I'm a Senior Cloud Security Software Engineer with 7+ years of experience building secure, scalable cloud-native systems. Based in Bengaluru, I specialize in securing Kubernetes clusters, container runtimes, service meshes, and cloud infrastructure through code. I focus on security-first design for distributed systems, building tools that harden cloud workloads, and automating security controls at scale across AWS, GCP, and on-premise data centers.
- Languages: Go, Rust, Python, TypeScript, C/C++, Zig, Assembly (x86-64, ARM64), Bash/Shell scripting, Lua, eBPF C
- Core CS Concepts: Data Structures and Algorithms, OOP concepts, Distributed systems, Concurrency patterns, Consensus algorithms (Raft, Paxos), CAP theorem, Event-driven architecture, CQRS/Event Sourcing, Microservices patterns, Zero-trust architecture
- Cloud & Platforms: AWS, Azure, GCP, Kubernetes (EKS, GKE, AKS), RHEL, Crossplane, Terraform, OpenStack, VMware vSphere, Proxmox, CloudStack, Pulumi, Ansible, OpenShift, Rancher, k3s, k0s, Talos Linux
- Containers & Observability: containerd, CRI-O, Docker, Helm, Prometheus, Grafana, OpenTelemetry, Jaeger, Tempo, Loki, Fluentd, Fluent Bit, Thanos, Cortex, VictoriaMetrics, Datadog, New Relic, Elastic Stack (ELK), Kiali, Pixie
- Kernel & Low-Level: eBPF, XDP, io_uring, cgroups, namespaces, seccomp, AppArmor, SELinux, Landlock LSM, nftables, iptables, DPDK, AF_XDP, BPF CO-RE, libbpf, bpftrace
- Security & Compliance: Falco, MITRE ATT&CK, SPIRE/SPIFFE, cert-manager, Aqua, Tracee, Tetragon, in-toto, Sigstore (Cosign, Rekor, Fulcio), Notary, Harbor, Trivy, Grype, Syft, Clair, Snyk, OPA (Open Policy Agent), Kyverno, Gatekeeper, Vault, External Secrets Operator, Sealed Secrets, KMS (AWS/Azure/GCP), Keycloak, Dex, OAuth2-Proxy, Istio AuthZ, Linkerd Policy, Envoy external authz, CIS Benchmarks, NIST frameworks, PCI-DSS, SOC 2, ISO 27001
- Networking & Mesh: BGP, NATS, mTLS, gRPC, CNI, Cilium, Calico, Istio, Linkerd, Consul, Envoy, Traefik, NGINX, HAProxy, CoreDNS, MetalLB, Multus, Weave Net, Flannel, VPN (WireGuard, IPsec), VXLAN, Geneve, OSI model, TCP/IP stack, HTTP/2, HTTP/3 (QUIC), Service Mesh Interface (SMI), Gateway API, Ingress controllers
- Runtime & Execution: wasmcloud, WasmEdge, Wasmtime, gVisor, Kata Containers, Firecracker, Cloud Hypervisor, QEMU/KVM, runc, crun, youki, Podman, Lima, Inclavare Containers, SGX enclaves, AMD SEV, Confidential Computing
- Libraries & SDKs: kube-rs, client-go, controller-runtime, Kubernetes Operator SDK, AWS SDK (Boto3, aws-sdk-go), Azure SDK, Google Cloud Client Libraries, Tokio, async-std, actix, axum, hyper, tonic (gRPC), prost (protobuf), serde, clap, crossbeam, rayon
- Database & Data Infrastructure: PostgreSQL RLS, TDE, pgaudit, MongoDB RBAC, Vitess, CockroachDB, TiDB, etcd, Consul KV, Redis, Valkey, KeyDB, Dragonfly, Apache Cassandra, ScyllaDB, ClickHouse, TimescaleDB, InfluxDB, DynamoDB, CosmosDB, Spanner, Patroni, Stolon, PgBouncer, ProxySQL
- Security Practices: Secret rotation, Zero-trust networking, Defense in depth, Least privilege access, Threat modeling (STRIDE, DREAD), Security by design, Secure SDLC, Shift-left security, Penetration testing, Red team/Blue team, Vulnerability management, Incident response (NIST, SANS), Chaos engineering, Fuzzing (AFL, LibFuzzer, cargo-fuzz), SAST/DAST, SCA, SBOM, Supply chain security, Air-gapped deployments
- DevSecOps: GitHub Actions, GitLab CI, Jenkins, Argo (CD/Workflows/Rollouts/Events), Flux, Tekton, Spinnaker, CircleCI, Drone CI, Buildkite, Prow, SonarQube, Semgrep, CodeQL, Dependabot, Renovate, Checkov, Terrascan, tfsec, Anchore, Artifactory, Nexus, Container registries (Harbor, ECR, ACR, GCR, GHCR)
❤️ Rust 🦀 + Go for cloud security tooling
- Cloud-native security automation at Lumen Technologies: Building Kubernetes admission controllers, OPA policies, and security operators using Go/Rust
- Container runtime security: Developing eBPF-based runtime security monitors and syscall filtering for containerd/CRI-O
