defenses.
  • Provided operational support and analysis for the Verisign Teraguard SIEM system, gaining deep hands-on experience in real-time log analysis, security event correlation, and incident triage.
  • Maintained operational support for a large-scale government corporate network for the Andalusia government, encompassing over 7,000 network points running on complex ATM and MPLS technologies. Performed large-scale troubleshooting and preventive maintenance.
  • Gained deep technical exposure to transmission and wireless technologies including SDH, PDL, and DWDM, and handled network hardware from multiple vendors including Lucent, Alcatel, Cisco, Pirelli, Ericsson, Motorola, and Juniper.
  • Provided dedicated Level 2 technical support for VIP customers, requiring rapid incident resolution and a high degree of technical accuracy in a high-pressure environment.
Accenture, Madrid, Spain

Education and Training


1999 - 2003

University of Madrid - B.Sc. in Telecommunications Engineering


Global Certifications in 23 years

  • CISSP Certified Information Systems Security Professional (2009)
  • CCSK Cloud Security (2018)
  • CSP Cloud Security Professional (2019)
  • AWS Certified Security - Specialty (2019)
  • CISA Information Security Auditor (2018)
  • EC Security Analyst (2017)
  • EC Certified Ethical Hacker (2010)
  • ISO 27001 and ISO 20000 Lead Auditor (2009 to 2011)
  • ITIL Foundations (2007)
  • EC Forensic Investigator (2010)


Security Products Certifications in 23 years

  • AWS Certified Security - Specialty (2019)
  • Palo Alto Networks - Security Engineer (2015)
  • Palo Alto Networks Prisma Cloud - Essentials (2019)
  • Zscaler Cloud DLP (2019)
  • CrowdStrike EDR (2018)
  • Carbon Black Protection / Response (EDR) (2019)
  • Fortinet Network Security Expert (NSE) (2012)
  • IBM QRadar - Administration (2018)
  • AlgoSec - Administrator (2016)
  • Imperva SecureSphere - WAF, DAM, FIM, SharePoint (2015)
  • FireEye Helix - Administration (2015)

Skills


Top Skills

IT Security

Products / Standards / Experience / Methods

Summary

Senior Security Engineer with 20+ years of hands-on experience designing and implementing security controls across cloud, on-prem, network, and ICS/OT environments. Expert in translating security standards (NIST, IEC 62443, etc.) into practical technical implementations. Specializes in building and automating secure infrastructures using Zero Trust, SASE, and micro-segmentation. Proficient in the full stack of security technologies, including cloud security platforms (CNAPP/CSPM), SIEM, EDR, firewalls, and identity management, with a strong focus on DevSecOps and automation.


Why do I change companies every three years?

Before COVID, many roles were fixed-term engagements with a defined end date. After COVID, the market shifted strongly toward body leasing and body shopping contracts. In these engagements, the contract typically ends when the project or delivery phase ends.


Policies, Procedures & Awareness

  • ISO 20000, ISO 22301, ISO 27005, ISO 27014, ISO 27017-19, ISO 27031, ISO 27032, ISO 27034, ISO 27035, ISO 27036, ISO 27037, ISO 27040, ISO 27041, ISO 27042, ISO 27043, ISO 27050, ISO 27018, ISO 27701, ISO 29100, ISO 31000, ISO 31010, ISO 31700, ISO 21434, IEC 62443, ISO 27001, Safety ISOs 50000, 60000
  • NIST Cybersecurity Framework 2.0, NIST SP 800 30, NIST SP 800 37, NIST SP 800 39, NIST SP 800 53, NIST SP 800 61, NIST SP 800 82, NIST SP 800 171, NIST SP 800 207 Zero Trust, NIST SP 800 184, NIST SP 800 115, NIST SP 800 137
  • CRA, GDPR, DORA, NIS2, eIDAS, TISAX, BSI IT Grundschutz, KRITIS, MaRisk, BAIT, VAIT, KAIT
  • SOX, PCI DSS, PCI SSF, HIPAA, NERC CIP, CSA CCM, COBIT, CIS Controls v8, ISM3, COSO
  • Software and product security governance: OWASP SAMM, BSIMM, SAFECode, SSDF NIST, OWASP ASVS
  • Supplier and third party: ISO 27036, SIG Shared Assessments, TPRM (Third Party Risk Management) practices


Enterprise and Solution Architecture:

LeanIX EAM, ArchiMate, ADM, draw.io, Miro, Whimsical, Graphviz, Jira, Azure DevOps Boards, Confluence, ServiceNow SecOps, Log4brains, IBM DOORS, OpenControl, Compliance Masonry, AWS Audit Manager, Azure Policy, Open Policy Agent Rego, Auth0 Attack Protection playbooks, Varonis DatAdvantage maps, Purview data lineage, Syft, Grype, CycloneDX, SPDX, Dependency Track, Renovate, Dependabot, Archi plus ArchiMate, Structurizr C4 or PlantUML, IriusRisk, Jira plus Confluence with ADRs, Terraform plus Checkov plus OPA, Prowler or ScoutSuite, Syft plus Dependency Track, OpenTelemetry plus Grafana plus Loki, AWS Well-Architected or Azure Advisor reviews


