Thato Aphane

Thato Aphane

Senior Security Engineer | SecOps, Cloud Security & Data Protection

Email: thaphane@gmail.com | LinkedIn: linkedin.com/in/thato-aphane-a30b514a | HackerOne: hackerone.com/thaphane | GitHub: github.com/thaphane

PROFESSIONAL SUMMARY

Senior security engineer with deep experience across SecOps, cloud security, DevSecOps, offensive operations, and data protection. I run operational security functions end to end - threat hunting and incident response, cloud architecture, SSO/IAM modernisation, vulnerability management, secure SDLC integration, and compliance - across regulated, enterprise, government, fintech, and SaaS environments. My current focus is operating SecOps at scale across a multi-account AWS estate while uplifting detection, secure coding, and developer self-service before a full SIEM stands up.

CORE EXPERTISE

SecOps & Detection: CrowdStrike Falcon (custom IOA authoring, exclusion management, RTR), Cloudflare WAF, Datadog CSM, multi-source daily threat ops, SOC playbook design

Cloud Security: AWS Organisations (SCPs, IDC, IAM, state-role privilege boundaries), Azure Defender / Entra ID, GCP IAM, CSPM, Zero-Trust architecture

DevSecOps: CI/CD security (GitHub Actions, GitLab, Jenkins), Semgrep/TruffleHog/Aikido SAST validation, IaC review (Terraform), container security, secrets management (KMS, SSM, Secrets Manager)

Offensive Security: Red Teaming, Exploit Dev, C2, Purple Team Ops, OSINT, Social Engineering, AI agent adversarial testing

Microsoft Security: Entra ID, Intune, M365 E5, Defender XDR, Purview DLP, Conditional Access

Blue-Team Engineering: SIEM (Sentinel, Splunk, Wazuh eval), EDR, Threat Hunting, DFIR, Incident Response

Governance & Compliance: ISO 27001, PCI DSS, POPIA / GDPR, NIST CSF, CIS Benchmarks, SOC 2 mappings, DPO duties

Professional Experience

SecOps Engineer & Data Protection Manager | Ringier South Africa (Mar 2025 – Present)

Operate the SecOps function across a multi-venture AWS estate while modernising identity, detection, and secure-development tooling. Acting interim SOC until SIEM rollout. Data Protection Manager covering POPIA and group-wide compliance.

  • Architect security across the Ringier SA AWS Organisation (multi-account, multi-venture) - SCPs, Identity Center permission sets, IAM policy bridges, cross-venture state-role chain-assume patterns.
  • Lead AWS SSO/IDC migration program (T2 KR 1.4) replacing long-lived IAM access keys with Identity Center for human users across the org; built auto-detect setup tooling and developer documentation.
  • Falcon Admin: author and deploy custom IOA rules and IOA exclusions; triage detections (HiveCredTheft, UmppcBypassSuspected, MacFalconSensorTamper, AWS-class IOAs); run incident response from initial alert to containment.
  • Built and operate the daily security health check - a Python compensating control aggregating CrowdStrike, CyCognito, GitHub Dependabot/Secret Scanning, AWS GuardDuty, Datadog CSM, and Cloudflare WAF into a single morning sense-making report; surfaces detection gaps and drives ticketed action.
  • Drive shift-left SAST and secret-scanning rollout (Semgrep + TruffleHog pilot on Property team) including FP validation methodology, calibration baselines, and proposed AI-assisted triage layer.
  • Lead incident response for live exposure events (eg AI-agent autoenv .env credential leak): scope, contain, coordinate tiered rotation, author systemic-prevention guidance, and publish post-incident retros.
  • Manage external attack surface (CyCognito across 3 orgs: Ringier SA, ROAM, Imobiliare) and bug bounty engagements (Bug Bounty Switzerland), including 24h acknowledgement SLAs and triage.
  • Own group-wide vulnerability tracking; built and maintain canonical findings tracker (CSV + markdown) per InfoGuard RM4 remediation requirement.
  • Author SOPs, Confluence security docs, and onboarding material; standardise SLAs (Critical 24h, High 7d, Medium 30d, Low 60d) and triage workflows.
  • Stand-in liaison with external Group Security (Switzerland) for InfoGuard audit remediation (RM1-RM6), BIA delivery, and group-wide policy alignment.
  • Data Protection Manager: POPIA breach assessment, data subject rights handling, group privacy alignment, and external Bug Bounty engagement legal-disclosure flow.

