IT Operations & Cybersecurity Engineer

Securing Systems and People

Brandan Grossi

About Me

Cybersecurity professional specializing in vulnerability management, endpoint security, and secure development practices. I focus on building resilient systems through comprehensive security architecture, incident response, and proactive threat mitigation. My expertise spans from secure coding and API development to network segmentation and cloud security implementations.

Security Operations

  • Vulnerability Management
  • Endpoint Security
  • Security Architecture
  • Incident Response
  • Data Protection

Development & Code

  • Secure Coding Practices
  • Python & PowerShell
  • Secure Web Applications
  • Secure Code Review
  • API Security

Infrastructure & Network

  • Cloud Security
  • Network Segmentation
  • Firewall Configuration
  • Virtualized Security
  • Network Security

Career Timeline

Helpdesk Technician

Care Central VNA & Hospice Inc., Nov 2021 - Nov 2022

Entry-level IT support role providing helpdesk services and learning foundational IT skills.

IT Manager / Systems Administrator

Care Central VNA & Hospice Inc., Nov 2022 - Aug 2023

Managed IT operations across multiple locations with focus on infrastructure and security.

  • Managed critical infrastructure outages and maintained SLAs
  • Built department budget based on expenditure analysis and future deployments
  • Provided comprehensive IT support across 4 offices remotely and in-person
  • Triaged and managed threat alerts through Sophos EDR, MS Defender, and KnowBe4 PhishER

Service Desk Engineer (P1 - P3)

Commonwealth Fusion Systems, Aug 2023 - Present

Progressive service desk role with increasing responsibilities, automation focus, and project leadership.

  • Closed over 4,500 tickets across all service desk tiers
  • Introduced and expanded automations for FreshService, Okta workflows, and GitHub Actions
  • Acted as escalation point for team members and actively mentored junior members
  • Led long-term projects including software deployments, custom automations, and Okta integrations
  • Deployed custom asset decommissioning tool for better inventory management
  • Rebuilt Intune update rings for improved Windows patching
  • Deployed Winget-AutoUpdate, patching 8,000+ vulnerabilities across endpoints

Cybersecurity Liaison

Commonwealth Fusion Systems, Jan 2024 - Present

Leading cybersecurity operations with focus on threat detection, vulnerability management, and security automation.

  • Closed over 2,000 cybersecurity tickets across EDR findings, email security, and ASM alerts
  • Removed over 30,000 vulnerabilities via automation in a single month
  • Introduced automation to PhishER platform using KnowBe4 Rules and Actions
  • Investigated and remediated hundreds of high/critical cloud IOMs with Rapid7 and CrowdStrike
  • Developed custom Python script for vulnerability management platform deduplication

Certificates & Education

Bachelor's in Cybersecurity & Information Assurance

In Progress

Comprehensive program covering information security, network defense, digital forensics, and secure software development. 2 classes remaining.

2023 - 2025

Associate's Degree in Computer Information Systems

Completed

Foundation in computer systems, networking, and information technology fundamentals that form the basis for cybersecurity expertise.

2020 - 2022

SSCP (Systems Security Certified Practitioner)

(ISC)²

Intermediate-level security certification covering access controls, cryptography, network security, and incident response.

2025

CySA+ (Cybersecurity Analyst+)

CompTIA

Advanced cybersecurity certification focusing on threat detection, vulnerability management, and security analytics.

2025

CompTIA Security Analytics Professional (CSAP)

CompTIA

Specialized certification in security analytics, threat intelligence, and advanced security monitoring techniques.

2025

CompTIA Project+

CompTIA

Project management certification covering project lifecycle, risk management, and stakeholder communication.

2024

CompTIA Security+

CompTIA

Foundational cybersecurity certification covering threat management, cryptography, identity management, and risk assessment.

2024

CompTIA Secure Infrastructure Specialist (CSIS)

CompTIA

Specialized certification combining Security+, Network+, and Server+ knowledge for secure infrastructure management.

2024

CompTIA Network+

CompTIA

Network infrastructure certification covering network design, implementation, troubleshooting, and security.

2024

CompTIA A+

CompTIA

Entry-level IT certification covering hardware, software, troubleshooting, and basic security concepts.

2023

Professional Projects

Endpoint & Server Vulnerability Management

Security Operations

Comprehensive vulnerability management program focusing on automated patching and endpoint security improvements across the organization.

