IT Operations & Cybersecurity Engineer

Securing Systems and People

Brandan Grossi

About Me

Cybersecurity professional specializing in vulnerability management, endpoint security, and secure development practices. I focus on building resilient systems through comprehensive security architecture, incident response, and proactive threat mitigation. My expertise spans from secure coding and API development to network segmentation and cloud security implementations.

Security Operations

  • Vulnerability Management
  • Endpoint Security
  • Security Architecture
  • Incident Response
  • Data Protection

Development & Code

  • Secure Coding Practices
  • Python & PowerShell
  • Secure Web Applications
  • Secure Code Review
  • API Security

Infrastructure & Network

  • Cloud Security
  • Network Segmentation
  • Firewall Configuration
  • Virtualized Security
  • Network Security

Career Timeline

Helpdesk Technician

Care Central VNA & Hospice Inc. Nov 2021 - Nov 2022

Entry-level IT support role providing helpdesk services and learning foundational IT skills.

IT Manager / Systems Administrator

Care Central VNA & Hospice Inc. Nov 2022 - Aug 2023

Managed IT operations across multiple locations with focus on infrastructure and security.

  • Managed critical infrastructure outages and maintained SLAs
  • Built department budget based on expenditure analysis and future deployments
  • Provided comprehensive IT support across 4 offices remotely and in-person
  • Triaged and managed threat alerts through Sophos EDR, MS Defender, and KnowBe4 PhishER

Service Desk Engineer (P1 - P3)

Commonwealth Fusion Systems Aug 2023 - Present

Progressive service desk role with increasing responsibilities, automation focus, and project leadership.

  • Closed over 4,500 tickets across all service desk tiers
  • Introduced and expanded automations for FreshService, Okta workflows, and GitHub Actions
  • Acted as escalation point for team members and actively mentored junior members
  • Led long-term projects including software deployments, custom automations, and Okta integrations
  • Deployed custom asset decommissioning tool for better inventory management
  • Rebuilt Intune update rings for improved Windows patching
  • Deployed Winget-AutoUpdate, patching 8,000+ vulnerabilities across endpoints

Cybersecurity Liaison

Commonwealth Fusion Systems Jan 2024 - Present

Leading cybersecurity operations with focus on threat detection, vulnerability management, and security automation.

  • Closed over 2,000 cybersecurity tickets across EDR findings, email security, and ASM alerts
  • Removed over 30,000 vulnerabilities via automation in a single month
  • Introduced automation to PhishER platform using KnowBe4 Rules and Actions
  • Investigated and remediated hundreds of high/critical cloud IOMs with Rapid7 and CrowdStrike
  • Developed custom PowerShell script for vulnerability management auditing

Certificates & Education

Bachelor's in Cybersecurity & Information Assurance

In Progress

Comprehensive program covering information security, network defense, digital forensics, and secure software development. 2 classes remaining.

2023 - 2025

Associate's Degree in Computer Information Systems

Completed

Foundation in computer systems, networking, and information technology fundamentals that form the basis for cybersecurity expertise.

2020 - 2022

SSCP (Systems Security Certified Practitioner)

(ISC)²

Intermediate-level security certification covering access controls, cryptography, network security, and incident response.

2025

CySA+ (Cybersecurity Analyst+)

CompTIA

Advanced cybersecurity certification focusing on threat detection, vulnerability management, and security analytics.

2025

CompTIA Security Analytics Professional (CSAP)

CompTIA

Specialized certification in security analytics, threat intelligence, and advanced security monitoring techniques.

2025

CompTIA Project+

CompTIA

Project management certification covering project lifecycle, risk management, and stakeholder communication.

2024

CompTIA Security+

CompTIA

Foundational cybersecurity certification covering threat management, cryptography, identity management, and risk assessment.

2024

CompTIA Secure Infrastructure Specialist (CSIS)

CompTIA

Specialized certification combining Security+ and Network+ knowledge for secure infrastructure management.

2024

CompTIA Network+

CompTIA

Network infrastructure certification covering network design, implementation, troubleshooting, and security.