Stack: AWS Organisations, IAM Identity Center, Okta, CrowdStrike Falcon, Cloudflare, Datadog, CyCognito, Aikido, Semgrep, TruffleHog, Confluence/Jira APIs, Terraform, Python, GitHub Actions.

Senior Infrastructure and Security Engineer | Netsurit (Nov 2023 – Feb 2025)

Designed and implemented secure network and cloud architectures, integrated security into engineering workflows, and led incident response and compliance activities for enterprise clients.

  • Designed and implemented secure network architectures (firewalls, IDS/IPS, micro-segmentation) and SIEM solutions.
  • Integrated automated security testing into CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions) including SAST, DAST and dependency scanning.
  • Led incident response, forensic analysis, and remediation while minimising business impact.
  • Managed IAM systems and conditional access policies to enforce least-privilege and strong authentication.
  • Ensured compliance with POPIA, PCI DSS and ISO 27001; developed policies and ran internal audits.
  • Azure expertise: Security Center/Defender for Cloud policies, Key Vault, NSGs, conditional access, and M365 security (Exchange, SharePoint, Teams).

Senior Cloud Security Analyst / Pen Tester | Jinjer.co.za (May 2021 – Oct 2023)

Led penetration testing and security assessments for infrastructure, applications, and physical security, with focus on automation and methodology improvement.

  • Executed network, web and mobile penetration tests, social engineering and physical security reviews.
  • Developed custom exploits, scripts and automation to support continuous security assessments.
  • Authored rules of engagement, security standards and automation for repeatable testing.
  • Performed code reviews and worked with developers to validate and remediate vulnerabilities.
  • Technologies: Metasploit, Burp Suite, Nessus, Wireshark, Kali Linux, Python, Bash.

IT Security Specialist | Johannesburg City Parks & Zoo (Aug 2017 – Mar 2023)

Implemented and administered enterprise security solutions across on-prem and cloud environments, with focus on IAM, compliance, and security operations.

  • Designed and administered identity platforms (Active Directory, Azure AD), group policy and IAM tooling.
  • Performed ethical hacking and managed EDR/anti-malware and SIEM solutions.
  • Implemented security controls including PKI, RADIUS, LDAP, SAML/OAuth, MFA, PAM and Zero Trust.
  • Azure/M365: Defender for Cloud, Key Vault, NSGs, conditional access, Exchange Online Protection, Teams security.

IT Senior Analyst | Webhelp SA Outsourcing (Mar 2014 – May 2017)

Day-to-day monitoring, investigation and response to cybersecurity alerts; automation of processes and vulnerability management.

  • Operated anti-malware and vulnerability management tooling (McAfee, Symantec, Nessus, Qualys).
  • Managed incident response, access reviews and security awareness initiatives.
  • Supported penetration testing, policy enforcement and security standards.

Systems Administrator | LDS Church Corporate (Dec 2008 – Mar 2012)

Managed systems administration including configuration, performance tuning, and ITIL-based processes.

  • Windows Server, Cisco networking and VMware administration; supported ITIL processes.
  • Network device configuration and developer workstation optimization.

KEY PROJECTS & CASE STUDIES

AWS Identity Center Migration & State-Role Privilege Boundary

Outcome: replaced long-lived IAM access keys with SSO for human users across a multi-venture AWS organisation; introduced a state-role privilege boundary so cross-venture Terraform state reads chain-assume cleanly without weakening least-privilege. Designed the IDC permission-set / IAM customer-managed-policy bridge, built an auto-detect Python setup script that generates per-developer `~/.aws/config` against actual entitlements, and ran the full migration program including IAM credential reports, stale-key disable waves, and developer documentation across Confluence and a public RingierIMU GitHub repo.

