plygrnd.
// based in
Michigan, USA
// email
echo ZGFuQHBseWdybmQubmV0Cg== | base64 -d
// work authorization: US Lawful Permanent Resident · South Africa Citizen · EU (Lithuania) Citizen

Overview.

Self-taught IT security professional with 15 years' experience in defensive security engineering, customer service, and platform abuse mitigation. Focused on automation, incident response, and stakeholder engagement.

Specialist in Coordinated Vulnerability Disclosure (CVD) and offensive threat intelligence operations. Co-founder of Amazon Web Services' Security Outreach team, responsible for CVD across the company. Initiated and developed AWS's first CVE issuance benchmark framework.

Experienced Python/Rust developer adept at convincing discrete systems to speak a single language to one another.

Experience.

Sep 2025 — Present
Permanent
T-Mobile USA United States
Sep 2025 — Present

Principal Security Engineer

  • Founded T-Mobile Cyber Threat Intelligence's deception program, focused on passive intelligence collection — both internal and external.
  • Created passive sensor network comprising both bare-metal and virtual sensor fleets. Leveraged data from sensor fleet to enrich internal data collection efforts.
  • Created network-based sensor platform intended to detect and mitigate threats against customer- and company-owned ICS/OT assets.
  • Tools / tech / processes: Ansible, Docker, Kubernetes / Helm, Terraform, ELK Stack, common virtualization technologies.
Mar 2024 — Sep 2025
Vultr remote
Feb 2025 — Sep 2025

Threat Intelligence Manager

  • Promoted to manager of the Threat Intelligence function I founded.
Mar 2024 — Feb 2025

Sr. Threat Intelligence Engineer

  • Founded Vultr's Threat Intelligence team. Used disparate internal and external data sources to protect Vultr and its customers.
  • Detected and mitigated an ongoing targeted phishing campaign against Vultr's frontline employees (Mar 2024).
  • Implemented third-party container image verification for containerized internal tools (PHP Composer, GitLab runner image).
  • Static Application Security Testing: built a net-new SAST platform to replace the existing hosted SonarQube using Opengrep, GitLab CI, and a custom auto-fix platform. Reduced SonarQube spend by approximately $75,000 and accelerated MTTR for SAST findings by 80% (3 months → 2 weeks).
  • Implemented application control and data exfiltration mitigation using a combination of off-the-shelf (ThreatLocker, CrowdStrike Falcon) and custom-built technologies.
  • Designed and implemented monitoring and automated response within Vultr's new PCI cardholder data environment.
    • Tools: Puppet (host setup), OpenTelemetry Collector (log collection / pre-processing), Sumo Logic CIP (aggregation, analysis, presentation), Sumo Logic Cloud SIEM Enterprise (incident response), Wazuh (host security monitoring), Grafana stack (Prometheus / Loki / Grafana).
    • Processes: Diamond threat model, MITRE ATT&CK.
  • Designed and implemented a Wireless Intrusion Detection System (WIDS) and network traffic management for corporate HQ in West Palm Beach, Florida. Tools: Sumo Logic, Zeek, Juniper Mist (mesh Wi-Fi).
  • Built threat actor tracking platform based on OpenCTI and Yahoo ASHIRT.
  • Designed and implemented threat mitigation for corporate VPN (Palo Alto on-prem appliances):
    • TLS decryption for sensitive web properties
    • External / internal threat feed generation and integration
    • Dynamic blocklisting
    • Strong host identity via internal CA (Smallstep)
  • Designed and implemented actor identification and observation/removal system within Vultr's shared VM hosting environment ("Submarine"). Leverages existing netflow analysis platforms (Kentik, sflow-RT) and custom OLAP based on ClickHouse.
    • Reduced time-to-mitigate from 8 hours to 30 minutes.
    • Provides near real-time netflow monitoring.
    • Integrates with Jira and OpenCTI to enable cross-platform indicator processing.
2014 — 2023
Amazon Web Services Cape Town · Dublin · United States
2016 — 2023

