
About Pharns

GRC engineer, cloud security practitioner, and AAM cybersecurity specialist. I build and secure systems end-to-end: cloud governance frameworks, compliance automation, endpoint hardening, detection tuning, and evidence-ready workflows.

Evidence-first methodology (controls, logs, screenshots), plain-English reporting, AI-assisted with human review, rapid iterations and clear handoffs.

Credentials: WGU B.S. Cybersecurity (Feb 2026) · Security+/Net+/A+ · ITIL4 · ISC² CC/SSCP (Assoc.) · LPI · FAA Part 107 · HAM/GMRS

Scheduled: CySA+/PenTest+ (Jan 2026) · AWS CP/CCSP (Q1 2026)

  • Service-disabled veteran (USAF) — security clearance eligible
  • Patent holder in UAV systems — View patents
  • Active GitHub with public repos — View code
  • Credly-verified certifications — View badges

Professional experience

AAM Cyber, LLC — Founder/Operator

2024 – Present · GRC Consulting

Security consulting practice focused on compliance automation and GRC engineering for SMBs:

  • Healthcare MSP — HIPAA + SOC 2 readiness assessment, 12 control gaps identified, 90-day remediation roadmap
  • Financial Services — PCI-DSS Windows 11 endpoint hardening, 47 controls mapped, <48-hour delivery
  • Law Firm — Comprehensive security assessment, 15,000+ vulnerabilities remediated, M365 hardening
  • Mortgage Company — Windows 11 baseline hardening for regulatory compliance

Built GIAP™ governance automation platform (CISO Assistant + n8n + Nextcloud) for scalable client delivery.

USOG — CEO & Systems Administrator

2018 – 2025 · Drone Logistics & Operations (Winding Down)

Led $5.6M revenue drone logistics company with 18 employees. As a startup, served as both executive and hands-on sysadmin — built the entire IT security infrastructure from a single email address to production-grade systems:

  • Built enterprise infrastructure from scratch — Self-hosted email, file storage (Nextcloud), remote access, backup systems, and security monitoring
  • Implemented CIS Controls v8 (IG1-IG2) — Mapped security baseline to NIST CSF and SOC 2 trust criteria
  • Managed vulnerability remediation — 15,000+ issues identified and resolved across infrastructure
  • Deployed security stack — Dark web monitoring, threat intelligence feeds, endpoint protection, access controls
  • Maintained compliance posture — Documentation, evidence collection, and audit-ready configurations

This wasn't delegated — I architected, deployed, hardened, and maintained every system. Real-world GRC implementation at scale.

Currently winding down operations; transitioning fully to cybersecurity.

United States Air Force — Aeromedical Evacuation Technician

1990 – 2007 · 18 Years Active Duty

Flight nurse with mission-critical operations experience:

  • High-pressure medical operations with strict protocols and documentation
  • Security clearance experience (eligible for reinstatement)
  • Disciplined execution in life-safety environments
  • Service-disabled veteran status

MiraCosta College — Adjunct Educator

UAS/Drone Technology

Taught drone technology courses, demonstrating communication skills and subject matter expertise in aviation systems.


Skills snapshot (ATS keywords)

GRC & Compliance: Risk Assessment · Vendor Risk Management · Privacy Policy Analysis · Security Architecture · Compliance Audit · Control Implementation · Evidence Collection · Policy Development · Third-Party Risk · Compliance Exception Management

Frameworks: NIST CSF · CIS Controls v8 · PCI-DSS v4.0 · SOC 2 · ISO 27001 · FedRAMP (foundational) · IoT/PropTech Privacy

Cloud Security: AWS (IAM, GuardDuty, CloudTrail, S3) · Cloud Governance · Secure Defaults · Logging Pipelines

Detection & IR: SIEM Tuning · Incident Response · Detection Engineering · Log Analysis · Threat Hunting · RF/Wireless Security

Tools: Security Onion · TheHive/Cortex · Nessus · Terraform · n8n · Proxmox · Nextcloud · HackRF · RTL-SDR


What I deliver (GRC focus)

Cloud governance & control implementation:

  • AWS Control Pack: S3 default-deny, GuardDuty findings export with scoped IAM, CIS/NIST mapping — architecture designed, implementation Q1 2026.
  • IAM least privilege, logging foundations, secure defaults with audit trails.