Threat modeling and attack simulation:

Microsoft Threat Modeling Tool, IriusRisk, OWASP Threat Dragon, securiCAD, PASTA, ThreatSpec, PyTM, MITRE ATT&CK, Fence Tool, EBIOS, FAIR, OCTAVE, MEHARI, MAGERIT, CWE Top 25, CAPEC


Perimeter IT Network Security and micro segmentation:

Guardicore, Claroty CTD and SRA, Armis, Vectra, Nozomi Networks, NanoLock, Verve Industrial, Microsoft Defender for IoT, Tenable OT, Prisma Cloud, RSA NetWitness, Imperva WAF, Fortinet, Juniper, Palo Alto Networks NGFW, DNS sinkholing, DNS behavior analysis, Microsoft Defender stack, Darktrace


Endpoint Security:

CrowdStrike, Carbon Black, Red Cloak, Microsoft Defender for Endpoint, Wazuh and ELK, THOR or Loki, HIPS or FIM Windows or Unix, sandboxing or detonation, recovery tooling, OllyDbg, IDA Pro


Database Security:

IBM Guardium, Imperva DB Firewall, Check Point CloudGuard, Trend Micro Cloud One


Identity & Access Management:

Okta, PingID, Microsoft Entra ID, Active Directory, Cisco ISE, TACACS, RADIUS, NAC, MFA, Conditional.


Logging & Forensics:

RSA enVision, Splunk Enterprise Security, Wazuh and ELK, Netwrix, Microsoft Defender XDR, Microsoft Sentinel, QRadar, Maltego, InsightIDR TI, Volatility, Autopsy, Helix, FTK, SANS SIFT


Threat Intelligence:

MISP, Maltego, SpiderFoot HX, BitSight, ZeroFox, SecurityScorecard, CyCognito, Faraday, Recorded Future, Insight TI, Censys, SpyCloud, data or API discovery


Data Leak Prevention:

Microsoft Purview DLP, GTB DLP, Forcepoint DLP, Netskope DLP, Fidelis DLP, Trellix DLP, Zscaler DLP, Symantec DLP, Mimecast DLP


Cloud Security:

  • CNAPP: Microsoft Defender for Cloud, Prisma Cloud, Aqua Security, Wiz, Check Point CloudGuard
  • CSPM: CrowdStrike Cloud, Tenable Cloud Security, Qualys CloudView, Rapid7 InsightCloudSec
  • CWPP: Sysdig Secure, CrowdStrike Falcon Cloud Security, VMware Carbon Black Cloud
  • CIEM: Microsoft Entra Permissions Management, CyberArk, Saviynt, Prisma Cloud IAM
  • EASM: Censys, CyCognito, BitSight, SecurityScorecard, Rapid7 TI, Hadrian
  • CASB: Microsoft Defender for Cloud Apps, Netskope, Zscaler CASB, Skyhigh
  • SSPM: Obsidian, Adaptive Shield, Grip Security
  • PIAM / PIM / PUAM / PAM Cloud Identity and Access Security: Microsoft Entra ID, Okta Workforce Identity Cloud, Ping Identity, CyberArk Identity, BeyondTrust, SailPoint
  • IaC Security: Tenable Cloud Security, Aqua Trivy
  • Container and Kubernetes Security: Sysdig, Aqua, Falco, Anchore
  • Key Management: AWS KMS, Cloud HSM, Azure Key Vault, Thales CipherTrust, HashiCorp Vault


Vulnerability Management:

Nozomi, Qualys, Nessus, Tenable, Rapid7, Greenbone, Retina, Core Impact, Intune Defender ASR.


Secure Software Development and Application Security:

Black Duck, Veracode, Checkmarx, SonarQube, Burp Suite Pro, Invicti, Netsparker, Acunetix, Qualys Web App Scanning, Rapid7 AppSpider, Nmap, Nikto, Greenbone OpenVAS, Vega, Metasploit or Metasploit Pro, Core Impact, Invicti Enterprise, GitLab Secure, Jenkins Security Plugins, CircleCI pipelines with SAST, DAST, regression and smoke security testing, Microsoft Defender for DevOps, Aqua Trivy, Tenable Web App Scanning, Selenium, Postman, TestRail, Katalon, BrowserStack, container image scanning, dependency and license compliance checks, manual and automated penetration testing, continuous security gate enforcement across CI/CD.