Security Engineer

  • Co-founded AWS's security community engagement team, known internally as "Outreach." Grew and nurtured a large community of trusted security research professionals and built significant trust in AWS as a vulnerability research partner.
    • Acted as a force multiplier within AWS, evangelizing for creating this new team.
    • Worked with the security research and AWS customer communities to promote the team and raise awareness of its function.
    • Met researchers in person at fwd:CloudSec, re:Inforce, Black Hat, and DEFCON, working with them to understand their needs and frustrations.
    • Result: built sufficient trust with independent security researchers to receive advance notice of several high-severity issues before they were made public, without AWS's knowledge.
  • Acted as incident commander for embargoed security issues, coordinating multiple stakeholders across internal lines of business to prevent impact on AWS before public release. See the Orca writeup; further examples available on request.
  • Provided mentorship and training to junior engineers; helped promote two engineers from Associate Engineer to Engineer 1 within nine months. Required weekly 1:1s, pair programming, and supervised work delegation.
  • Developed, tested, and deployed user account termination automation, replacing a complex manual process. Reduced error rate to 0% and execution time by 90%. Saved 250 engineer-hours per month.
  • Published 14 AWS Security Bulletins and coordinated mitigation of each related issue before publication. Required coordination across multiple AWS teams up to CEO level.
  • Led AWS's response to three major customer incidents requiring 24/7 focus. Restructured runbooks based on lessons learned. Built an automated log analysis framework to accelerate similar engagements.
  • Rewrote the team's entire internal knowledge base (~900 wiki pages) and consolidated it into a new Sphinx-based platform.
    • Consulted with the team on needs and information architecture.
    • Culled approximately 700 unused/stale/outdated pages (final count: 195 pages).
    • Developed and deployed automation to render wiki content via custom Sphinx app, replacing prior XWiki solution.
    • Result: team referenced SOPs and tribal knowledge 80% faster. Laid the groundwork for directed work within incident response tooling.
  • Developed integration with custom internal log ingestion stack (ELK with Amazon OpenSearch) to bootstrap and deploy a log analysis stack for incident response. Wrote canned queries and scripts for common analyses. Worked with Amazon's corporate IT security team on a rapidly-deployable log collection script.
    • Result: time-to-mitigate improved from 90 minutes to 25. Incremental updates made launching from a Slack workflow possible. Metrics around usage were provided to CloudWatch and OpenSearch teams, who incorporated elements into their products.
  • Developed and trained engineers on AWS's internal HIPAA-specific incident response process, focusing on ensuring continued HIPAA / HITECH compliance.
  • Projects:
    • SCRY — internal tool for security-focused communication.
    • Custom report generator for security operations — generated on-call stats and reduced reporting time from 20 minutes to 30 seconds.
    • Amazon Locker customer service launch — acted as documentation SME, wrote customer-facing content and canned email text. Liaison between Locker engineering, CS program management, and CS operations.
2014 — 2016

Trust and Safety Specialist

  • Developed new processes to limit DoS attack impact on AWS customers — reduced mitigation time from 4 minutes to 30 seconds. Required coordination with AWS Networking and legal counsel.
  • Grew the South African team from 4 to 35 people by 2016 to meet caseload.
  • Subject matter expert on email and text spam.
  • Liaised with external IP reputation providers (Spamhaus, Trend Micro) to improve AWS's IP reputation. Reduced spam incidence by 94%.
  • Highest accuracy rating for mitigations on the team — 100% over 6 months.
  • Seconded to the US office in 2014 to develop the team's skills.
  • Promoted to lead specialist for EMEA in 2015.

Skills.

  • Security Operations / Incident Response: 10/10
  • Secure Software Design (static / dynamic): 8/10
  • Technical Writing: 8/10
  • Python: 7/10
  • Relationship Management: 7/10
  • Executive Communication: 7/10
  • Infrastructure as Code: 7/10
  • Log Analysis (Splunk / ELK / CloudWatch): 6/10
  • Crisis Communication: 5/10

// languages spoken

  • English: native
  • Afrikaans: native
  • Hebrew: professional
  • Spanish: limited

// also worth knowing

  • Rust: working
  • FEMA ICS: certified
  • CVD specialist: primary
  • Threat intel: primary