- Infrastructure security: Hardening service mesh configurations (Istio/Linkerd), implementing mTLS at scale, and automating zero-trust network policies
- Personal projects:
  - Kubernetes security scanner (Rust + kube-rs)
  - Cloud workload identity and SPIFFE/SPIRE integrations
  - Infrastructure-as-code security scanner for Terraform/Pulumi
  - eBPF-based DDoS mitigation for cloud workloads
- CNCF security ecosystem: Falco, Tetragon, Cilium, OPA/Gatekeeper, cert-manager, Sigstore
- eBPF for cloud security: Building runtime security tools with Aya (Rust) and libbpf-rs
- Zero-trust architectures: SPIFFE/SPIRE, Istio ambient mesh, BeyondCorp patterns
- Supply chain security: In-toto, SLSA, image signing with Cosign/Sigstore
- Advanced Kubernetes security: Pod Security Standards, seccomp/AppArmor profiles, admission control
- Cloud-native threat detection: Building detection rules for Falco, integrating with SIEM/SOAR
- CNCF security projects: Contributing to Falco, Cilium, OPA, Tetragon, or similar runtime/network security tools
- Open-source Kubernetes security: Admission controllers, security operators, policy engines
- Cloud security automation: Infrastructure scanning, compliance-as-code, security posture management
- eBPF security tooling: Runtime security, network policy enforcement, observability
- Scaling eBPF-based security solutions across heterogeneous Kubernetes clusters (kernel version compatibility)
- Optimizing Rust async runtime performance for high-throughput security event processing (Tokio vs async-std tradeoffs)
- Kubernetes security: Hardening clusters, Pod Security Standards, admission control, RBAC design, secrets management (Vault, External Secrets Operator)
- Container security: Image scanning (Trivy, Grype), runtime protection, seccomp/AppArmor, rootless containers
- Service mesh security: Istio/Linkerd configuration, mTLS automation, authorization policies
- Cloud infrastructure security: AWS Security Hub, GCP Security Command Center, IAM policy automation
- IaC security: Terraform/Pulumi best practices, policy-as-code with OPA/Sentinel
- Network security in cloud: Calico, Cilium, network policies, microsegmentation
- GitHub: sushink70
- Email: sushink70@gmail.com | sushink70@protonmail.com
- LinkedIn: sushink70
- Website: https://sushink70.github.io/sushink70/
I've automated security compliance across 1000+ cloud workloads and reduced container vulnerability remediation time by 75% through CI/CD pipeline integration!
Core Languages: Rust, Go, Python, C/C++
Orchestration/Control Plane: TypeScript, Python, Bash
- Platforms: Kubernetes, OpenShift, EKS, GKE, AKS
- Container Runtimes: containerd, CRI-O, Docker
- Service Mesh: Istio, Linkerd, Cilium
- Policy & Admission: OPA/Gatekeeper, Kyverno, Falco
- Observability: Prometheus, Grafana, Jaeger, OpenTelemetry
- Secret Management: HashiCorp Vault, External Secrets Operator, Sealed Secrets
- Runtime Security: Falco, Tetragon, Tracee, Sysdig
- Network Security: Cilium, Calico, Network Policies
- Image Security: Trivy, Grype, Clair, Harbor
- Supply Chain: Cosign, Sigstore, in-toto, SLSA
- eBPF Tools: Aya (Rust), libbpf, bpftrace
- Policy as Code: OPA (Rego), Cedar, Kyverno policies
- Security Testing: OWASP ZAP, Nuclei, Burp Suite, Metasploit
- Cloud Providers: AWS (EKS, GuardDuty, Security Hub, IAM, KMS), GCP (GKE, Security Command Center, Workload Identity)
- IaC: Terraform, Pulumi, Crossplane, Helm
- CI/CD: GitHub Actions, GitLab CI, ArgoCD, Flux
- Identity: SPIFFE/SPIRE, OAuth2/OIDC, Workload Identity
- Languages: Rust (kube-rs, tokio, aya), Go (client-go, operator-sdk), C++
- Datastores: PostgreSQL, ScyllaDB, etcd, Redis
- Sandboxing: gVisor, Kata Containers, Firecracker
Cloud DDoS Mitigation Platform: Built Kubernetes-native DDoS detection and mitigation using Cilium eBPF, with automated BGP flowspec injection. Reduced mitigation time from 15min to <30s.
