I'm a cybersecurity student at Gannon University (graduating May 2026), passionate about breaking things to understand how to protect them better. My interests lie at the intersection of penetration testing, governance, risk, and compliance (GRC), and AI.
When I'm not in class, you'll find me:
- 🔍 Testing web apps for vulnerabilities
- 🤖 Building AI agents to automate security tasks
- ☁️ Exploring cloud security across AWS and Azure environments
- 📚 Learning about compliance frameworks, HIPAA, and risk management
🔐 Security & Pentesting
- Web application penetration testing (SQL injection, XSS, CSRF, auth bypass, JWT abuse)
- API attack surface enumeration with Arjun and Burp Suite
- Cryptographic protocols and encryption — including AES-256-GCM implementation and key management
- Network enumeration, vulnerability assessment, and threat modeling
- SAST pipeline integration with Semgrep (TypeScript, Node.js, JWT, SQL injection, secrets patterns)
- Traffic analysis, packet inspection, and exploit development fundamentals
- Security references: TCM Security curriculum, h4cker (The Art of Hacking), OWASP offensive security checklists
☁️ Cloud & Infrastructure
- AWS: Cognito (MFA enforcement, TOTP, token rotation), S3 (KMS-only upload policy, presigned URLs, blocked public access), RDS PostgreSQL (SSL enforced, encrypted at rest, deletion protection), IAM least-privilege, CloudWatch logging
- Cloudflare: DNS proxying (hides origin IPs), WAF rules, DDoS protection, SSL/TLS Full mode, CNAME management for multi-service routing
- Railway: Full-stack deployment (frontend Next.js + backend Express) with environment isolation and service-level networking
- Azure security services, NSGs, virtual networks, firewalls, and cloud-native security controls
- Linux/Windows system administration, hardening, and network security architecture
- CI/CD pipeline security: GitHub Actions with `npm audit`, `tsc`, Jest, Semgrep SAST on every push/PR
💻 Programming & Automation
- Security automation and scripting; AI agent design and workflow engineering
- Full-stack development: Express + TypeScript backend, Next.js 16 App Router frontend
- Parameterized SQL with explicit column lists and dual-scope query enforcement
- Zod schema validation at all system boundaries; API rate limiting and middleware design
- AI pipeline integration: Google Gemini 2.5 Flash, Groq Llama 3.3-70B fallback, Pinecone vector search
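As an added illustration of the parameterized, explicit-column-list, dual-scope query enforcement listed above (example code, not RevClear's own; the `claims` table, its column allow-list and the UUID format of the scope ids are assumptions):

```typescript
// Added example: dual-scope query enforcement with parameterized SQL and an
// explicit column list. Not RevClear's code; the `claims` table, its column
// allow-list and the UUID format of the scope ids are assumptions.

interface TenantScope {
  organizationId: string;
  clinicianId: string;
}

interface ScopedQuery {
  text: string;      // SQL with $1, $2, ... placeholders (pg style)
  values: unknown[]; // bound parameters, never interpolated into text
}

// Only allow-listed columns may be selected: no SELECT *, so a newly added
// PHI column is never returned by accident.
const ALLOWED_COLUMNS: ReadonlySet<string> = new Set([
  "id", "patient_ref", "status", "created_at",
]);

const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Every SELECT built here carries BOTH tenant predicates, so rows cannot be
// read across organizations, nor across clinicians inside one organization.
function buildScopedSelect(
  table: string,
  columns: string[],
  scope: TenantScope,
  extra?: { column: string; value: unknown },
): ScopedQuery {
  if (!/^[a-z_]+$/.test(table)) throw new Error("invalid table name");
  if (columns.length === 0) throw new Error("explicit column list required");
  for (const c of columns) {
    if (!ALLOWED_COLUMNS.has(c)) throw new Error(`column not allowed: ${c}`);
  }
  if (!UUID_RE.test(scope.organizationId) || !UUID_RE.test(scope.clinicianId)) {
    throw new Error("both organization_id and clinician_id are required");
  }
  const values: unknown[] = [scope.organizationId, scope.clinicianId];
  let where = "organization_id = $1 AND clinician_id = $2";
  if (extra) {
    if (!ALLOWED_COLUMNS.has(extra.column)) throw new Error("filter column not allowed");
    values.push(extra.value);
    where += ` AND ${extra.column} = $${values.length}`;
  }
  return { text: `SELECT ${columns.join(", ")} FROM ${table} WHERE ${where}`, values };
}
```

A caller cannot obtain a query without both scope ids, so a handler that forgets one fails at build time instead of returning another tenant's rows.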
📋 GRC & Compliance
- HIPAA implementation: 45 CFR §164.312(b) audit logging — 100+ PHI field keys masked, UUID path segments scrubbed, JTI SHA-256 hashed; BAA enforcement with AssemblyAI for transcription; PHI encryption using AES-256-GCM with authenticated wire format
- Dual-scope data isolation: every PHI query enforces both `organization_id` AND `clinician_id` — no cross-tenant exposure
- Security monitoring: brute force detection (5 failed auths/5 min → 15-min IP block), SQL/XSS regex pattern blocking, 404 scanning detection (20/5 min → block)
- JWT security: httpOnly cookies only (never localStorage), JTI replay protection via active session DB lookup, mandatory TOTP MFA at AWS Cognito User Pool level
- NIST, ISO 27001 concepts; risk assessment, security policy fundamentals; Scout2 cloud security assessment framework
- Awareness of algorithmic bias in AI-assisted clinical tools and ethical obligations in healthcare technology
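The brute-force and 404-scanning thresholds listed above, as an added sliding-window implementation (example code, not RevClear's; in-memory state, a 15-minute block for the scanning rule and the sample IPs are assumptions):

```typescript
// Added example: threshold-based IP blocking over a sliding time window,
// using the figures from the list above. Not RevClear's code; in-memory
// state and a 15-minute block for the 404 rule are assumptions.

class SlidingWindowBlocker {
  private readonly events = new Map<string, number[]>();
  private readonly blockedUntil = new Map<string, number>();

  constructor(
    private readonly threshold: number, // events that trigger a block
    private readonly windowMs: number,  // lookback window
    private readonly blockMs: number,   // block duration once triggered
  ) {}

  // True while the IP is inside an active block; expired blocks are cleared.
  isBlocked(ip: string, now: number): boolean {
    const until = this.blockedUntil.get(ip);
    if (until === undefined) return false;
    if (now >= until) { this.blockedUntil.delete(ip); return false; }
    return true;
  }

  // Records one suspicious event (failed auth, 404, ...) and returns true
  // when the IP is blocked, including the event that tripped the block.
  record(ip: string, now: number): boolean {
    if (this.isBlocked(ip, now)) return true;
    const recent = (this.events.get(ip) ?? []).filter(t => now - t < this.windowMs);
    recent.push(now);
    this.events.set(ip, recent);
    if (recent.length >= this.threshold) {
      this.blockedUntil.set(ip, now + this.blockMs);
      this.events.delete(ip); // counter starts fresh after the block expires
      return true;
    }
    return false;
  }
}

const MIN = 60_000;
// 5 failed authentications within 5 minutes -> 15-minute IP block
const authFailures = new SlidingWindowBlocker(5, 5 * MIN, 15 * MIN);
// 20 responses with status 404 within 5 minutes -> block (15 min assumed)
const notFoundScans = new SlidingWindowBlocker(20, 5 * MIN, 15 * MIN);

// Middleware-shaped check: reject a request from a blocked IP before routing.
function checkIp(ip: string, now: number = Date.now()): { allowed: boolean } {
  return { allowed: !authFailures.isBlocked(ip, now) && !notFoundScans.isBlocked(ip, now) };
}
```

Passing `now` explicitly keeps the detector testable without waiting for real time to pass; a production deployment would back the two maps with a shared store so that blocks survive restarts and apply across replicas.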
RevClear is an AI-assisted medical claims platform I built as my senior capstone at Gannon University, live at revclear.tech. The source code is publicly available on GitHub. It automates the full clinical billing pipeline: audio recording → SOAP note generation → ICD-10/CPT code matching → EDI 837 claim file.
```
Patient Audio
|
v
AssemblyAI (HIPAA BAA, presigned S3 URL, 120s TTL)
|
v
AWS S3 (KMS-only upload, blocked public access)
|
v
Google Gemini 2.5 Flash (SOAP generation)
-- fallback --> Groq Llama 3.3-70B
|
v
Pinecone Vector DB (ICD-10 + CPT namespace search)
|
v
Async Job Pattern (202 + polling, 10-min TTL → prevents 504)
|
v
EDI 837 Claim File
|
v
Railway Backend (Express + TypeScript) <-- Cloudflare WAF/DNS
|
v
Railway Frontend (Next.js 16 App Router)
```
Built to the Eight Golden Rules of Interface Design (Shneiderman): consistency across all views, shortcuts for power users, informative error messages, error prevention through Zod validation at all boundaries, and clear visual hierarchy via consistent component patterns throughout the dashboard.
Building intelligent AI agents for security automation — from instruction engineering to workflow optimization. Exploring how LLMs can assist in security operations.
Hands-on Azure security implementation: NSGs, Virtual Networks, firewalls, and cloud-native security controls.
Working on projects involving web app pentesting, threat hunting, and security orchestration.
```python
current_focus = {
    "penetration_testing": ["Web app security", "CTF challenges", "JWT abuse", "API enumeration"],
    "grc": ["HIPAA implementation", "Risk assessment", "Compliance frameworks"],
    "automation": ["AI agent workflows", "Security orchestration", "Semgrep SAST pipelines"],
    "cloud_security": ["AWS security services", "Cloudflare WAF", "Cloud compliance"],
}
```

I'm always open to connecting with fellow security enthusiasts, discussing projects, or just chatting about cybersecurity!
📧 Email Me • 💼 LinkedIn • 🐙 GitHub