Shift Smart, Not Just Left
Security bolted to a sprint is a tax. Built into the platform it’s invisible — and teams ship faster because of it. The paved road must be the secure road.
// secure-by-default · zero-trust · evidence-driven · active
Anshumaan Singh
I engineer security the same way high-scale teams engineer reliability — as a system property designed, enforced, and continuously verified. Production behavior must remain predictable even under adversarial pressure.
Information Security Analyst (IC-2) at ZEE Entertainment, building security control planes across CI/CD, artifact supply chains, Kubernetes runtime, and GCP cloud governance — securing 350+ microservices so that insecure paths become operationally hard and secure delivery is the default.
0+
Microservices secured
0+
CI/CD security gates
0
Pro certifications
0+
Years in security
Anshumaan Singh
Security Systems Engineer
@ ZEE Entertainment
CKS
CKA
GCP
TF
GitHub Actions
Trivy
SBOM
kubeaudit
OWASP ZAP
Terraform
About Me
Most security teams react. Watch alerts. Triage tickets. Ship reports. I build systems where the dangerous path is operationally hard before anyone notices it exists.
At ZEE Entertainment I secured 350+ microservices from code commit to production — not by reviewing more, but by making insecure releases structurally impossible. No bypass paths. No rebuilds in prod. No “we’ll fix it next sprint.”
I treat security the way reliability engineers treat uptime: with invariants. If a control can be bypassed — it isn’t one. If a gate produces noise — it erodes trust. If evidence doesn’t travel with the release — it doesn’t exist. That’s the philosophy behind everything I ship.
350+
microservices in scope
6
industry certifications
2+
years at ZEE
3
cloud platforms secured
Engineering Philosophy
Six principles tested under production pressure — not borrowed from a framework.
Identity is the Control Plane
Network perimeters trust the packet. I trust the identity. Short-lived, OIDC-federated, cryptographically verifiable — unforgeable by design.
Guardrails over Gates
Gates block. Guardrails guide. One kills velocity — the other multiplies it. Build systems where the safe path is also the easiest path.
Detection as Code
An alert no one acts on is just log noise with extra steps. Every detection I ship maps to a playbook and a decision — not a Slack ping.
Evidence over Assertions
Don’t tell auditors you’re secure — show them. SBOM linked to commit. Scan output signed. Promotion gate logged. Theater out. Evidence in.
Risk-based, Not Fear-based
Not every critical CVE is worth blocking. Not every low is safe to ship. CVSS + EPSS + reachability = one decision: block, allow with evidence, or accept with expiry.
What I Built
Real pipelines. Real enforcement. Built for 350+ services — not a conference slide.
CI/CD Security Control Plane
- Multi-stage DevSecOps pipelines: build → scan → deploy → post-deploy validate.
- PR-only merges + CODEOWNERS + branch protections to eliminate bypass paths.
- Dependency ordering: verify → build → tag → scan → push → deploy → notify.
- Slack release telemetry with commit/build metadata + scan artifact retention.
Supply Chain Integrity + SBOM
- Immutable image versioning — removed latest tags to eliminate deployment drift.
- Build once → promote: Dev → UAT → Prod without rebuilds in production.
- Evidence chain: scan outputs + approvals + image digest tracking per release.
- Only scanned + approved digests via registry path enforcement.
Kubernetes Runtime Guardrails
- kubeaudit to detect risky workload patterns and enforce baseline hygiene.
- Secure deployment baseline: healthchecks, limits, safe defaults, namespace patterns.
- Prevented privileged workloads and unsafe configurations at admission time.
AppSec + Secrets Remediation
- Led response for hardcoded Azure storage keys, OAuth secrets, leaked tokens.
- Coordinated safe rotation workflows with zero production impact.
- Web / API / Mobile penetration testing with actionable remediation guidance.
System Design
I don’t patch systems. I design them to hold under pressure — where invariants replace assumptions and every control is structural, not procedural.
Core Security Invariants
- Identity is the control plane — short-lived, least privilege.
- Verification is deterministic — non-bypassable CI gates + evidence.
- Artifacts are immutable — digests + controlled promotion paths.
- Runtime is constrained — policy + RBAC + secure contexts.
- Everything is auditable — logs + scan outputs + approvals.
Design Principles
- Guardrails over manual reviews — automate the safety net.
- Secure paved roads enable engineering velocity.
- Risk-based gating — severity + exploitability + probability.
