Michael Carlson

Staff Security Engineer (IC6)

Security engineer and force multiplier who builds AI-powered platforms, tooling, and automation that enable small security teams to operate at the scale of much larger organizations.

Application Security · Security Architecture · Penetration Testing · Threat Modeling · AI/LLM Security · AI/LLM Integration · Vulnerability Management · Supply Chain Security · CI/CD Security · Platform Engineering

Professional Summary

The Thesis

Invest in platforms and AI-augmented tooling that raise every team member's ceiling, so the team scales through capability rather than headcount.

The Challenge

Significant headcount reductions left a lean security team responsible for the full application security program across a complex codebase and infrastructure.

The Approach

Build platforms and AI automation that replace manual toil, democratize expertise, and enable every team member to operate at a higher level.

Key Project

GridGuard

Vulnerability Management Platform

8 scanner types · 40,000+ vulns managed

Scale

40,000+ vulnerabilities across 8 scanner types including SAST, SCA, secret scanning, container scanning, bug bounty, and penetration testing tools. AI-powered prioritization ensures critical issues get immediate engineering attention while routine findings flow into quarterly patching cycles.

AI-Powered Triage

LLM for automated vulnerability assessment, exploitability analysis, and intelligent prioritization — ensuring on-call teams focus on what matters most.

Automated Team Assignment

145 assignment rules with 6 match types and AND/OR logic. Auto-routes vulnerabilities to 19 engineering teams.

Proactive Monitoring

Terraform-managed metrics dashboards and monitors. Workflow failures, API errors, Slack health, vulnerability volume spikes — all proactively detected.

Impact: Transformed vulnerability management from manual and reactive to fully automated across 19 teams. AI triage and intelligent prioritization ensure critical vulnerabilities get immediate engineering attention while the vast majority are deferred to quarterly patching cycles — still remediated, but without interrupting sprint work. Estimated 2,000+ engineering hours/year saved by eliminating ad-hoc investigation and triage across on-call rotations (19 teams × ~2 hrs/week).

Key Project

GitGuard

AI-Powered Security PR Review System

MVC Architecture · AI-Powered

AI Security Analysis

LLM-backed API for intelligent PR risk scoring with attack path analysis and OWASP risk mapping.

Dynamic Rule Engine

Flexible security rules — non-engineers can update evaluation criteria without code changes.

Smart Model Switching

Cost-optimized model selection based on PR complexity. Hourly scheduled runs with graceful shutdown.

Reference Architecture

Established the team's LLM-codegen-native, opinionated, secure-by-default MVC pattern:

Controllers · Services · Workflows · Schema-Driven + DI · LLM Secure Vibe Coding Rules

Impact: AI triages every PR, surfacing only those with genuine security implications. Any team member can review flagged PRs with full context, lowering the expertise barrier and saving the equivalent of a full-time analyst's workload (~$200K/yr in capacity).

Key Projects

Team Enablement Platforms

Appsec-Toolbox

Security Engineering Automation Suite

10+ tools · AI-augmented

LLM Code Skills: GHA audit, PR review, log investigations, task management, SCA vuln triage

Incident Response: Secret verification, malware scanning, security headers, SBOM generation

Key insight: Engineers at any level perform senior-level investigations using AI-augmented tooling

OSS License Attribution

Automated Legal Compliance

6 platforms · Automated SBOM

Industry-Standard SBOM: SBOM generation across all platforms

Full Coverage: Web, Desktop, Android, iOS, SDK, and other platforms — staggered weekly

Zero-Touch: Eliminated recurring multi-day manual compliance effort entirely

Key Project

Launchpad

Production-Grade Application Template

TypeScript · 15+ Security Patterns

Security-first TypeScript boilerplate for backend APIs, fullstack apps, and AI/agent systems. Designed as a clone-and-trim template that embeds battle-tested security patterns into every new project from day one.

Security-by-Default Architecture

Custom ESLint rules enforcing auth on every route, body validation on mutations, strict schema validation, and database access layer boundaries. Developers cannot accidentally ship unprotected endpoints.

Production Cryptography

Dual-mode authenticated encryption at rest (passphrase-based KDF + raw-key), timing-safe HMAC with zero-downtime key rotation, double-submit CSRF with signed cookies.

Resilience & Observability

Circuit breakers with coordinated recovery probes, graceful shutdown with connection draining, dual-TTL session management, structured logging + application metrics.

Supply Chain & Containers

Multi-layer CI pipeline with dependency scanning, license policy enforcement, static analysis, and GHAS integration. Minimal-surface container images via multi-stage builds with Terraform IaC.

Fastify · React · Vite · PostgreSQL · Redis · Authenticated Encryption · Schema Validation · Distroless Containers · Terraform

Impact: Eliminates weeks of security infrastructure setup for new projects. Embeds production-hardened patterns into a reusable foundation — security is the default, not an afterthought.

