I build and break software. Thirty years shipping production code, a decade hardening it. Now building AI-powered tools that turn threat intel into runbooks developers actually use.
Application Security Engineer / Senior Full Stack Developer / AI Security Builder / Founder of Zactonics AI.
Currently translating OWASP ASVS, MITRE ATT&CK, and CVE feeds into browser-native tools that live next to the developer — not on a dashboard they'll never open.
My career started in 1991 building financial systems at Nationwide, then moved through IBM, Unisys, and a decade as an Application Security SME at Micro Focus and Telos — running Fortify SCA, AppScan, and secure-code training for Fortune 500 and federal programs.
Since 2020 I've led full stack and security engineering at Clarity Innovations — embedding threat modeling and SAST/SCA into CI/CD, architecting Keycloak + OIDC identity platforms, and shipping AI platforms with prompt-injection guardrails and RAG access controls aligned to the OWASP Top 10 for LLMs.
In 2024 I founded Zactonics AI to build what I kept wishing existed: tools that read an architecture and a CVE feed and produce something a developer can actually ship — runbooks, remediation plans, regression tests for prompt injection, MCP audit reports.
I mentor engineers. I sit on the board of the Children's Museum of Montgomery. I tutor adult literacy. I led Meta's Developer Circle in Montgomery for five years. The best security work I've done has always been about getting humans and systems to trust each other a little more carefully.
Browser-native, privacy-first tooling. Most run entirely client-side — no server, no telemetry, architecture and CVE data never leave the device.
Full-stack case management demo with geospatial mapping, evidence linking, and chain-of-custody tracking. Built for agencies that need auditable case workflows without another bloated SaaS contract — the kind of platform where access control, audit logging, and PII handling aren't afterthoughts.
Ingests a JSON architecture plus MITRE ATT&CK techniques and CVEs, then generates a tailored resilience plan — RTO/RPO targets, backup/DR posture, monitoring, compensating controls, and full incident runbooks. Entirely browser-native.
Seven-layer reference architecture decomposing the AI agent ecosystem into auditable functional layers. Built for MCP-era threat modeling.
End-to-end enterprise identity documentation: Azure AD as IdP, Keycloak as broker, role- and cell-level authorization, and production hardening checklist.
Visual durable-workflow designer demonstrating Temporal best practices, retry policies, and compensations for resilient enterprise pipelines.
Interactive walkthrough of Zero Trust architecture fundamentals — network segmentation, identity-centric controls, and continuous verification.
Practical playbook for rate limiting patterns — token bucket, sliding window, distributed coordination, and abuse-prevention strategies.
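As an added illustration of the two core patterns named above (this is example code written for this page, not code from the playbook itself), here are a token bucket and a sliding-window log side by side, wrapped in a per-key table that is bounded so a key-flooding client cannot exhaust memory. The clock is passed in as a millisecond timestamp so the behaviour is deterministic; the request trace at the bottom is constructed for the demo.

```javascript
// Token bucket: allows a burst of `capacity`, then sustains `refillPerSec`.
class TokenBucket {
  constructor(capacity, refillPerSec, now = 0) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;   // start full so the first burst is allowed
    this.last = now;          // last refill time, in ms (injected clock)
  }
  // Spends `cost` tokens at time `now` if available; refills lazily first.
  allow(now, cost = 1) {
    const elapsedSec = Math.max(0, now - this.last) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsedSec * this.refillPerSec);
    this.last = now;
    if (this.tokens >= cost) { this.tokens -= cost; return true; }
    return false;
  }
}

// Sliding-window log: at most `limit` requests in any trailing `windowMs`.
// Exact (no boundary burst like a fixed window), at the cost of one entry
// per allowed request, which is why the window must stay short.
class SlidingWindowLog {
  constructor(limit, windowMs) {
    this.limit = limit; this.windowMs = windowMs; this.log = [];
  }
  allow(now) {
    const cutoff = now - this.windowMs;
    while (this.log.length && this.log[0] <= cutoff) this.log.shift(); // drop expired
    if (this.log.length >= this.limit) return false;
    this.log.push(now);
    return true;
  }
}

// Per-key limiter. Key on something the caller cannot freely choose (the
// authenticated subject, or client IP as a fallback). The table is bounded:
// when full, the oldest-inserted key is evicted so key flooding cannot grow it.
class KeyedLimiter {
  constructor(factory, maxKeys = 10000) {
    this.factory = factory; this.maxKeys = maxKeys; this.buckets = new Map();
  }
  allow(key, now) {
    let b = this.buckets.get(key);
    if (!b) {
      if (this.buckets.size >= this.maxKeys) {
        this.buckets.delete(this.buckets.keys().next().value); // Map keeps insertion order
      }
      b = this.factory(now);
      this.buckets.set(key, b);
    }
    return b.allow(now);
  }
}

// Run a trace of {key, t} through a limiter and return the allow/deny decisions.
function simulate(trace, limiter) {
  return trace.map(({ key, t }) => limiter.allow(key, t));
}

// Constructed trace: client "a" fires 12 requests at t=0, client "b" sends
// one, then "a" sends one every 100 ms, then one more a second later.
const burstTrace = [];
for (let i = 0; i < 12; i++) burstTrace.push({ key: "a", t: 0 });
burstTrace.push({ key: "b", t: 0 });
for (let i = 1; i <= 5; i++) burstTrace.push({ key: "a", t: i * 100 });
burstTrace.push({ key: "a", t: 1000 });

// Capacity 10 at 10 tokens/s: the burst gets 10, then one token per 100 ms.
function tokenBucketDemo() {
  const lim = new KeyedLimiter((now) => new TokenBucket(10, 10, now));
  return simulate(burstTrace, lim);
}

// 10 per 1000 ms: the burst gets 10, then nothing until the window has passed.
function slidingWindowDemo() {
  const lim = new KeyedLimiter(() => new SlidingWindowLog(10, 1000));
  return simulate(burstTrace, lim);
}

console.log("token bucket  :", tokenBucketDemo().map((ok) => (ok ? "A" : "D")).join(""));
console.log("sliding window:", slidingWindowDemo().map((ok) => (ok ? "A" : "D")).join(""));
```

The two traces show the practical difference: the token bucket lets the client resume at the refill rate right after the burst, while the sliding window holds the line until the burst ages out. Both limiters here are in-process state; once the service runs as more than one replica the counters have to live in a shared store (the playbook's distributed-coordination section), or each replica independently grants the full limit.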
Location-aware document search that bridges physical assets and digital files across multiple sites. Replaces messy folders with a real index.
Tooling that turns unstructured business input into structured, auditable decisions — with explainability and source-traceability baked in.
Visual scaffolder for agentic workflows with a focus on safe tool-calling, guardrails, and containment patterns.
Full-stack demo platform for skills matching, program management, and workforce analytics — built for state and regional workforce agencies.
Drag-and-drop flow charts and state diagrams with auto-layout, snap-to-grid, and PNG / SVG / Mermaid export. Built because every other tool is overkill.
Research-stage builds. Ships when it's useful, not before.
Deepfake & coordinated-attack insurance built for the generative-AI era. Risk scoring + takedown playbook + policy layer.
Turns RFPs into winning proposals — requirement extraction, capability matching, gap analysis, auto-authored response docs.
CI-friendly test harness for LLM apps — catalogued attack patterns, regression runs against OWASP LLM Top 10, results pinned to commits.
Static + runtime analysis of Model Context Protocol servers. Maps exposed tool surfaces, auth posture, and data-egress risk against the OWASP Top 10 for Agentic AI.
Financial systems → enterprise platforms → application security → AI security. The stack changes; the posture doesn't.
Building AI-powered AppSec & resilience tooling. Shipped the Resilience Plan + Runbooks generator; designed stack→ATT&CK→ASVS knowledge packs; architected a fully browser-native pipeline so customer architecture never leaves the device.
Embedded secure SDLC across React/Java/Python services — SAST/SCA in CI/CD, OWASP ASVS enforcement, code review on injection and supply-chain risk. Architected Keycloak + OIDC identity with RBAC/ABAC and mTLS. Built an AI platform with LangChain + ChromaDB + Spark, hardened against the OWASP LLM Top 10. Led and mentored the engineering team.
Application security consulting for Fortune 500. Operationalized Fortify SCA, IBM AppScan, and SCA tooling at enterprise scale. Threat modeling and secure code review across Java, Python, React, C/C++, Kotlin, Ruby, and SAP ABAP codebases.
Federal and enterprise AppSec — Fortify SCA and AppScan for SAST/DAST/remediation triage. Led secure-coding training covering OWASP Top 10, NIST 800-53, and FISMA.
Performance engineering, capacity planning, and business-availability work across Java, C/C++, and Solaris for government and commercial clients — with resilience baked into the SDLC.
Enterprise software engineering across IBM's development org — large-scale distributed applications with strong emphasis on reliability and code quality.
Full-stack development on business-critical financial-services systems. Systems reliability, database engineering, and cross-team delivery — where the craft started.
OWASP Top 10 & ASVS · Threat Modeling · SAST / DAST / SCA / IAST · Secure SDLC · DevSecOps · Fortify SCA · IBM AppScan · Snyk · Semgrep · CodeQL · Burp Suite · SBOM · MITRE ATT&CK · CVE Management · CIS Benchmarks
OWASP Top 10 for LLMs & Agentic AI · Prompt Injection Defense · AI Red Teaming · AI-SPM · Model Context Protocol (MCP) Hardening · RAG Pipeline Security · Vector DB Controls · AI-BOM · LangChain Guardrails · NIST AI RMF · ISO 42001
React · Next.js · Node.js · Angular · JavaScript / TypeScript · HTML5 / CSS3 · Tailwind · Responsive Design
Java / Spring Boot · Python / Flask / FastAPI · Elixir · Go · Rust · C# / .NET · Ruby on Rails
PostgreSQL · MySQL · MongoDB · Redis · ChromaDB · Apache Iceberg · REST · GraphQL · gRPC · WebSockets · Event-Driven Architecture · OAuth 2.0 / OIDC
Docker · Kubernetes · GitHub Actions · Jenkins · Terraform · AWS · Azure · GCP · Secure CI/CD Pipelines · Image Scanning · Signed Artifacts
Keycloak · OAuth 2.0 / OIDC · SAML · RBAC / ABAC · Zero Trust · mTLS · Secrets Management
LangChain · OpenAI / Anthropic / Claude APIs · RAG · Semantic Search · Apache Spark · Multimodal Pipelines · Prompt Engineering
Children's Museum of Montgomery — shaping science, art, and technology programming for kids across central Alabama.
Capital Area Adult Literacy Council — one-on-one reading and GED preparation work.
Designed and delivered workshops, hackathons, and STEAM programs for regional developers.
Community leadership and technical education programming for local developers.
Remote-first. Open to relocation. Based in Alabama. Looking for senior AppSec, AI Security, or staff-level full stack roles where security is engineering, not paperwork.