CISSP | CISM | vCTO Practice Lead
vCTO Practice Lead at Abacus — serving hedge funds and private equity firms with $50B+ in combined AUM. Twenty years in IT and cybersecurity across financial services and healthcare.
Automated, repeatable assessments covering Entra ID, Exchange Online, SharePoint, Defender, Conditional Access, and AI Tool Discovery & Controls. Built the PowerShell-based collection engine — accelerated with AI tooling — that drives consistent, auditable output across a portfolio of financial services clients.
Executive summaries, remediation roadmaps, and access review dashboards built in Power BI. Complex DAX, Deneb/Vega custom visuals, and data models designed for client-ready delivery to boards and compliance teams.
Built and managed teams of 15+ across MSP environments. Owned client IT budgets in the $500K–$1M+ range, managed vendor and partner relationships, and developed the standardized frameworks, playbooks, and intake processes that make advisory practices scalable.
ZTNA design and implementation for financial services environments, including Entra Private Access and Cisco Umbrella SIG as a VPN replacement and layered network security model.
SEC-aligned technology assessments, HIPAA Security Risk Assessments, and AI governance frameworks for regulated clients. Evaluating and mapping AI platforms — M365 Copilot, Claude Enterprise, ChatGPT, Gemini — against SEC/FINRA requirements, compliance logging obligations, and supervisory control frameworks.
Turning ad-hoc security advisory into scalable, repeatable practices — standardized workflows, intake questionnaires, engineer playbooks, and tiered deliverables across client portfolios. AI tooling applied throughout to accelerate development, documentation, and delivery.
Frameworks & Standards
Client details anonymized. Outcomes are real.
A financial services client was deploying Claude Enterprise across multiple access paths — browser, Claude Desktop, Cowork, and direct API — without a clear picture of where compliance coverage existed and where it didn't. With SEC examination cycles in view, compliance leadership needed a definitive map of what was captured, what wasn't, and what compensating controls were required.
Conducted a structured analysis of all three Claude access paths against six compliance dimensions: device management, Conditional Access, identity and access, file scope, agentic security visibility, and compliance capture and archiving. Identified that Cowork operates outside the Compliance API perimeter by design and requires a separate OTLP archiving pipeline to achieve partial coverage. Documented the key gaps — BYOD exposure via Conditional Access, API key usage bypassing web auth, Cowork session content not natively captured — and designed a layered control model using Entra ID, Cisco Umbrella DNS enforcement, and an AI gateway for programmatic API paths.
Delivered a controlled deployment reference document mapping every access path to its compliance posture, with explicit notation of coverage gaps and required compensating controls. Framework was presentable directly to compliance leadership and external counsel.
The CTM practice lacked a consistent, scalable way to assess client M365 security posture. Assessments were largely manual, inconsistent across engineers, and didn't produce structured data that could drive reporting or track remediation over time. With a growing portfolio of hedge funds and PE firms, the practice needed a repeatable process that could be run reliably by any engineer and deliver uniform client-facing output.
Designed and built a PowerShell-based assessment engine from scratch, covering 16 modules across Entra ID, Exchange Online, SharePoint, and Microsoft Defender. Migrated from deprecated MSOL and AzureAD modules to MS Graph SDK v2 and Exchange Online REST. Defined a Content_ID-keyed data schema producing structured JSON output consumed directly by a Power BI reporting layer — including an Executive Summary page, Deneb/Vega swimlane Remediation Roadmap, and control scoring dashboards. Authored a 38-task CTM Engineer Playbook standardizing the assessment workflow across the team.
Assessment engine deployed and running against live financial services clients. Consistent, automated data collection replaced manual processes. Power BI template provides uniform client-ready deliverables across the practice regardless of which engineer runs the engagement.
A community health center serving 34,000+ patients annually had a badly damaged relationship with their IT provider. Trust was low, projects had stalled, and leadership was weighing a full transition. Inherited the engagement mid-crisis as the technical lead on day one.
Prioritized relationship repair through transparency — assessed the environment honestly, communicated clearly about what was broken and what a realistic path forward looked like, and delivered quickly on the highest-visibility issues. Conducted a full IT SWOT analysis, then designed and scoped a multi-year technology strategy across four focus areas: security enhancements, hardware modernization, network and VoIP upgrades, and EHR transition support. Drove execution across all 12 concurrent projects including M365 migration, HIPAA SRA, Windows 10 refresh of 100+ devices, Meraki network upgrade, MFA deployment, and eClinicalWorks implementation support.
Relationship fully recovered. All 12 projects delivered. Client remained a managed services partner for seven years.
A multi-site rural FQHC had accumulated significant technical debt across every layer of its environment — end-of-life routers and switches, self-hosted infrastructure with no redundancy, 1,000+ stale AD computer accounts, unmonitored UPS systems, no MDM, legacy Exchange still running, and critical OS versions well past end-of-support. A security assessment surfaced 30+ high and critical findings across network, identity, endpoint, and infrastructure.