  • Introduced Update rings in Intune for OS patch availability
  • Revamped RMM processes to install patches on endpoints
  • Worked with stakeholders to implement automated server patch schedules
  • Deployed Winget update tool to all Windows endpoints
  • Developed custom Python script with GitHub Actions for CrowdStrike device auditing

Rapid7 Cloud Misconfiguration Analysis

Cloud Security

Implemented automated cloud security monitoring and remediation processes to reduce cloud infrastructure risks and improve security posture.

  • Built and deployed Rapid7 bots for automated cloud security monitoring
  • Configured alerts for new accounts/projects and specific port openings
  • Analyzed and remediated findings with cross-functional teams
  • Reduced public visibility of S3 buckets

CIS Benchmark Implementation

Security Controls

Implemented CIS benchmark controls for critical applications to enhance security posture while maintaining operational efficiency.

  • Implemented CIS benchmark controls for Chrome browser
  • Collaborated with teams for slow rollout testing
  • Ensured minimal service disruption during security control implementation

IT Ops Development Environment

DevOps & Security

Modernizing IT operations by transitioning from local development to centralized development environments with enhanced security controls.

  • Transitioning IT Ops processes to centralized development environment
  • Improving API key management and reducing security risks
  • Eliminating potential access method vulnerabilities (leaked API keys, .env files)
  • Deployed new GAM project in Google Cloud
  • Removing endpoint access to GAM with increased logging and SSH/SDM access

Homelab Infrastructure

My homelab demonstrates enterprise-grade security architecture with network segmentation, virtualization, and comprehensive monitoring. Built around a UDM Pro gateway with VLAN-based security zones, it showcases real-world security implementations and defensive strategies.

Network Architecture

  • UDM Pro: Main Gateway & Firewall
  • Core Switch: VLAN Management
  • Proxmox 1: DNS & Authentik SSO
  • Proxmox 2: Dev Environment & Services
  • pfSense VM: DMZ Firewall
  • Linux VM: Docker Services
  • Wazuh SIEM: Security Monitoring
  • Windows DC: Domain Controller
  • Docker Stack: Reverse Proxy & Services
  • Guest Network: Isolated Access
  • IoT Network: Device Management
  • Management: Admin Access

Infrastructure Components

Network Segmentation

VLAN-based security zones with UDM Pro gateway and pfSense DMZ

Virtualization

Dual Proxmox hypervisors for high availability and resource management

Container Orchestration

Docker containers with Portainer management and reverse proxy

Security Monitoring

Wazuh SIEM for centralized logging and threat detection

Identity Management

Authentik SSO for centralized authentication and authorization

Cloud Integration

Cloudflare tunnels for secure external access to internal services

Project Infrastructure

This project demonstrates enterprise-grade network architecture with multi-layer security, network segmentation, and advanced traffic routing. Built to showcase real-world infrastructure design principles and security implementations.

Frontend

  • HTML5: Semantic markup with security considerations
  • CSS3: Dark theme with security-focused design
  • JavaScript: Minimal JS for enhanced security

Backend

  • Python Flask: Lightweight WSGI framework
  • Security Headers: CSP, HSTS, X-Frame-Options
  • Template Engine: Jinja2 with auto-escaping

Infrastructure Architecture

  • UDM Pro: Main gateway with VLAN segmentation
  • pfSense DMZ: Isolated firewall on dedicated NIC
  • Proxmox: Virtualization host with network isolation
  • Linux VM: Docker host with MACVLAN networking
  • Docker Containers: Cloudflared, NPM, Flask app

Traffic Flow Architecture

  • Internet: External Traffic
  • Cloudflare: CNAME Records
  • Cloudflare Tunnel: Cloudflared Container
  • NPM: Reverse Proxy Manager
  • SSL Termination: Certificate Management
  • Flask App: Docker Container

Network Path: UDM Pro VLAN → pfSense DMZ → Proxmox → Linux VM → Docker Containers
Traffic Routing: MACVLAN + IP Routes for direct Docker network traffic, with other traffic deferred to different endpoints

Network Security Features

Network Segmentation

  • UDM Pro VLAN isolation
  • pfSense DMZ on dedicated NIC
  • MACVLAN for Docker networking
  • IP routing for traffic control
  • Restricted MGMT Network Access

Traffic Management

  • Cloudflare tunnel encryption
  • NPM SSL certificate handling
  • www redirect enforcement
  • Docker network isolation
  • Cloudflare DoS protection