- Policy as code, evidence as artifacts, everything traceable.
- Commit → build → digest → deployment end-to-end traceability.
Reference Architecture
Source to prod. No untrusted artifact reaches runtime. Every transition has a gate and a receipt.
Pipeline Evidence Snapshot
SBOM / Attestation / Scan pipeline output
Proof-of-implementation artifact — real pipeline output, not a diagram.
// Every release is trustworthy — or it doesn't ship.
Source Governance
- Pre-commit + signed commits + PR-only merges
- CODEOWNERS + branch protection + required checks
- Main branch as single source of truth
CI Verification
- Ephemeral runners + deterministic security gates
- SAST + SCA + Secrets + IaC enforced at build time
- Quality gate: pass/fail with evidence artifacts retained
Supply Chain
- Build once → scan → SBOM → provenance signed
- Image digest tracking + immutability
- Evidence travels with release Dev→UAT→Prod
Runtime Enforcement
- Admission policy blocks unsafe workloads
- RBAC + namespaces + securityContext reduces blast radius
- Audit logs + SIEM + IR playbooks
Case Studies
Not hypotheticals. Not labs. These happened — here’s what I did.
Secrets Leakage Response
- Detected hardcoded Azure Storage keys + OAuth secrets — validated exposure scope.
- Coordinated secure rotation without production downtime.
- Implemented prevention: secret scanning + branch protections + audit evidence.
✓ Reduced recurrence through enforcement + governance
Scanner Inconsistency Analysis
- Prisma returned zero CVEs for known-vulnerable images — root-caused the gap.
- Cross-validated with Trivy + public CVE refs to confirm true risk exposure.
- Improved pipeline trust: scan evidence retention + multi-scanner validation.
✓ Fewer failures from scanner inconsistency
Controlled Promotions
- "Build once, promote many" — no rebuilds in prod, no drift.
- Approval gates + registry path enforcement block unauthorized deployments.
- Digest-level traceability across all environments.
✓ Full commit-to-production traceability
OWASP ZAP DAST + K8s
- Automated DAST via kubectl runtime service discovery for real endpoints.
- Post-deploy checks reflecting production-like behavior (not assumptions).
- Integrated into CI/CD with blocking thresholds and evidence retention.
✓ Improved coverage beyond static analysis
Threat Model
I model threats the way attackers think — not the way auditors check boxes. Kill-chain mapped. Response-ready. No theoretical vectors that can’t be exploited.
Primary Threat Vectors
- Credential theft — tokens, OAuth secrets, cloud keys
- Pipeline compromise — runner persistence, secret exposure
- Dependency compromise — typosquatting, malicious packages
- Container base image vulnerabilities + drift via mutable tags
- Kubernetes privilege escalation — privileged pods, host mounts
- Lateral movement — east-west traffic abuse
- Data exfiltration — egress misuse, weak PII boundaries
Kill Chain Defense Mapping
- Recon → WAF + rate limiting + minimal exposure
- Initial Access → secrets scanning + SAST + admission deny
- Privilege Escalation → RBAC + securityContext hardening
- Lateral Movement → segmentation + NetworkPolicy + mTLS
- Exfiltration → egress restrictions + PII boundaries
- Impact → SIEM detections + IR containment playbooks
Evidence
Saying you ran the scan isn’t evidence. Here’s what real pipeline evidence looks like.
Evidence Pack Includes
- SAST, SCA, Secrets, IaC, Image scan, DAST reports per build
- Build metadata: workflow run ID, commit SHA, branch, actor
- Artifact metadata: image digest, tags, registry path
- Promotion approvals: QA gates / policy decisions per stage
- All artifacts retained per pipeline for compliance and RCA
SBOM Snapshot — Real Output
Real pipeline artifact attached to a release. Not mocked.
Risk Engine
Not every critical CVE should block a release. Not every low-severity is safe to ignore. This is how I separate signal from noise and keep engineering teams moving.
Risk Scoring Inputs
- CVSS → technical severity baseline
- EPSS → likelihood of exploitation in the wild
- Exploit maturity → public exploit availability
- Reachability → exposed surface + runtime path analysis
- Compensating controls → RBAC, WAF, egress restrictions
Policy Gate Outcomes
- Block — exploitable criticals or active policy violations
- Allow + evidence — low risk with full traceability
- Exception + expiry — tracked risk acceptance
- Auto-promote — clean evidence + approved digest
Experience
Two years. One team. One mission: make insecure releases structurally impossible across 350+ microservices.