Kubernetes Security Posture Scanner: Developed Go-based operator that continuously audits cluster security (PSS violations, RBAC misconfigurations, exposed services). Integrated with Falco for runtime correlation.
Multi-Cloud Secret Rotation Pipeline: Automated secret rotation across AWS/GCP using External Secrets Operator + Vault, with zero-downtime rollout via progressive delivery (Argo Rollouts).
- Falco Rules: Custom rulesets for detecting cloud-native attacks (container escapes, privilege escalation, crypto mining)
- kube-rs: Contributed admission webhook framework and controller examples
- Cilium: Network policy testing and documentation improvements
k8s-security-scanner (Rust + kube-rs): Admission controller that validates security contexts, secrets exposure, and image provenance using Sigstore verification.
ebpf-runtime-guardian (Rust + aya): eBPF-based syscall filter that blocks suspicious container behavior (network to sensitive ports, filesystem writes outside allowlist).
iac-policy-engine (Go + OPA): Terraform/Pulumi scanner that enforces security policies pre-deployment (exposed S3 buckets, overprivileged IAM, unencrypted resources).
spiffe-workload-attestor (Rust): Lightweight SPIFFE workload attestor for non-Kubernetes environments with hardware-backed attestation (TPM).
- B.E. in Electronics and Communication Engineering – Anna University, Chennai (2016)
- Certified Kubernetes Security Specialist (CKS) – CNCF
- Certified Kubernetes Administrator (CKA) – CNCF
- Certified Ethical Hacker v11 (CEH) – EC-Council (2021-2022)
- AWS Certified Security – Specialty – Amazon
- Google Professional Cloud Security Engineer – Google Cloud
- CCNA/CCNP Security – Networkers Home (2019)
- Reduced Kubernetes security incidents by 80% through automated admission control and runtime monitoring
- Implemented zero-trust networking across 500+ microservices using Istio + SPIFFE
- Built security automation that cut cloud compliance audit time from weeks to hours
- Promoted to P3 at Lumen Technologies for cloud security platform contributions
- Achieved 99.9% uptime for DDoS mitigation services protecting 1000+ customer networks
- Cloud-native security: Kubernetes, containers, service mesh hardening
- Runtime security: eBPF-based detection, syscall filtering, anomaly detection
- Zero-trust architecture: Workload identity, mTLS automation, policy enforcement
- Supply chain security: Image signing, SBOM generation, provenance verification
- Security automation: Policy-as-code, compliance-as-code, infrastructure hardening
Security: Falco, OPA, Notary, TUF, in-toto, SPIFFE/SPIRE
Networking: Cilium, Calico, Istio, Linkerd, Envoy
Runtime: containerd, CRI-O, gVisor, Kata Containers
Observability: Prometheus, Jaeger, OpenTelemetry, Fluentd
Orchestration: Kubernetes, Helm, Argo (CD/Rollouts/Events)
Check out my GitHub for cloud security tools and CNCF contributions!
I create cloud security software strictly for defensive and ethical purposes.
By using any of my code, you agree to the following:
- You must not use my work for illegal, harmful, or unethical activities
- My code is prohibited from use in:
  - Offensive security operations without proper authorization
  - Systems that violate privacy or data protection laws
  - Financial exploitation or gambling platforms
  - NSFW or adult content infrastructure
  - Any project that causes harm to individuals or organizations
My intention is to strengthen cloud infrastructure security, promote secure-by-default practices, and contribute to the CNCF ecosystem.
I am not responsible for any misuse, damages, or consequences caused by those who ignore these terms. Use responsibly.