Michael Carlson

Staff Security Engineer (IC6)

Security engineer and force multiplier who builds AI-powered platforms, tooling, and automation that enable small security teams to operate at the scale of much larger organizations.

Application Security · Security Architecture · Penetration Testing · Threat Modeling · AI/LLM Security · AI/LLM Integration · Vulnerability Management · Supply Chain Security · CI/CD Security · Platform Engineering

Professional Summary

The Thesis

Invest in platforms and AI-augmented tooling that raise every team member's ceiling, so the team scales through capability rather than headcount.

The Challenge

Significant headcount reductions left a lean security team responsible for the full application security program across a complex codebase and infrastructure.

The Approach

Build platforms and AI automation that replace manual toil, democratize expertise, and enable every team member to operate at a higher level.

Key Project

GridGuard

Vulnerability Management Platform

Many scanner types · Thousands of vulns managed

Scale

Many thousands of vulnerabilities across various scanner types including SAST, SCA, secret scanning, container scanning, bug bounty, and penetration testing tools.

AI-Powered Triage

LLM for automated vulnerability assessment, exploitability analysis, and intelligent categorization — replacing hours of manual analyst triage per week.

Automated Team Assignment

Rule-based engine with many match types (exact, contains, glob, regex) and AND/OR logic. Auto-routes vulnerabilities to the correct engineering teams.

Proactive Monitoring

Terraform-managed metrics dashboards and monitors. Workflow failures, API errors, Slack health, vulnerability volume spikes — all proactively detected.

Impact: Transformed vulnerability management from manual and reactive to fully automated. Engineering teams self-service their vulnerability views. New team members productive in days, not weeks.

Key Project

GitGuard

AI-Powered Security PR Review System

MVC Architecture · AI-Powered

AI Security Analysis

LLM-backed API for intelligent PR risk scoring with attack path analysis and OWASP risk mapping.

Dynamic Rule Engine

Flexible security rules — non-engineers can update evaluation criteria without code changes.

Smart Model Switching

Cost-optimized model selection based on PR complexity. Hourly scheduled runs with graceful shutdown.

Reference Architecture

Established the team's LLM-codegen-native, opinionated, secure-by-default MVC pattern:

Controllers · Services · Workflows · Schema-Driven + DI · LLM Secure Vibe Coding Rules

Impact: AI triages every PR. Any team member can review flagged PRs with full AI-provided context, lowering the expertise barrier. Saved the equivalent of a full-time analyst's workload.

Key Projects

Team Enablement Platforms

Appsec-Toolbox

Security Engineering Automation Suite

10+ tools · AI-augmented

LLM Code Skills: GHA audit, PR review, log investigations, task management, SCA vuln triage

Incident Response: Secret verification, malware scanning, security headers, SBOM generation

Key insight: Engineers at any level perform senior-level investigations using AI-augmented tooling

OSS License Attribution

Automated Legal Compliance

6 platforms · Automated SBOM

Industry-Standard SBOM: SBOM generation across all platforms

Full Coverage: Web, Desktop, Android, iOS, SDK, and other platforms — staggered weekly

Zero-Touch: Eliminated recurring multi-day manual compliance effort entirely

Secure SDLC

Security Embedded in Every Stage

Code Gen: Many Cursor Rules
Pre-Push: SCA Malware Scan
PR Review: GitGuard AI
CI Pipeline: Dep Review + Age Policy
SAST: CodeQL (Optimized)
Production: GridGuard Monitoring

LLM Security Rules (1,500+ lines)

Many always-active Cursor IDE rule files governing every line of AI-generated code in the monorepo:

Admin Authorization · Encrypted DB Layer · Auth & Sessions · Credentials · Deserialization · Input Validation · Library Approval · Core CWEs · Among others

Supply Chain Defense-in-Depth

Multi-layered dependency security in CI:

  1. Vulnerability scans — blocks vulnerable deps
  2. Dep version age check — mitigates OSS malware
  3. Clear audit trail
  4. Metrics publishing for block rates and trends
  5. Git-integrated malware scanning

Team Enablement

Scaling Security Knowledge

Security Training Platform

80+ slides · 7+ security domains · codebase-specific

Purpose-built for the internal codebase. References real code paths, validated method signatures, with regular accuracy audits.

AI/LLM Security — prompt injection, MCP, agent scope
Web Security — XSS, CSRF, CSP, SSRF, IDOR
Database Security — encrypted DB architecture, privilege system, race conditions
Auth, Secure Dev, Application-Layer Encryption

"This is definitely the best security training I've done in my time here."

Secure LLM Codegen Boilerplate Application

Production-ready reference architecture codifying proven patterns. Enables other engineers to build and maintain security tools without reverse-engineering existing projects.

Controllers · Services · Workflows · Type-Safe Models

NewsGuard — Threat Intelligence

Automated cybersecurity news aggregation with AI-powered impact analysis. Weekly Slack digests with time-series trend rollups. Team stays current without manual research.

Application Security Risk Library

Centralized risk catalog mapping security risks to mitigating programs. Maturity scores and KTLO tracking for data-driven investment decisions with leadership.

Cross-Functional Leadership

Security Architecture & Advisory

AI Product Security

Flagship AI Product

  • Penetration testing uncovering critical data integrity violations
  • Attacker persistence vectors and data exfiltration risks
  • Architectural recommendation: multi-agent model with constrained Worker LLMs
  • Human-in-the-loop verification for dangerous operations
  • Indirect prompt injection risk analysis

Custom Domains

Security DRI

  • Session isolation architecture with server-side scope enforcement
  • Authorization code exchange
  • Replay attack prevention with one-time codes and semaphore concurrency
  • JWT hardening: audience validation, RSA-256, clock tolerance, etc
  • Secure OIDC with PKCE and redirect validation
Impact

The Force Multiplier Effect

Challenge | Solution | Scale Achieved
Manual vulnerability triage | AI-powered categorization & exploitability analysis | Thousands of vulns auto-triaged
PR security review bottleneck | GitGuard AI evaluation with dynamic rules | Every PR evaluated automatically
Manual team assignment | Rule-based engine with many match types | Thousands of vulns auto-assigned
Compliance license tracking | Automated SBOM across all platforms | Zero manual effort
Threat intelligence | AI-filtered RSS with Slack delivery | Continuous, no analyst time
Security training delivery | Codebase-specific interactive platform | Scales to entire eng org
KTLO operational burden | 10+ AI-powered CLI tools & skills | Any engineer productive in minutes
Silent automation failures | Metrics monitoring & proactive alerting | Issues detected before reports
Onboarding & knowledge transfer | Training platform + opinionated boilerplate | New engineers productive in days

Technical Stack

Tools & Technologies

Languages

Python · JavaScript · TypeScript · Golang · Ruby

AI / ML

Anthropic Claude API · Claude Code Skills · Airtable AI Fields · LLM Prompt Eng.

Platforms

Airtable · GitHub Actions · Datadog · Slack API

Security Tools

CodeQL · Socket.dev · Dependabot · SAST/SCA/DAST · Bug Bounty · Container Security

Architecture

MVC Patterns · Schema-Driven · Dependency Injection · Type-Safe Models

Infrastructure

Terraform · CycloneDX/cdxgen · OpenSearch · IaC

Team maintained full operational capacity through significant headcount reductions.

Scaling through capability, not headcount.