Secure SDLC

Security Embedded in Every Stage

Inherited a pipeline with ad-hoc SAST and no supply chain scanning. Built end-to-end automated coverage across 7 stages:

  • Code Gen: 34 Cursor Rules
  • Pre-Push: SCA Malware Scan
  • PR Review: GitGuard AI
  • CI Pipeline: Dep Review + Age Policy
  • SAST: CodeQL (Optimized)
  • Production: GridGuard Monitoring

34 LLM Security Rules

34 always-active Cursor IDE rule files governing every line of AI-generated code in the monorepo:

Admin Authorization · Encrypted DB Layer · Auth & Sessions · Credentials · Deserialization · Input Validation · Library Approval · Core CWEs · Among others

Supply Chain Defense-in-Depth

Multi-layered dependency security in CI:

  1. Vulnerability scans — blocks vulnerable deps
  2. Dep version age check — mitigates OSS malware
  3. Clear audit trail
  4. Metrics publishing for block rates and trends
  5. Git-integrated malware scanning

Team Enablement

Scaling Security Knowledge

Security Training Platform

88 slides · 8 security domains · codebase-specific

Purpose-built for the internal codebase. References real code paths, validated method signatures, with regular accuracy audits.

AI/LLM Security — prompt injection, MCP, agent scope
Web Security — XSS, CSRF, CSP, SSRF, IDOR
Database Security — encrypted DB architecture, privilege system, race conditions
Auth, Secure Dev, Application-Layer Encryption

Replaced traditional slide decks with self-paced, always-current training that scales to the entire engineering org.

Secure LLM Codegen Boilerplate Application

Production-ready reference architecture codifying proven patterns. Enables other engineers to build and maintain security tools without reverse-engineering existing projects.

Controllers · Services · Workflows · Type-Safe Models

NewsGuard — Threat Intelligence

Automated cybersecurity news aggregation with AI-powered impact analysis. Weekly Slack digests with time-series trend rollups. Team stays current without manual research.

Application Security Risk Library

Centralized risk catalog mapping security risks to mitigating programs. Maturity scores and KTLO tracking for data-driven investment decisions with leadership.

Cross-Functional Leadership

Security Architecture & Advisory

AI Product Security

LLM-Powered Product

  • Penetration testing uncovering critical data integrity violations and exfiltration risks
  • Architectural recommendation: multi-agent model with constrained Worker LLMs
  • Human-in-the-loop verification for dangerous operations

Findings led to architecture changes before GA launch, shifting the product to a safer multi-agent design.

Multi-Tenant Identity

Security DRI

  • Session isolation architecture with server-side scope enforcement
  • Replay attack prevention with one-time codes and semaphore concurrency
  • JWT hardening and secure OIDC with PKCE

Served as security DRI through full project lifecycle. Designs shipped to production without security incidents.

Impact

The Force Multiplier Effect

| Challenge | Solution | Scale Achieved |
|---|---|---|
| Manual vulnerability triage | AI-powered categorization & exploitability analysis | 40,000+ vulns prioritized across 19 teams |
| PR security review bottleneck | GitGuard AI evaluation with dynamic rules | Every PR evaluated, team reviews only flagged |
| Manual team assignment | 145 rules routing to 19 teams | 40,000+ vulns auto-assigned |
| Compliance license tracking | Automated SBOM across 6 platforms | Zero manual effort, weekly cadence |
| Threat intelligence | AI-filtered RSS with Slack delivery | Continuous, no analyst time |
| Security training delivery | Codebase-specific interactive platform | Scales to entire eng org |
| KTLO operational burden | 10+ AI-powered CLI tools & skills | Any engineer productive in minutes |
| Silent automation failures | Metrics monitoring & proactive alerting | Issues detected before reports |
| Onboarding & knowledge transfer | Training platform + opinionated boilerplate | New engineers productive in days |

Technical Stack

Tools & Technologies

Languages

Python · TypeScript · JavaScript · Golang · Ruby

AI / ML

Anthropic Claude API · Claude Code Skills · Airtable AI Fields · LLM Prompt Eng.

Backend

Node.js · Fastify · PostgreSQL · Redis · libsodium · Zod

Frontend

React · Vite · Tailwind CSS

Platforms

GitHub Actions · Datadog · Slack API · Airtable

Security Tools

CodeQL · Socket.dev · Dependabot · Custom ESLint Rules · SAST/SCA/DAST · Bug Bounty · Container Security

Architecture

MVC Patterns · Schema-Driven · Dependency Injection · Circuit Breakers · Type-Safe Models

Infrastructure

Terraform · Docker / Distroless · CycloneDX/cdxgen · OpenSearch

Team maintained full operational capacity through significant headcount reductions.

Scaling through capability, not headcount.