Compliance automation & evidence:

  • GIAP™ governance automation: structured intake workflows with consent management, retention policies, and control mapping.
  • Windows 11 PCI-DSS hardening with evidence pack delivered in under 48 hours.
  • Baseline Evidence Drop: agentless Windows evidence collector with hashes and manifest.

Detection engineering & systems:

  • Detection/IR lab with Security Onion, TheHive/Cortex, custom SIEM rules, and authored detections.
  • TraceLock™ RF/SDR telemetry pipeline: evidence-grade wireless surveillance detection with logging architecture.
  • Built and secured multi-component stacks (Proxmox, Nextcloud, Nginx reverse proxy, SuiteCRM + remote MySQL, SMTP/DNS/certs) with hardened access.

AI-assisted delivery:

  • LLM workflows for policy drafting, control mapping, detection tuning, and documentation generation.
  • Faster turnaround on complex projects with thorough human review and validation.


Open to roles

Primary focus (what I'm targeting):

  • GRC Engineer (technical implementation)
  • Cloud Security Engineer (compliance/governance focus)
  • Security Controls Implementation Specialist
  • Detection Engineer

Specialized depth (differentiators, not distractions):

  • AAM/UAV Security — hands-on drone engineering + security
  • RF/Wireless Security — SDR, spectrum analysis, TraceLock™
  • Cyber-Physical Systems — hardware + software security integration

Growth trajectory:

  • Penetration Testing · Offensive Security (active lab, CySA+/PenTest+ Jan 2026)

Remote-first; open to international collaboration (US/EU/LatAm time zones) and relocation for the right opportunity.


AI-assisted GRC workflows

Traditional GRC work is documentation-heavy: control matrices, policy drafting, evidence collection, runbooks. I use LLM tools to accelerate delivery:

  • Draft policy and control mapping faster with thorough human review
  • Generate structured evidence documentation from logs and screenshots
  • Produce audit-ready runbooks with consistent formatting
  • Maintain living documentation that evolves with infrastructure

Result: Same rigor and quality as traditional approaches, with faster turnaround. More time for high-value work: architecture, implementation, and validation.


Rare combination

Most GRC engineers focus on policy and documentation. I implement the technical controls being documented:

  • GRC discipline: Frameworks (NIST, CIS, PCI-DSS), evidence collection, control matrices
  • Cloud security: AWS IAM/GuardDuty/CloudTrail, secure defaults, logging pipelines
  • Systems engineering: Endpoint hardening, network segmentation, access controls
  • Detection & telemetry: SIEM tuning, RF/wireless detection, evidence logging
  • AI acceleration: Multi-agent workflows for compliance content generation

This combination enables me to audit, design, implement, and document security controls — not just check boxes.


AAM cybersecurity: from builder to defender

I don't just study drone security — I've designed, built, and fielded operational UAV systems.

Hands-on engineering background:

  • Designed and deployed small UAS (SUAS) for real-world missions, including beyond-line-of-sight (BLOS) operations
  • Developed swarm-deployable payload systems with custom avionics integration
  • Authored USPTO patents for UAV delivery and payload mechanisms
  • Built RF telemetry and command/control systems from the ground up

Why this matters for cybersecurity:

When I assess drone security, I understand the attack surface from the inside: firmware vulnerabilities, RF link exploitation, GPS spoofing vectors, and payload tampering. This operational experience — combined with SDR/RF research (TraceLock™) and FAA Part 107 certification — positions me to secure the systems I once built.

Advanced Air Mobility (AAM) is an emerging domain where few practitioners have both engineering depth and security discipline. I bring both.


Connect: LinkedIn | Contact