About Pharns

GRC engineer, cloud security practitioner, and AAM cybersecurity specialist. I build and secure systems end-to-end: cloud governance frameworks, compliance automation, endpoint hardening, detection tuning, and evidence-ready workflows.

Core proof (7-second scan):

  • Built and secured production infrastructure for a drone logistics startup; CIS v8 (IG1-IG2) mapped to NIST CSF/SOC 2
  • Delivered client compliance wins in healthcare, financial services, and legal services (HIPAA, SOC 2, PCI-DSS)
  • AAM/UAS depth with patents and operational experience; FAA Part 107, RF/SDR research

Credentials: WGU B.S. Cybersecurity (Feb 2026) · Security+/Net+/A+ · ITIL4 · ISC² CC/SSCP (Assoc.) · LPI · FAA Part 107 · HAM/GMRS
Earned (Feb 2026): CySA+ · CSAP · Pending: PenTest+ · Planned: AWS CP/CCSP (Q1 2026)

Links: Patents · GitHub · Credly


Professional experience

AAM Cyber — Founder/Operator

2024 – Present · GRC Consulting

Security consulting practice focused on compliance automation and GRC engineering for SMBs:

  • Healthcare MSP — HIPAA + SOC 2 readiness assessment, 12 control gaps identified, 90-day remediation roadmap
  • Financial Services — PCI-DSS Windows 11 endpoint hardening, 47 controls mapped, <48-hour delivery
  • Law Firm — Comprehensive security assessment, high-volume vulnerability remediation, M365 hardening
  • Mortgage Company — Windows 11 baseline hardening for regulatory compliance

Built GIAP™ governance automation platform (CISO Assistant + n8n + Nextcloud) for scalable client delivery.

USOG — CEO & Systems Administrator

2018 – 2025 · Drone Logistics & Operations (Winding Down)

Led $5.6M revenue drone logistics company with 18 employees. As a startup, served as both executive and hands-on sysadmin — built the entire IT security infrastructure from a single email address to production-grade systems:

  • Built enterprise infrastructure from scratch — Self-hosted email, file storage (Nextcloud), remote access, backup systems, and security monitoring
  • Implemented CIS Controls v8 (IG1-IG2) — Mapped security baseline to NIST CSF and SOC 2 trust criteria
  • Managed vulnerability remediation — 15,000+ issues identified and resolved across multi-year infrastructure
  • Deployed security stack — Dark web monitoring, threat intelligence feeds, endpoint protection, access controls
  • Maintained compliance posture — Documentation, evidence collection, and audit-ready configurations

This wasn't delegated — I architected, deployed, hardened, and maintained every system. Real-world GRC implementation at scale.

Currently winding down operations; transitioning fully to cybersecurity.

United States Air Force — Aeromedical Evacuation Technician

1990 – 2007 · Military Career

Flight nurse with mission-critical operations experience:

  • High-pressure medical operations with strict protocols and documentation
  • Security clearance experience (eligible for reinstatement)
  • Disciplined execution in life-safety environments
  • Service-disabled veteran status

MiraCosta College — Adjunct Educator

UAS/Drone Technology

Taught drone technology courses, demonstrating communication skills and subject matter expertise in aviation systems.


Career journey: Mission-critical → Builder → Defender

Each phase built capabilities that compound in cybersecurity:

Phase | Role | What I Learned | How It Applies
USAF (career) | Aeromedical Evacuation | Mission-critical operations, protocols, documentation, clearance experience | Disciplined execution, compliance mindset, audit culture
USOG (7 years) | CEO + Sysadmin | Built IT infrastructure for $5.6M company from scratch | Hands-on implementation, vulnerability management, production security
AAM Cyber (current) | GRC Consultant | Client delivery across HIPAA, PCI-DSS, SOC 2 | Framework expertise, evidence pipelines, compliance automation

The thread: I've operated in environments where failure has consequences — medical missions, business operations, client compliance. That operational discipline carries into how I approach security: systematic, documented, evidence-ready.

What this means for hiring managers: I'm not learning on the job. I've managed production systems, delivered under deadlines, and maintained compliance across years of operations. The cybersecurity certifications formalize experience I already have.