2024

CompTIA A+

CompTIA

Entry-level IT certification covering hardware, software, troubleshooting, and basic security concepts.

2023

Professional Projects

Endpoint & Server Vulnerability Management

Security Operations

Comprehensive vulnerability management program focusing on automated patching and endpoint security improvements across the organization.

  • Introduced Update rings in Intune for OS patch availability
  • Revamped RMM processes to install patches on endpoints
  • Worked with stakeholders to implement automated server patch schedules
  • Deployed Winget update tool to all Windows endpoints
  • Developed custom PowerShell script with GitHub Actions for CrowdStrike device auditing

Rapid7 Cloud Misconfiguration Analysis

Cloud Security

Implemented automated cloud security monitoring and remediation processes to reduce cloud infrastructure risks and improve security posture.

  • Built and deployed Rapid7 bots for automated cloud security monitoring
  • Configured alerts for new accounts/projects and specific port openings
  • Analyzed and remediated findings with cross-functional teams
  • Reduced public visibility of S3 buckets

CIS Benchmark Implementation

Security Controls

Implemented CIS benchmark controls for critical applications to enhance security posture while maintaining operational efficiency.

  • Implemented CIS benchmark controls for Chrome browser
  • Collaborated with teams for slow rollout testing
  • Ensured minimal service disruption during security control implementation

IT Ops Development Environment

DevOps & Security

Modernizing IT operations by transitioning from local development to centralized development environments with enhanced security controls.

  • Transitioning IT Ops processes to centralized development environment
  • Improving API key management and reducing security risks
  • Eliminating potential access method vulnerabilities (leaked API keys, .env files)
  • Deployed new GAM project in Google Cloud
  • Removing endpoint access to GAM with increased logging and SSH/SDM access

Homelab Infrastructure

My homelab demonstrates enterprise-grade security architecture with network segmentation, virtualization, and comprehensive monitoring. Built around a UDM Pro gateway with VLAN-based security zones, it showcases real-world security implementations and defensive strategies.

Network Architecture

  • UDM Pro: Main Gateway & Firewall
  • Core Switch: VLAN Management
  • Proxmox 1: DNS & Authentik SSO
  • Proxmox 2: Dev Environment & Services
  • pfSense VM: DMZ Firewall
  • Linux VM: Docker Services
  • Wazuh SIEM: Security Monitoring
  • Windows DC: Domain Controller
  • Docker Stack: Reverse Proxy & Services
  • Guest Network: Isolated Access
  • DMZ Network: Public Facing Services
  • Management: Admin Access

Infrastructure Components

Network Segmentation

VLAN-based security zones with UDM Pro gateway and pfSense DMZ

Virtualization

Dual Proxmox hypervisors for high availability and resource management

Container Orchestration

Docker containers with Portainer management and reverse proxy

Security Monitoring

Wazuh SIEM for centralized logging and threat detection

Identity Management

Authentik SSO for centralized authentication and authorization

Cloud Integration

Cloudflare tunnels for secure external access to internal services

Project Infrastructure

This project demonstrates enterprise-grade network architecture with multi-layer security, network segmentation, and advanced traffic routing. Built to showcase real-world infrastructure design principles and security implementations.

Frontend

  • HTML5: Semantic markup with security considerations
  • CSS3: Dark theme with security-focused design
  • JavaScript: Minimal JS for enhanced security

Backend

  • Python Flask: Lightweight WSGI framework
  • Security Headers: CSP, HSTS, X-Frame-Options
  • Template Engine: Jinja2 with auto-escaping

Infrastructure Architecture

  • UDM Pro: Main gateway with VLAN segmentation
  • pfSense DMZ: Isolated firewall on dedicated NIC
  • Proxmox: Virtualization host with network isolation
  • Linux VM: Docker host with MACVLAN networking
  • Docker Containers: Cloudflared, NPM, Flask app