AI-Agent Credential Exposure Incident Response & Custom IOA Authoring

Outcome: contained a live .env credential exposure caused by autoenv firing inside an AI coding agent's shell; built durable detection so it cannot recur silently. Investigated the autoenv + Claude Code interaction, scoped exposure across local and provider retention, drove a tiered rotation of 27 secrets, and authored a 3-rule CrowdStrike Custom IOA group ("AI Agent Env File Detection") attached to the Best-Practice prevention policy. Also deployed 4 IOA exclusions for Electron / Chromium / ripgrep false-positive patterns surfaced during triage.

Daily Security Health Check - Operational Compensating Control

Outcome: a multi-source SecOps morning routine that surfaces real findings, FP classes, and silent detection gaps - acting as interim SOC visibility while a SIEM stands up. Built and operates a Python aggregator pulling CrowdStrike Falcon, CyCognito (3 orgs), GitHub Dependabot + Secret Scanning, AWS GuardDuty, Datadog Cloud Security Management, and Cloudflare WAF (GraphQL) into a single dated markdown + HTML report with sense-making narrative and Jira ticket integration. Pattern surfaced previously-invisible exposures including a 0-GuardDuty-detectors gap, Datadog CSPM disabled, legacy phpMyAdmin exposure, and Ubuntu 18.04 EOL drift.

Shift-Left SAST: Semgrep + TruffleHog Pilot with AI-Assisted FP Triage

Outcome: validated end-to-end exploitability on a 12-finding SAST batch (zero true positives) to establish the Property team's FP baseline; proposed a Claude-API-backed triage layer to scale shift-left without drowning developers in noise. Performed manual consumer tracing on each finding to confirm reachability, designed the per-rule calibration methodology, and drafted a Phase-2 plan for an AI triage step that filters Semgrep output against Ringier project conventions (env() patterns, config overrides, tenant boundaries) before reaching human review.

Azure Zero-Trust Enterprise Rollout

Outcome: Blocked 80% of identity attacks, boosted MFA adoption to 98%. Deployed a Zero-Trust identity & access model using Conditional Access, MFA, and Identity Governance. Integrated Defender for Cloud with a Sentinel SOC.

Multi-Cloud Red Team Engagement

Outcome: Discovered a critical privilege escalation chain in a fintech environment. Executed a phishing simulation to gain an EntraID foothold, exploited misconfigured IAM for lateral movement, and established cloud persistence.

CI/CD Security Automation Framework

Outcome: Cut vulnerability remediation cycle by 60%. Automated SAST, DAST, IaC scanning, and secrets detection within GitHub and GitLab pipelines.

AI-Assisted Threat Detection Lab

Outcome: Prototyped an LLM-augmented SOC for advanced threat detection. Researched and developed methods for automated intelligence parsing and adversarial prompt protection.

Credentials

Current Certifications

  • ✅ OSCP — Offensive Security Certified Professional
  • ✅ CISSP — Certified Information Systems Security Professional
  • ✅ AZ-500 — Azure Security Engineer Associate
  • ✅ Certified Ethical Hacker (CEH)
  • ✅ Microsoft 365 Certified: Security Administrator Associate
  • ✅ Microsoft Certified: Azure Administrator Associate
  • ✅ CompTIA Security+, Network+, A+, Linux+, Python+
  • ✅ ITIL Foundation

Planned / Roadmap

  • 🎯 CRTO I/II — Certified Red Team Operator
  • 🎯 CRTP — Certified Red Team Professional
  • 🎯 CCSP — Certified Cloud Security Professional
  • 🎯 AWS Certified Security - Specialty
  • 🎯 GIAC (GPEN, GXPN)

Elite-Track Mastery

  • 🚀 OSEP, OSWE, CRTE