ZEE Entertainment Enterprises Ltd
Information Security Analyst (IC-2)
350+ microservices
CI/CD gates
SBOM
K8s guardrails
Scope
Security engineering across cloud-native delivery for 350+ microservices from
code → pipeline → registry → Kubernetes runtime.
CI/CD Security Control Plane
- Engineered CI/CD Security Control Plane: deterministic enforcement across build, scan, deploy, and post-deploy validation.
- PR-only merge governance: CODEOWNERS + branch protections + required checks to eliminate main-bypass risk.
- Multi-language SAST + SCA for Maven/Node with policy thresholds blocking high-risk dependencies.
- Organization-wide secret scanning: OAuth secrets, cloud keys, hardcoded tokens across all repositories.
- Container scanning: Prisma Cloud (twistcli) + Trivy cross-validation to reduce scanner trust failures.
- IaC scanning to prevent insecure K8s manifests/cloud misconfigs from reaching runtime.
- OWASP ZAP DAST with kubectl dynamic URL extraction for post-deploy validation coverage.
- Pipeline order: verify → build → tag → scan → push → deploy → validate → notify.
- Evidence retention: scan outputs, logs, approvals, digests per pipeline for compliance and RCA.
- Slack release telemetry with commit/build/actor metadata to reduce release ambiguity.
- Parallel scanning stages: improved velocity while preserving enforcement integrity.
Supply Chain Security + SBOM
- Controlled artifact promotion: QA promotes images separately for UAT/Prod — no rebuilds in production.
- Immutable versioning (v1.0) prevents deployment drift caused by mutable latest tags.
- Only scanned + approved images eligible for deployment via digest-level validation.
- Evidence model: scan results + approvals + digest tracking = attestation-ready delivery.
- Traceability: commit → build → image digest → deployment across all environments.
- Promotion gates to block images not present in approved registry paths.
Kubernetes Security Engineering
- kubeaudit to detect risky cluster/workload configurations at scale.
- Baseline enforcement: secure probes, resource limits, safe defaults, namespace isolation.
- Privileged workload prevention and unsafe pattern blocking via admission enforcement.
- Kubernetes cluster setup + validation with kubeadm (v1.28.1).
- Blast radius control through workload boundaries and least-privilege patterns.
- Achieved 100% CIS Kubernetes Benchmark (v1.5.1) compliance across production clusters.
- Achieved 93% OWASP Top 10 (2022) coverage across application security scope.
Cloud Governance + Migration Security
- Secure cloud governance strategy across environments and teams.
- Secure IAM and access boundary design to reduce cloud attack surface.
- GCP migration security design for HIPI project.
- Posture improvements aligned with production delivery requirements.
- Governance as guardrails (policy-as-code) not documentation-only controls.
- Strengthened GitHub Enterprise security with org-level controls, audit logging, and SIEM detections.
- Built Golden Image pipeline for CIS-compliant Linux images with automated OS hardening.
- Enforced perimeter security using Conditional Access + IP restrictions + service controls.
AppSec + Secrets Remediation
- Web, API, and mobile penetration testing across application security scope.
- Auth, access control, API misuse, and misconfiguration validation.
- Secure design review and remediation guidance for engineering teams.
- Led response for hardcoded Azure Storage Account keys and OAuth credentials in source control.
- Coordinated secret rotation safely, zero production impact.
- Bridge between AppSec + DevOps + QA + Engineering for secure releases at scale.
Education
M.Tech — Software Systems (Cybersecurity)
Work-integrated postgraduate: secure software engineering, applied security architecture, cloud security, IAM, and assurance across SDLC.
Vellore Institute of Technology, Chennai
B.Tech — Electronics & Communication Engineering
Engineering foundations: systems, networks, embedded systems, signal processing, and computing fundamentals.
Projects
Code I wrote. Problems I solved. You can see the commits.
Netflix Clone — Secure CI/CD from Scratch
- CI/CD: SAST, SCA, secrets scanning, Trivy image scan, controlled deployment.
- Slack notifications with build + commit metadata for full visibility.
- Immutable image tags (v1.0) + evidence retention per pipeline run.
Trivy
SAST
SCA
Secrets Scan
Kubernetes Security Validation Toolkit
- kubeaudit + cluster checks for misconfiguration detection.
- Baseline enforcement for risky workload patterns across namespaces.
