Senior contract DevSecOps engineer
Secure Cloud platforms
for AI and data workloads.
25 years in IT, the last seven focused on Microsoft Azure — Terraform, Azure DevOps pipelines, Entra ID, Front Door + WAF, Defender for Cloud — with AWS and GCP work earlier in my career. Available for freelance engagements where security and platform engineering matter from day one.
Featured / Open source
This site, built in the open.
Every Terraform module, every workflow, every WAF rule that runs harvtech.co.uk is in a public GitHub repo. It's a working portfolio piece — and a candid record of trade-offs (cost, SKU choice, accepted-with-reasoning security findings) rather than a polished pretence that everything was right first time.
What's running underneath
- Two Terraform stacks (infra + dns) with state in a dedicated platform RG
- GitHub Actions federated to Azure via OIDC — no long-lived secrets
- Front Door Standard + WAF custom rules; site origin locked down where the SKU permits
- Checkov + Trivy + tflint emitting SARIF to GitHub Code Scanning
- Branch protection with required CI checks; admin bypass logged in audit trail
- Dependabot auto-rebasing weekly across GitHub Actions and Terraform providers
What I do
Platform and security work for teams shipping to the cloud.
Cloud platform engineering
Landing zone design, subscription / account structure, hub-spoke networking, identity foundations, RBAC. CAF-aligned on Azure; equivalent patterns on AWS and GCP.
Terraform at scale
Multi-stack repos, remote state with OIDC-federated CI/CD, cross-stack references via terraform_remote_state, declarative imports for legacy resources.
DevSecOps in CI/CD
IaC security scanning (Checkov, Trivy, tflint) with SARIF flowing into Code Scanning. Dependabot, branch protection, deliberate suppressions with documented reasoning.
Edge security
Azure Front Door with WAF custom rules and managed rule sets, custom-domain TLS, rate limiting, network-rule origin restriction within Standard SKU limits.
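As an added illustration of the rate-limiting and origin-restriction points above (example code, not the harvtech.co.uk repo's own configuration), this is a Front Door Standard WAF policy in Terraform with one custom rate-limit rule. Resource names, the resource group, the threshold and the exempt CIDR are hypothetical; the `sku_name` is set to Standard because Azure's managed rule sets are only available on the Premium SKU.

```hcl
# Added example, not the site's own Terraform. Names and values are hypothetical.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "edge" {
  name     = "rg-edge-example"   # hypothetical
  location = "uksouth"
}

resource "azurerm_cdn_frontdoor_firewall_policy" "site" {
  name                = "wafsiteexample"   # hypothetical; alphanumeric only
  resource_group_name = azurerm_resource_group.edge.name
  sku_name            = "Standard_AzureFrontDoor" # managed rule sets require Premium
  enabled             = true
  mode                = "Prevention"             # "Detection" logs without blocking

  # Block any client that exceeds 100 requests per minute from a single IP,
  # except callers inside the exempt range (negated IPMatch = "everyone else").
  custom_rule {
    name                           = "RateLimitPerIp"
    enabled                        = true
    priority                       = 1
    type                           = "RateLimitRule"
    rate_limit_duration_in_minutes = 1
    rate_limit_threshold           = 100          # hypothetical threshold
    action                         = "Block"

    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "IPMatch"
      negation_condition = true
      match_values       = ["192.0.2.0/24"]       # TEST-NET-1, a constructed exempt range
    }
  }
}
```

The policy only takes effect once it is attached to the profile's custom domain through an `azurerm_cdn_frontdoor_security_policy`; start in `Detection` mode, review the WAF logs in Log Analytics for false positives, then switch to `Prevention`. Origin restriction on the Standard SKU is a separate control: a network rule on the origin (for example a Storage account or App Service access restriction) that admits only the `AzureFrontDoor.Backend` service tag, ideally checked together with the `X-Azure-FDID` header so that traffic from other tenants' Front Door profiles is rejected.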
Identity and access
Entra ID Conditional Access, Identity Protection (P2), phishing-resistant MFA rollouts, federated credentials for GitHub Actions, workload identities.
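The "no long-lived secrets" federation mentioned under "What's running underneath" and the federated credentials listed above come down to one Terraform pattern. This is an added example, not the site repo's own code: it registers an Entra ID application, adds a federated identity credential trusting GitHub's OIDC issuer for a single branch, and assigns a role scoped to one resource group. The application name, repository and resource group are hypothetical, and the attribute names follow the hashicorp/azuread v3 provider (`client_id` on the service principal, `application_id` on the credential).

```hcl
# Added example, not the site's own Terraform. Names are hypothetical.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

variable "github_repo" {
  description = "owner/repo whose workflows may assume this identity (hypothetical)"
  type        = string
  default     = "example-org/example-site"
}

variable "platform_rg_name" {
  description = "Resource group holding the Terraform state and platform pieces (hypothetical)"
  type        = string
  default     = "rg-platform-example"
}

data "azurerm_resource_group" "platform" {
  name = var.platform_rg_name
}

# The app registration is the identity GitHub Actions will become. No client secret
# or certificate is created: trust is established purely through the federation below.
resource "azuread_application" "ci" {
  display_name = "gh-actions-infra-ci"
}

resource "azuread_service_principal" "ci" {
  client_id = azuread_application.ci.client_id
}

# Entra ID exchanges a GitHub OIDC token for an Azure token only when the token's
# issuer, subject and audience all match. Pinning the subject to one branch means
# a pull-request build or a feature branch cannot obtain deploy credentials.
resource "azuread_application_federated_identity_credential" "main_branch" {
  application_id = azuread_application.ci.id
  display_name   = "github-main-branch"
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:${var.github_repo}:ref:refs/heads/main"
  audiences      = ["api://AzureADTokenExchange"]
}

# Least privilege: scope the role to the platform resource group rather than the
# subscription, and widen only when a stack genuinely needs it.
resource "azurerm_role_assignment" "ci_contributor" {
  scope                = data.azurerm_resource_group.platform.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.ci.object_id
}

output "ci_client_id" {
  description = "Value to store as a non-secret repository variable for azure/login"
  value       = azuread_application.ci.client_id
}
```

On the GitHub side the workflow needs `permissions: id-token: write` and calls `azure/login` with only the client ID, tenant ID and subscription ID, none of which are secrets. If deployments are gated through a GitHub environment, the subject becomes `repo:owner/repo:environment:<name>` instead of the branch form, which is what lets environment protection rules (required reviewers, branch restrictions) stand between a merge and a `terraform apply`.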
Operations and SRE
Diagnostic settings, Log Analytics, Defender for Cloud, alerting, runbooks, on-call. Postmortems that teach the team, not blame the operator.
Engagements
Available for contract work.
Freelance, UK-based, hybrid or fully remote. Recent contracts at Tokio Marine Kiln and Brit Insurance — happy to talk about either, and about where I'd take a similar engagement next.