Lead Product Security Engineer | Docusign | Rio Vista / Oakland, CA
Product security engineer with 20+ years building security programs that engineering teams actually adopt. I work at the intersection of secure SDLC, agentic AI security, and software supply chain, translating risk into practical controls that ship into CI/CD pipelines without slowing delivery.
At Docusign I lead our Security Champions program, build security tools that developers use daily, and establish secure-coding guardrails across product teams. Before that: principal-level consulting at KPMG and EY (AppSec, data security, and regulatory readiness for multiple large clients), and DevSecOps practice lead at Slalom.
Currently building open tooling for the MCP and agentic AI attack surface, a risk area that is moving faster than most teams' defenses.
mcp-sentinel (active)
Static and dynamic security auditor for MCP (Model Context Protocol) servers - the tool layer between LLMs and the systems they act on. Maps findings to OWASP MCP Top 10, OWASP Top 10 for Agentic Applications (2026), and MITRE ATLAS via a pluggable, versioned rule engine.
Built because the agentic AI attack surface (tool poisoning, supply chain compromise, over-permissioned schemas, prompt injection via tool results) is largely undefended and moving into production at speed.
python mcp llm-security agentic-ai appsec owasp
Veritas-POC (active)
An AI-driven local code security scanner built to help developers perform more effective manual secure code reviews. It combines an agentic AI approach with JSON artifact pipelines to show developers where the needles are in the haystack.
The pipeline scans a directory of source files, runs each file through a chain of specialized security agents (scope → threat model → hypotheses → evidence → fix → gate), and produces structured JSON artifacts and a Markdown report per file, plus a merged summary across all files.
python agenticAI security-champions securecode llm owasp
| Project | What It Is | Stack |
|---|---|---|
| mcp-sentinel | MCP server security auditor (OWASP MCP Top 10, Agentic Top 10, MITRE ATLAS) with pluggable multi-source rule engine | Python |
| security-champions-kit | 36-month Security Champions program framework (intake, enablement tracks, metrics, governance playbooks) built from real program experience | Markdown / Templates |
| Veritas-POC | Multi-stage agentic LLM pipeline for automated security code review | Python |
| Dome9toDD | Dome9 cloud security findings bridge to DefectDojo for centralized vulnerability tracking | Python |
The CISSP (2007), paired with the OSCP (2024) and other certifications earned along the way, reflects both program-level governance experience and a continued investment in hands-on technical depth.
M.S. Engineering Management - Ohio University | B.S. Computer Engineering - Shawnee State University
- 80%+ reduction in security review time (multiple sprints to a single sprint before release) by delivering end-to-end pipeline automation of application security scanning at Slalom (global diagnostics client)
- Data Security Program Office for one of the largest U.S. utilities, safeguarding data for 40M+ customers and 50K+ employees across cloud and on-prem environments (KPMG)
- Software Supply Chain Security program at Docusign: code signing, artifact integrity verification, and dependency risk management across multiple products
- Security Champions program at Docusign: gamified hands-on training (Security Journey), self-service tooling, and embedded security ownership across product engineering teams
- NERC CIP v3 to v5 migration training and delivery as cybersecurity SME for SCADA/IoT environments (EY)
- FISMA/FedRAMP ATO achieved within first year of building program from scratch (TPMC/SAIC)
Open to conversations about senior product security, AI/LLM security, and security program leadership roles.