Skills snapshot

GRC & Compliance: Risk Assessment · Vendor Risk Management · Privacy Policy Analysis · Security Architecture · Compliance Audit · Control Implementation · Evidence Collection · Policy Development · Third-Party Risk · Compliance Exception Management

Frameworks: NIST CSF · CIS Controls v8 · PCI-DSS v4.0 · SOC 2 · ISO 27001 · FedRAMP (foundational) · IoT/PropTech Privacy

Cloud Security: AWS (IAM, GuardDuty, CloudTrail, S3) · Cloud Governance · Secure Defaults · Logging Pipelines

Detection & IR: SIEM Tuning · Incident Response · Detection Engineering · Log Analysis · Threat Hunting · RF/Wireless Security

Tools: Security Onion · TheHive/Cortex · Nessus · Terraform · n8n · Proxmox · Nextcloud · HackRF · RTL-SDR


What I deliver

Cloud governance & control implementation:

  • AWS Control Pack: S3 default-deny, GuardDuty findings export with scoped IAM, CIS/NIST mapping — architecture designed, implementation Q1 2026.
  • IAM least privilege, logging foundations, secure defaults with audit trails.

Compliance automation & evidence:

  • GIAP™ governance automation: structured intake workflows with consent management, retention policies, and control mapping.
  • Windows 11 PCI-DSS hardening with evidence pack delivered in under 48 hours.
  • Baseline Evidence Drop: agentless Windows evidence collector with hashes and manifest.

Detection engineering & systems:

  • Detection/IR lab with Security Onion, TheHive/Cortex, custom SIEM rules, and authored detections.
  • TraceLock™ RF/SDR telemetry pipeline: evidence-grade wireless surveillance detection with logging architecture.
  • Built and secured multi-component stacks (Proxmox, Nextcloud, Nginx reverse proxy, SuiteCRM + remote MySQL, SMTP/DNS/certs) with hardened access.

AI-assisted delivery:

  • LLM workflows for policy drafting, control mapping, detection tuning, and documentation generation
  • Faster turnaround on complex projects with thorough human review and validation


Open to roles

Primary focus:

  • GRC Engineer (technical implementation)
  • Cloud Security Engineer (compliance/governance focus)
  • Security Controls Implementation Specialist
  • Detection Engineer

Specialized depth:

  • AAM/UAV Security — hands-on drone engineering + security
  • RF/Wireless Security — SDR, spectrum analysis, TraceLock™
  • Cyber-Physical Systems — hardware + software security integration

Growth trajectory:

  • Penetration Testing · Offensive Security (active lab, CySA+ earned Feb 2026, PenTest+ pending)

Actively seeking international opportunities. Remote-first with async collaboration experience across US/EU/LatAm time zones. Contractor/consulting available for non-US companies; visa sponsorship required for relocation.


AI-assisted GRC workflows

Traditional GRC work is documentation-heavy: control matrices, policy drafting, evidence collection, runbooks. I use LLM tools to accelerate delivery:

  • Draft policy and control mapping faster with thorough human review
  • Generate structured evidence documentation from logs and screenshots
  • Produce audit-ready runbooks with consistent formatting
  • Maintain living documentation that evolves with infrastructure

Result: Same rigor and quality as traditional approaches, with faster turnaround. More time for high-value work: architecture, implementation, and validation.


Rare combination

Where most GRC engineers stop at policy, I continue through implementation:

  • GRC discipline: Frameworks (NIST, CIS, PCI-DSS), evidence collection, control matrices
  • Cloud security: AWS IAM/GuardDuty/CloudTrail, secure defaults, logging pipelines
  • Systems engineering: Endpoint hardening, network segmentation, access controls
  • Detection & telemetry: SIEM tuning, RF/wireless detection, evidence logging
  • AI acceleration: Multi-agent workflows for compliance content generation

This combination enables me to audit, design, implement, and document security controls — not just check boxes.


AAM cybersecurity: from builder to defender

I don't just study drone security — I've designed, built, and fielded operational UAV systems.

Hands-on engineering background:

  • Designed and deployed small UAS (SUAS) for real-world missions, including beyond-visual-line-of-sight (BVLOS) operations
  • Developed swarm-deployable payload systems with custom avionics integration
  • Authored USPTO patents for UAV delivery and payload mechanisms
  • Built RF telemetry and command/control systems from the ground up

Why this matters for cybersecurity:

When I assess drone security, I understand the attack surface from the inside: firmware vulnerabilities, RF link exploitation, GPS spoofing vectors, and payload tampering. This operational experience — combined with SDR/RF research (TraceLock™) and FAA Part 107 certification — positions me to secure the systems I once built.

Advanced Air Mobility (AAM) is an emerging domain where few practitioners have both engineering depth and security discipline. I bring both.


Connect: LinkedIn | View Resume | Contact