Traffic Flow Architecture

%%{init: {"theme": "dark", "themeVariables": { "background": "transparent", "clusterBkg": "transparent", "clusterBorder": "transparent", "primaryColor": "#00ff88", "secondaryColor": "#00d4ff", "tertiaryColor": "#ff6b35", "lineColor": "#00ff88", "textColor": "#ffffff", "labelBackground": "transparent", "edgeLabelBackground": "transparent" }, "flowchart": {"diagramPadding": 32, "useMaxWidth": false, "htmlLabels": false}}}%%
graph TD
    %% Theme-aligned styles (match site dark theme)
    classDef Cloud fill:#1a1a1a,stroke:#00d4ff,color:#ffffff,stroke-width:2px,rx:8px,ry:8px;
    classDef Host fill:#1a1a1a,stroke:#00ff88,color:#ffffff,stroke-width:2px,rx:8px,ry:8px;
    classDef App fill:#1a1a1a,stroke:#ff6b35,color:#ffffff,stroke-width:2px,rx:8px,ry:8px;
    classDef Proxy fill:#1a1a1a,stroke:#00ff88,color:#ffffff,stroke-width:2px,rx:8px,ry:8px;
    classDef Firewall fill:#1a1a1a,stroke:#ff4757,color:#ffffff,stroke-width:2px,rx:50%;
    classDef Egress fill:#1a1a1a,stroke:#ffaa00,color:#ffffff,stroke-width:2px,rx:8px,ry:8px;
    classDef User fill:#1a1a1a,stroke:#00ff88,color:#ffffff,stroke-width:2px,rx:50%;

    %% -------------------- INBOUND APPLICATION FLOW --------------------
    A["User Initiated Traffic"]:::User
    B["Cloudflare CNAMEs / DNS"]:::Cloud
    C["Cloudflare Tunnel Service"]:::Cloud
    D{"Linux Host (Local Network)"}:::Host
    E["Mac VLAN Routing"]:::Host
    F("Cloudflared Container"):::Cloud
    G["Reverse Proxy"]:::Proxy
    H(("Flask App Docker Container")):::App

    A -- "HTTPS Request" --> B
    B -- "Routed to CF Edge" --> C
    C -- "Established Tunnel" --> D
    D -- "Route Traffic" --> E
    E -- "Routing" --> F
    F -- "Proxy Request" --> G
    G -- "Proxy" --> H

    %% -------------------- OUTBOUND EGRESS / INTERNET FLOW --------------------
    subgraph "Internal"
        direction LR
        J["PFSense Firewall"]:::Firewall
        K["Isolated NIC"]:::Egress
        L["UDM Pro DMZ Vlan"]:::Egress
        M("Internet"):::User

        D -- "Route Egress Traffic" --> J
        J -- "Secure Forwarding" --> K
        K -- "Physical Connection" --> L
        L -- "WAN Uplink" --> M
    end

    %% -------------------- App Stack to Egress Path --------------------
    H -- "External Resource Fetch" --> D

    %% Link styling for egress routes (dashed, blue)
    linkStyle 7 stroke-dasharray: 5 5, stroke: #00d4ff, stroke-width: 2px;
    linkStyle 8 stroke-dasharray: 5 5, stroke: #00d4ff, stroke-width: 2px;
    linkStyle 9 stroke-dasharray: 5 5, stroke: #00d4ff, stroke-width: 2px;
    linkStyle 10 stroke-dasharray: 5 5, stroke: #00d4ff, stroke-width: 2px;
    linkStyle 11 stroke-dasharray: 5 5, stroke: #00d4ff, stroke-width: 2px;

Project Security Features

Network Segmentation

  • UDM Pro VLAN isolation
  • pfSense DMZ on dedicated NIC
  • MACVLAN for Docker networking
  • IP routing for traffic control
  • Restricted MGMT Network Access

Traffic Management

  • Cloudflare tunnel encryption
  • NPM SSL certificate handling
  • www redirect enforcement
  • Docker network isolation
  • Cloudflare DoS protection

Application Security

  • Secure coding practices
  • Security headers
  • Restrictive CSP policies for JS imports with nonce tokens for inline scripts
  • Reduced attack surface by running container services as a non-root user