Rohan Bhagat
18 years securing cloud-native infrastructure at scale.
I design CSPM architectures, automate Incident Response, and integrate security into every stage of the CI/CD pipeline — turning security from a gate into a built-in property of the systems I design.
About Me
Cloud Security Engineer with 18+ years of experience designing, automating, and hardening large-scale distributed systems across AWS and Azure. I have worked with energy trading companies, high-traffic ad-tech platforms, and global gaming infrastructure — environments where security is non-negotiable and scale is unforgiving.
My work sits at the intersection of cloud security engineering and DevSecOps. I build the systems that prevent breaches (CSPM, SCPs, IaC guardrails), detect them when they happen (GuardDuty, Security Hub, Orca Security), and contain them automatically before a human analyst even opens the alert (Step Functions–driven IR playbooks).
Currently at a Utility Company in Hamburg, where I architected an end-to-end Incident Response framework from zero and integrated SAST/DAST pipelines that cut vulnerability detection time by 40%. Previously secured global cloud infrastructure at IT Media and an Energy Trading Org.
I hold a Niederlassungserlaubnis (Permanent Residence) in Germany and am available for senior cloud security, DevSecOps, and AppSec engineering roles across Europe.
Core Competencies
🔍 Cloud Security & Detection
- Cloud Security Posture Management (CSPM)
- AWS GuardDuty · Security Hub · Inspector · Macie
- Orca Security — Agentless cloud scanning
- IAM Access Analyzer · AWS Config Rules
- Threat Detection & Incident Response (IR)
- Zero Trust Architecture
🔧 DevSecOps & IaC Security
- Security-as-Code with Terraform + Checkov
- SAST · DAST · SCA
- CI/CD Security (GitHub Actions / GitLab CI / Azure DevOps)
- OPA/Rego Policy-as-Code
- Artifact Signing with cosign / Sigstore
- Secret Scanning (gitleaks)
☸️ Kubernetes & Container Security
- EKS · AKS hardening — CIS K8s Benchmark
- Admission Controllers: Kyverno + OPA/Gatekeeper
- Runtime Threat Detection with Falco
- RBAC · Network Policies · Pod Security Standards
- Container Image Scanning · Approved Registry Enforcement
- Supply Chain Security (SBOM, image signing)
📋 Governance, Risk & Compliance
- NIST Cybersecurity Framework 2.0
- CIS AWS Foundations Benchmark v3.0
- GDPR / DSGVO · NIS2 / KRITIS
- AWS Service Control Policies (SCPs)
- Multi-Account Governance · AWS Organizations
- Vulnerability Management (TVM) · RACI Design
PROJECTS
AWS automation with Terraform
• Designing and building an IaC pipeline to automate and build AWS infrastructure with Terraform.
• Using multiple tools at our disposal to enhance the deployment process, including but not limited to Terragrunt, CloudFormation, Terraform etc.
Cost Optimization of Kubernetes resources
• Using a cost analyzer and Karpenter to optimize cost
Helm Chart for Jenkins
• We are operating jenkins-operator on our Kubernetes clusters.
• Dev Teams were struggling to configure their Jenkins to deploy on Kubernetes.
• Created a Helm chart to standardize the deployment of Jenkins, and make it easier for Dev Teams to maintain and operate their Jenkins.
EKS Upgrade automation
• Created tools and pipelines to automate the manual EKS upgrade process
• This helped avoid human errors, frequent timeouts and a time-consuming upgrade process.
• Reduced EKS upgrade time to 1/3 with this
Argo CD for Kubernetes
• To deploy and maintain workloads on Kubernetes in an easier way
Datadog monitoring and logging
• Configuring Datadog to collect logs and metrics from Kubernetes, SaaS services, and workloads running on various platforms.
• Collaborating with development teams for the migration.
EKS creation with IaC
• Implemented IaC with Terraform and a pipeline to create and tear down EKS clusters.
• This made cluster maintenance and deployment easier organization-wide.
Bitwarden password solution
• Bitwarden password solution to easily share credentials between teams in a self-hosted environment
Kubernetes Dynamic Admission Controller
• Kubernetes admission controllers are plugins that govern and enforce how the cluster is used. They can be thought of as a gatekeeper that intercepts (authenticated) API requests and may change the request object or deny the request altogether.
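As an added illustration (not the author's code or any project on this page), the decision logic such a controller's webhook implements, here enforcing the approved-registry rule listed under Kubernetes & Container Security: it either denies the Pod or returns a JSON patch that mutates it. The registry names and the `registry-check` label are assumptions.

```python
import base64
import json

# Assumed allow-list (constructed values, not the page's registries). The
# trailing "/" makes this a host match rather than a loose prefix match, so
# "registry.example.internal.evil.com/x" is still rejected.
APPROVED_REGISTRIES = (
    "registry.example.internal/",
    "123456789012.dkr.ecr.eu-central-1.amazonaws.com/",
)

def _images(pod_spec):
    """Yield every image a Pod could run, init and ephemeral containers included."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            yield container.get("image", "")

def review(admission_review):
    """Build the AdmissionReview response for a Pod CREATE/UPDATE request."""
    request = admission_review["request"]
    pod = request.get("object") or {}
    response = {"uid": request["uid"], "allowed": True}
    rejected = [img for img in _images(pod.get("spec", {}))
                if not img.startswith(APPROVED_REGISTRIES)]
    if rejected:
        # Deny path: the API server relays this message to the caller.
        response["allowed"] = False
        response["status"] = {"code": 403, "message":
                              "image(s) not from an approved registry: " + ", ".join(rejected)}
    else:
        # Mutate path: stamp a label so audits can see the check ran.
        # JSON Patch "add" needs the parent map to exist, hence the two shapes.
        if pod.get("metadata", {}).get("labels"):
            patch = [{"op": "add", "path": "/metadata/labels/registry-check", "value": "passed"}]
        else:
            patch = [{"op": "add", "path": "/metadata/labels", "value": {"registry-check": "passed"}}]
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

def decode_patch(review_result):
    """Inspection helper: decode the base64 JSON patch carried in a review() result."""
    return json.loads(base64.b64decode(review_result["response"]["patch"]))

if __name__ == "__main__":
    # Constructed sample request: one approved image, one from Docker Hub.
    sample = {"request": {"uid": "c0ffee", "object": {"metadata": {"labels": {"app": "web"}}, "spec": {
        "containers": [{"name": "web", "image": "registry.example.internal/team/web:1.4"},
                       {"name": "sidecar", "image": "nginx:1.25"}]}}}}
    print(json.dumps(review(sample), indent=2))
```

In a real deployment this function sits behind a TLS endpoint registered through a ValidatingWebhookConfiguration or MutatingWebhookConfiguration; the registry list would come from configuration rather than a constant.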
AKS deployment with autoscaling and node pool separation with Terraform.
• Terraform azurerm provider to spin up new AKS clusters in an easy and fast way, leveraging features offered by Azure in AKS like autoscaling and node pools for separation of workload requirements.
Log visualisation with Loki and Grafana on k8s
• Centralized log visualisation with Loki and Grafana for ease of access to the engineering team. Faster issue debugging with monitoring and logs on the same dashboards.
Cassandra on Kubernetes
• Cassandra StatefulSets on AKS with premium storage for better scalability and resiliency.
Cassandra big data cluster
• Cassandra big data cluster to store large datasets and multidimensional data, to be consumed by various machine learning algorithms and to train on the data sets for AI (Artificial Intelligence) inputs.
AKS creation with IaC
• Azure AKS and CI/CD using Azure DevOps to deploy Kubernetes clusters.
On-prem Kubernetes cluster
• Deployment of Kubernetes clusters on-premises.
• Automated using GitLab CI/CD
• Integration of CD with GitLab on Kubernetes
• Moving away from traditional VM-based architecture to microservices and an automated end-to-end pipeline with available tools.
Containerization and microservices deployments
• Containerization and microservices architecture deployments using Docker.
• Managing and administering the Docker environment.
Centralized authentication with Red Hat Directory Server for Linux systems
• Centralized user management with Red Hat Directory Server.
GitLab and CI/CD
• Deployed GitLab for code versioning and GitLab Runners for CI/CD to automate deployments, configuration management and automation
Hadoop Big Data Cluster
• Big data analysis and Hadoop administration
OpenStack private cloud
• Deployed OpenStack based private cloud as proof of concept.
ELK (Elasticsearch, Logstash, Kibana) Stack
• Deployment and configuration of the ELK (Elasticsearch, Logstash, Kibana) Stack for log visualization and analysis.
V2C (Virtual to Cloud) migration
• Migration project to convert various virtual appliances to the cloud.
• Moved virtual server farms to cloud platform.
Architecture of Datacenter
• Architecture and design of the data center.
• Disaster recovery and business continuity plans conceptualized.
• Created SOPs for DR.
Ansible for configuration management
• Deployed Ansible for configuration management across various environments.
• Administering and writing playbooks to automate using Ansible.
Data center migration
• Planning and migration of data center servers from a colo facility to a dedicated DC.
• Migration of servers and VMs from bare metal to VMs and cloud.
Docker containers and microservices
• Deployment of Docker containers.
• Configuration and administration of microservices architecture.
FreeRADIUS PPPoE QoS management
• Deployed FreeRADIUS PPPoE QoS management
Implementation of intrusion detection system
• Implemented Nessus for intrusion detection and data prevention.
• Reviewed and identified mitigations using Nessus log reporting.
• Implemented AIDE for PoC intrusion detection system.
LAMP Stack
• Deployment of the LAMP (Linux, Apache, MySQL and PHP) stack.
• Administration of LAMP servers.
MRTG monitoring solution
• Deployed MRTG graphing solution for data visualization and bandwidth monitoring.
Nagios monitoring and alert
• Deployed Nagios monitoring and alerting solution.
Puppet configuration management
• Puppet configuration management to make it easier to manage hosts/servers in the environment.
Chef configuration management
• Chef configuration management to manage large server farms and data centers.