GRC Analyst & Cybersecurity Professional
Cyber insurance underwriting background meets hands-on governance, risk, and compliance — bridging risk quantification with real security outcomes.
A complete, end-to-end TPRM simulation — from vendor intake through executive reporting — with a live interactive dashboard.
This lab walks through the full vendor risk management lifecycle for a fictional SaaS HR platform handling employee PII, payroll data, and HR records. The assessment identified 3 critical control gaps, resulting in a Conditional Approval with a medium residual risk rating and a structured remediation plan.
Live risk scoring engine, vendor assessment tool, framework compliance tracking, and exportable risk reports — deployed on GitHub Pages.
Every finding mapped to NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) and ISO 27001:2022 Annex A controls.
Quantified risk scoring with likelihood/impact matrices, remediation milestones, and ownership assignments.
Board-ready summary with conditional approval recommendation, key findings, and strategic remediation roadmap.
Three interactive IR scenarios at the same vendor (CloudSync) — ransomware, phishing/breach, and insider threat — with decision points, real log evidence, and framework mapping.
The perspective flips: instead of assessing CloudSync as a vendor, you're on their IR team responding to live incidents. Walk through three realistic tabletop scenarios step-by-step, make critical decisions at each phase, review actual SIEM alerts and forensic evidence, and generate communication templates — all mapped to NIST CSF 2.0, ISO 27035, and MITRE ATT&CK.
Friday 2:47 AM — 3 file servers encrypted, $2.5M ransom demand. Compromised VPN credentials, no MFA. Full containment-to-recovery walkthrough.
Finance employee clicks spearphishing link. Impossible travel alert, mail forwarding rule, 12,847 employee records exfiltrated. Breach notification exercise.
Departing IT Manager bulk downloads customer database via USB and Google Drive. DLP alert triggers forensic investigation and legal hold.
Interactive choices at each phase with best-practice analysis. Realistic Sentinel KQL output, email headers, DLP alerts, and communication templates.
Hands-on labs and tools spanning GRC, vulnerability management, automation, and threat intelligence.
Interactive, self-scoring 40-question VSQ covering Labor, Forced Labor (UFLPA), Environmental, Quality, Cybersecurity, and Ethics. Auto-scores and returns Approved / Conditional / Declined with action items.
4 Python scripts automating the full TPRM lifecycle — inherent risk scoring, NIST CSF 2.0 gap analysis, ISO 27001 control gap detection, and vendor POA&M tracking with color-coded HTML dashboards.
End-to-end vulnerability management on Azure Windows 10 VM — baseline, post-misconfiguration, and post-remediation scan cycles with STIG tables and PowerShell remediation scripts.
Custom ATT&CK maps built from real-world threat intelligence scenarios, visualizing adversary tactics, techniques, and procedures for incident analysis.
Automation tool for streamlining LinkedIn and Indeed job applications, reducing manual effort in the application process.
Core competencies across GRC, security operations, and cloud platforms.
| Domain | Tools & Frameworks |
|---|---|
| GRC Frameworks | NIST CSF 2.0 · ISO 27001:2022 · NIST RMF · SOC 2 |
| Risk Management | TPRM · Vendor Risk · Risk Register · POA&M |
| Incident Response | IR Planning · Tabletop Exercises · ISO 27035 · MITRE ATT&CK |
| Compliance | PCI DSS · HIPAA · CIS Controls · GDPR |
| SIEM / Detection | Microsoft Sentinel · KQL · Defender XDR |
| Vuln Management | Tenable Nessus · Qualys VMDR |
| Cloud | Microsoft Azure · Entra ID |
| Scripting | PowerShell · Python |
Industry-recognized certifications validating security and compliance expertise.
Open to GRC Analyst, TPRM, and cybersecurity compliance roles. Based in Denver, CO.