Thom Morgan
Technical Lead & Security Engineering Manager | AI/ML Security Architect | Red Team Operations
thom@noodleofdeath.com | (703) 215-5735 | Everett, MA | github.com/noodleofdeath
Skills
Core Expertise: Security & AI Red Teaming
LLM Jailbreaking & Red Teaming (GenAI/LLM security, NeMo/Llama Guardrails, jailbreak attacks, prompt injection); Adversarial AI Testing (Red teaming (MITRE ATLAS), proxy model based red teaming, vector db poisoning, sponge examples); Offensive Security (OSCP) (OWASP Top 10, web/API/mobile pentesting, exploit development, zero-days); Security Architecture & Strategy (Zero-trust architecture, secure-by-design, threat modeling (STRIDE)); Application Security Automation (DevSecOps, shift-left security, SAST/DAST/SCA, security-as-code);
Leadership & Management
Engineering Leadership (Led 6-7 senior developers building secure AI systems and full stack applications); Team & Product Management (Cross-functional coordination, agile/scrum, OKRs, stakeholder management); Technical Strategy (Technical roadmapping, architecture decisions, code review standards); Security Culture Building (Security champions program, threat modeling workshops, security training); People Leadership (Hiring, mentorship, performance management, career development);
AI/ML Engineering
Retrieval-Augmented Generation (RAG architectures, vector databases (Pinecone, Weaviate), semantic search); LLM Fine-tuning & Optimization (LoRA, QLoRA, PEFT, instruction tuning, RLHF, domain adaptation); Prompt Engineering (Chain-of-thought, few-shot learning, prompt optimization, agent frameworks); Deep Learning Architecture (Transformer architecture, attention mechanisms, ViT, multimodal models); ML Operations & Governance (MLOps, model monitoring, drift detection, A/B testing, feature stores); Explainable AI (XAI, SHAP, LIME, fairness metrics, bias detection, model interpretability);
Programming Languages
TypeScript (Primary language for full-stack development and automation); Python (AI/ML development, data science, adversarial testing); Colang (Guardrails definition language for LLM agents (NeMo)); JavaScript (Full-stack web development, Node.js backend services); Rust (Systems programming, robotics, embedded development); C++ (Performance-critical applications, robotics middleware); Go (Microservices, concurrent systems, cloud infrastructure); Objective-C / Swift / SwiftUI (Native iOS development, mobile security, internal tooling); Java / Kotlin (Native Android development, enterprise systems, JVM interoperability);
Frameworks & Technologies
PyTorch / TensorFlow (Deep learning frameworks, CUDA optimization, distributed training); LangChain / LlamaIndex (LLM orchestration, agents, RAG chains, memory management); Hugging Face Transformers (Foundation models, tokenizers, PEFT, inference optimization); Pinecone / Weaviate / ChromaDB (Vector similarity search, embeddings, semantic retrieval); React / Next.js / React Native (React 18+, Next.js 14+, React Native, server components, streaming SSR); Flutter (Cross-platform mobile development, custom renderers, performance profiling); Backend Frameworks (FastAPI, Express, GraphQL, gRPC, WebSockets, event-driven APIs); Docker / Kubernetes (Container orchestration, service mesh (Istio), helm charts); Testing Frameworks (Pytest, Jest, Playwright, chaos engineering, contract testing);
DevOps & Cloud Infrastructure
Cloud Platforms (AWS (EC2, ECS, Lambda), DigitalOcean, Supabase, Vercel); Kubernetes Ecosystem (GitOps, ArgoCD, Flux, container orchestration, service mesh (Istio)); Terraform / Pulumi (IaC, multi-cloud provisioning, state management, policy as code); CI/CD Platforms (GitHub Actions, GitLab CI, Jenkins, CircleCI, Buildkite); Datadog / Prometheus / Grafana (Observability, APM, distributed tracing, log aggregation, SLOs); Infrastructure Automation (Configuration management, secret management (Vault), drift detection); AI-Native Development (Cursor, Bolt, Antigravity, Lovable, v0);
Security Tools & Compliance
Security Testing Tools (Burp Suite, Metasploit, Garak, Pyrit, Cobalt Strike, BloodHound, OWASP ZAP, Identv2); Red/Purple Team Operations (MITRE ATT&CK/ATLAS, threat intelligence, incident response, forensics); Security Compliance (NIST, FedRAMP, HIPAA, GDPR, SOC 2, compliance automation);
Methodologies & Best Practices
Agile Methodologies (Agile/Scrum, SAFe, sprint planning, retrospectives, OKRs); Secure Development (SDLC, shift-left security, secure-by-design, threat modeling); Software Engineering Practices (Git workflows, trunk-based development, code review, pair programming); Site Reliability Engineering (SRE principles, incident management, postmortems, SLI/SLO/SLA);
Robotics & Simulation
Gazebo (Robot simulation environment for testing and validation); NVIDIA Isaac Sim (Photorealistic simulation and synthetic data generation); MuJoCo (Physics engine for robotics and reinforcement learning);
Certifications
AWS Developer Certified (AWS Certified Developer - Associate); Offensive Security Certified Professional (OSCP) (Advanced penetration testing certification); Professional Scrum Master I (PSM I) (Scrum framework and agile practices);
Education
Bachelor of Science
Majors: Computer Science & Mathematics
Minor: Film Studies
Summary
Technical Lead and Security Engineering Manager with 12+ years specializing in secure AI/ML systems and offensive security. Progressive evolution from full stack penetration tester → DevOps/AI engineer → technical leadership orchestrating cross-functional teams. Currently at Boston Dynamics, leading 6-7 senior developers in architecting secure GenAI/LLM systems for production robotics while directing security red team operations. Core expertise: AI/LLM security architecture, adversarial ML testing, secure full stack development, and DevSecOps automation. Reduced critical vulnerabilities 47% through strategic implementation of shift-left security, automated SQA pipelines, and zero-trust architectures. OSCP-certified with proven track record building high-performing security-focused engineering teams.
