Senior Security Engineer | SecOps, Cloud Security & Data Protection
Email: thaphane@gmail.com | LinkedIn: linkedin.com/in/thato-aphane-a30b514a | HackerOne: hackerone.com/thaphane | GitHub: github.com/thaphane
Senior security engineer with deep experience across SecOps, cloud security, DevSecOps, offensive operations, and data protection. I run operational security functions end to end - threat hunting and incident response, cloud architecture, SSO/IAM modernisation, vulnerability management, secure SDLC integration, and compliance - across regulated, enterprise, government, fintech, and SaaS environments. My current focus is operating SecOps at scale across a multi-account AWS estate while uplifting detection, secure coding, and developer self-service before a full SIEM stands up.
SecOps & Detection: CrowdStrike Falcon (custom IOA authoring, exclusion management, RTR), Cloudflare WAF, Datadog CSM, multi-source daily threat ops, SOC playbook design
Cloud Security: AWS Organisations (SCPs, IDC, IAM, state-role privilege boundaries), Azure Defender / Entra ID, GCP IAM, CSPM, Zero-Trust architecture
DevSecOps: CI/CD security (GitHub Actions, GitLab, Jenkins), Semgrep/TruffleHog/Aikido SAST validation, IaC review (Terraform), container security, secrets management (KMS, SSM, Secrets Manager)
Offensive Security: Red Teaming, Exploit Dev, C2, Purple Team Ops, OSINT, Social Engineering, AI agent adversarial testing
Microsoft Security: Entra ID, Intune, M365 E5, Defender XDR, Purview DLP, Conditional Access
Blue-Team Engineering: SIEM (Sentinel, Splunk, Wazuh eval), EDR, Threat Hunting, DFIR, Incident Response
Governance & Compliance: ISO 27001, PCI DSS, POPIA / GDPR, NIST CSF, CIS Benchmarks, SOC 2 mappings, DPO duties
Operate the SecOps function across a multi-venture AWS estate while modernising identity, detection, and secure-development tooling. Acting interim SOC until SIEM rollout. Data Protection Manager covering POPIA and group-wide compliance.
Stack: AWS Organisations, IAM Identity Center, Okta, CrowdStrike Falcon, Cloudflare, Datadog, CyCognito, Aikido, Semgrep, TruffleHog, Confluence/Jira APIs, Terraform, Python, GitHub Actions.
Designed and implemented secure network and cloud architectures, integrated security into engineering workflows, and led incident response and compliance activities for enterprise clients.
Led penetration testing and security assessments for infrastructure, applications, and physical security, with focus on automation and methodology improvement.
Implemented and administered enterprise security solutions across on-prem and cloud environments, with focus on IAM, compliance, and security operations.
Day-to-day monitoring, investigation and response to cybersecurity alerts; automation of processes and vulnerability management.
Managed systems administration including configuration, performance tuning, and ITIL-based processes.
Outcome: replaced long-lived IAM access keys with SSO for human users across a multi-venture AWS organisation; introduced a state-role privilege boundary so cross-venture Terraform state reads chain-assume cleanly without weakening least-privilege. Designed the IDC permission-set / IAM customer-managed-policy bridge, built an auto-detect Python setup script that generates per-developer `~/.aws/config` against actual entitlements, and ran the full migration program including IAM credential reports, stale-key disable waves, and developer documentation across Confluence and a public RingierIMU GitHub repo.
Outcome: contained a live .env credential exposure caused by autoenv firing inside an AI coding agent's shell; built durable detection so it cannot recur silently. Investigated the autoenv + Claude Code interaction, scoped exposure across local and provider retention, drove a tiered rotation of 27 secrets, and authored a 3-rule CrowdStrike Custom IOA group ("AI Agent Env File Detection") attached to the Best-Practice prevention policy. Also deployed 4 IOA exclusions for Electron / Chromium / ripgrep false-positive patterns surfaced during triage.
Outcome: a multi-source SecOps morning routine that surfaces real findings, FP classes, and silent detection gaps - acting as interim SOC visibility while a SIEM stands up. Built and operates a Python aggregator pulling CrowdStrike Falcon, CyCognito (3 orgs), GitHub Dependabot + Secret Scanning, AWS GuardDuty, Datadog Cloud Security Management, and Cloudflare WAF (GraphQL) into a single dated markdown + HTML report with sense-making narrative and Jira ticket integration. Pattern surfaced previously-invisible exposures including a 0-GuardDuty-detectors gap, Datadog CSPM disabled, legacy phpMyAdmin exposure, and Ubuntu 18.04 EOL drift.
Outcome: validated end-to-end exploitability on a 12-finding SAST batch (zero true positives) to establish the Property team's FP baseline; proposed a Claude-API-backed triage layer to scale shift-left without drowning developers in noise. Performed manual consumer tracing on each finding to confirm reachability, designed the per-rule calibration methodology, and drafted a Phase-2 plan for an AI triage step that filters Semgrep output against Ringier project conventions (env() patterns, config overrides, tenant boundaries) before reaching human review.
Outcome: Blocked 80% of identity attacks, boosted MFA adoption to 98%. Deployed a Zero-Trust identity & access model using Conditional Access, MFA, and Identity Governance. Integrated Defender for Cloud with a Sentinel SOC.
Outcome: Discovered a critical privilege escalation chain in a fintech environment. Executed a phishing simulation to gain an EntraID foothold, exploited misconfigured IAM for lateral movement, and established cloud persistence.
Outcome: Cut vulnerability remediation cycle by 60%. Automated SAST, DAST, IaC scanning, and secrets detection within GitHub and GitLab pipelines.
Outcome: Prototyped an LLM-augmented SOC for advanced threat detection. Researched and developed methods for automated intelligence parsing and adversarial prompt protection.