- Findings mapped to remediation playbooks for engineering teams.
kubeaudit
RBAC
OPA
NetworkPolicy
Explorer — What's Next
What I’m actively pulling apart, rebuilding, and planning to ship next.
Secure Build Provenance
- Extending provenance metadata to include environment and runner identity.
- Attestation improvements for artifact traceability Dev→UAT→Prod.
Policy as Code Expansion
- Strengthening policy gates for Kubernetes workload hardening at scale.
- Registry path enforcement + digest allowlisting per environment.
Risk-based Security Gates
- Reducing false positives by aligning severity with exploitability + EPSS.
- Tracked risk acceptance with expiry-based policy exceptions.
Security Metrics + KPIs
- Gate pass rate, MTTR, recurrence tracking for secrets leakage.
- Dashboards for release integrity and evidence coverage across teams.
Skills
Tools I’ve shipped in production. Not a wish list.
DevSecOps + CI/CD
SAST
SCA
DAST
Application Security
kubeaudit
OPA
Kubernetes Security
Cloud + Infrastructure
Trivy
Syft
Cosign
SBOM
Supply Chain Security
SIEM
Falco
SOAR
CVSS
EPSS
Detection + Response
Certifications
Six industry exams. All passed. Click any to verify.
CKS
Certified Kubernetes Security Specialist
Verify on Credly ↗
CKA
Certified Kubernetes Administrator
Verify on Credly ↗
GCP Security
Professional Cloud Security Engineer
Verify on Credly ↗
GCP PCA
Professional Cloud Architect
Verify on Credly ↗
Terraform
Terraform Associate
Verify on Credly ↗
GCP ACE
Associate Cloud Engineer
Verify on Credly ↗
Google Cloud Skills Boost: View Profile ↗
Achievements
Recognition & Honours
- Promoted to IC-2 with Top Performance Rating 5-A — FY 2024–25.
- ZeeOlympics Best Performer Award — FY 2023–24 and FY 2024–25 (back-to-back winner).
- Winner — GitHub Tech After Dark Security Quiz.
- Multiple Google Cloud Skills Boost achievements across security and architecture tracks.
- 221 Medium followers · 700+ claps across 10+ published security engineering articles.
Engineering Outcomes
- Security enforcement framework across 350+ microservices — code → pipeline → registry → runtime.
- 100% CIS Kubernetes Benchmark (v1.5.1) compliance across production clusters.
- 93% OWASP Top 10 (2022) coverage across application security scope.
- Zero production downtime across all secret rotation and incident response events.
- Built Golden Image pipeline for CIS-compliant Linux images with automated OS hardening.
Writing & Publications
221 followers
/
700+ claps
/
10+ articles published
/
Security engineering depth — written for practitioners, not marketing
Runtime Security
👏 115
Most Read
CrowdStrike Falcon
Kubernetes Runtime Security: Deploying CrowdStrike Falcon Sensor via Helm Charts
Production-grade deployment of CrowdStrike Falcon sensor across Kubernetes clusters — runtime threat detection, DaemonSet topology, and Helm-managed rollouts.
DevSecOps
👏 106
Security CLI
Log Analysis
100 Essential Linux Commands for Security & DevSecOps Professionals
A curated reference every security engineer must master — file inspection, network forensics, process analysis, log investigation, and system hardening from the terminal.
Cloud Security
👏 104
IAM
Cloud Armor
SCC
VPC SC
Mastering Google Cloud Security: Best Practices for a Resilient GCP Infrastructure
IAM hardening, Cloud Armor WAF, Security Command Center, VPC Service Controls, and posture management for enterprise GCP environments.
Compliance
👏 101
ISO 27001
SOC 2
HIPAA
PCI DSS
A Deep Dive into Security Compliance: ISO 27001, SOC 2, HIPAA, PCI DSS & More
What each major compliance framework actually requires, where they overlap, and a pragmatic plan for implementation across engineering and security teams.
Multi-Cloud
👏 50
Latest
Cloud Security That Actually Prevents Incidents: Lessons from Production
Real lessons from implementing cloud security across AWS, GCP, and Azure in production — what actually prevents incidents versus what is security theater.
221 Medium followers
·
700+ total claps
·
10+ published articles
View all on Medium ↗
View all on Medium ↗
Connect
If you’re building security that has to hold under pressure — or breaking systems to find out what doesn’t — I want to hear from you.