Scoped and structured a phased remediation program across four execution tracks: immediate fixes, hardware procurement, post-deployment configuration, and ongoing managed services onboarding. Replaced aging Cisco routers with Meraki MX SD-WAN firewalls across all sites, refreshed LAN switches and wireless infrastructure, migrated self-hosted servers to a HIPAA-compliant data center, deployed Intune MDM, and led an identity remediation sprint disabling stale accounts and enforcing MFA across M365 and VPN. Decommissioned legacy Exchange and restructured network segmentation with VLANs.
All critical and high findings resolved. Cloud-managed SD-WAN deployed across all sites. Self-hosted infrastructure decommissioned and migrated. Identity posture materially improved with over 1,000 stale accounts addressed and MFA enforced organization-wide.
A large urban health center was operating on aging workstations, unsupported servers, and outdated SQL infrastructure with no formal patch management, minimal endpoint security, and VPN access that hadn't been meaningfully reviewed in years. The organization needed a partner to own the full technology roadmap — not just respond to tickets.
Assessed the environment, prioritized findings, and designed a comprehensive multi-year modernization program. Scoped and managed a hardware and services budget in excess of $500K covering hyperconverged infrastructure, workstation and server replacement, Meraki network refresh across all sites, and software licensing. Led execution across data center consolidation, M365 migration, MFA deployment, VPN modernization, SQL upgrades, MDM rollout, and encryption compliance — coordinating procurement, vendors, and project delivery across all tracks simultaneously.
Full technology modernization delivered. Organization transitioned from reactive break-fix to a managed, proactive model with documented policies, automated patching, cloud-managed infrastructure, and enforced endpoint security.
You put in the work, fixed the obvious issues, tightened controls, and suddenly the environment behaves the way it always could. That's a win — but it's also when your value proposition has to change. On showing value after the chaos is gone.
NIST, ISO, and CIS aren't out of reach for smaller organizations. Most teams are already patching, backing up, running MFA, and managing EDR — they just don't think of it in control numbers. On bridging the gap between real-world practice and framework language.
AI is great at aggregating and connecting data. End users are notoriously bad at providing it. "It just doesn't work" isn't a ticket — it's a guess. The next big improvement in support isn't automation, it's better intake.
Tickets closed, MTTR, CSAT, uptime — the numbers tell you what changed, but connecting the dots takes context and judgment. A drop in ticket volume could mean users are happier, or it could mean they've given up. On measuring progress, not just motion.
Diversification reduces single-vendor exposure — but every tool you add creates new pathways for incidents to travel. Before expanding your stack, it may be smarter to understand the connections you already have inside your environment.
Leading the Client Technology Management practice for a portfolio of hedge funds and PE firms with $50B+ in combined AUM. Building automated assessment tooling, Power BI reporting infrastructure, and standardized advisory frameworks for financial services clients.
Eleven years across four roles at a healthcare-focused MSP/MSSP. Served as vCTO for some of the largest Federally Qualified Health Centers in the country — delivering multi-site infrastructure modernizations, HIPAA security programs, M365 migrations, and EHR transition support across organizations serving hundreds of thousands of patients. Managed SOC and NOC operations with a team of 15+, sustained 95%+ client satisfaction, and reduced DR/BCP costs by 50% across the client base.
Started through an MSP engagement and transitioned to a full-time director role. Led HIPAA and PCI-DSS compliance programs, reduced the server footprint by 75% through VMware virtualization, and managed Windows Server and Exchange migrations for a growing multi-site nonprofit serving Washington, D.C.
Security programs succeed when they're built to scale — not just to pass an audit.
I manage the vCTO practice at Abacus, a financial services MSP where I own the assessment and advisory relationship for a portfolio of hedge funds and private equity firms with $50B+ in combined assets under management. My work sits at the intersection of technical delivery, practice standardization, and client-facing security leadership — building the tooling and frameworks that let a team deliver consistent, credible advisory at scale.
Before Abacus, I spent eleven years at BlueNovo / Medicus IT in roles from Senior Consultant through VP of IT — running SOC and NOC operations, driving cloud migrations for 20+ clients, and building security programs across a healthcare MSP/MSSP environment. Prior to that, I led IT for SOME, a nonprofit in Washington D.C., where I ran HIPAA and PCI-DSS compliance work and reduced the server footprint by 75% through virtualization.
I hold the CISSP and CISM and bring a practitioner's perspective to every engagement — equally focused on technical outcomes and business impact. I actively apply AI tooling across assessment development, documentation, and client advisory work, and have developed formal AI governance frameworks for regulated clients navigating SEC examination exposure.
Open to conversations about director and VP-level IT and cybersecurity roles, security practice development in financial services, and M365 security consulting engagements.