Work Experience
Technical Lead - Security Red Team & AI Systems
  • Led cross-functional agile team of 6-7 senior developers in cloud-native microservices architecture and embedded GenAI/LLM deployment for Spot and Atlas robots. Orchestrated security red team operations, identifying and remediating 150+ vulnerabilities across web applications, RESTful/GraphQL APIs, and ML pipelines. Reduced critical security findings by 47% year-over-year through shift-left security, automated SQA pipelines, and DevSecOps practices.
  • Established GitOps-based CI/CD infrastructure leveraging containerization (Docker/Kubernetes) with automated security testing, SAST/DAST scanning, and dependency vulnerability checks. Accelerated release cycles by 35% while maintaining zero security regressions in production, implementing infrastructure-as-code (Terraform) and zero-trust network architecture principles.
  • Directed engineering of adversarial AI testing frameworks for transformer-based vision models (ViT) and reinforcement learning policies. Designed automated red team attack simulation probing LLM jailbreaks, prompt injection, RAG poisoning, vector db poisoning, proxy model based red teaming, and sponge examples. Identified 40+ critical AI safety vulnerabilities pre-production using MLSecOps best practices.
  • Mentored team in secure-by-design architecture, conducting weekly threat modeling (STRIDE), security champions training, and pair programming sessions. Improved team security awareness scores by 60% and reduced security-related bugs by 52% through implementation of security guardrails and automated policy enforcement.
  • Architected observable AI/ML infrastructure with real-time model performance monitoring, drift detection using statistical process control, and automated retraining pipelines. Applied advanced prompt engineering and retrieval-augmented generation (RAG), ensuring robot manuals are sanitized of hidden malicious instructions. Mitigated semantic perturbation via perplexity scoring, achieving 23% improvement in safety-critical edge case detection.
Senior Full Stack Engineer - DevOps & AI/ML
  • Built end-to-end MLOps and DevOps pipelines with automated model versioning, CI/CD orchestration, A/B testing frameworks, and observability dashboards tracking model drift, data quality, and adversarial robustness. Reduced false positive rates by 37% through hyperparameter optimization, ensemble methods, and feature engineering using XGBoost and deep learning architectures.
  • Architected and trained state-of-the-art generative AI models (GANs) for synthetic DNA sequence generation, implementing custom loss functions and attention mechanisms to optimize convergence. Deployed scalable inference pipelines on AWS Lambda and ECS, processing millions of biomarker predictions with sub-100ms latency.
  • Designed comprehensive AI governance and model evaluation frameworks incorporating explainability (SHAP/LIME), fairness metrics, adversarial robustness testing, and automated red team probing. Implemented MLSecOps practices detecting data poisoning, model extraction attacks, and backdoor vulnerabilities in production ML systems.
  • Performed security assessments and penetration testing of cloud-based ML systems processing PHI/PII, implementing differential privacy, federated learning, and homomorphic encryption protocols to ensure HIPAA/GDPR compliance. Architected zero-trust data access patterns and secure enclaves for model training on sensitive genomic data.
Full Stack Penetration Tester & Red Team Operator
  • Conducted comprehensive OWASP Top 10 penetration testing across cloud-native web applications, RESTful/SOAP APIs, mobile apps (iOS/Android), and network infrastructure for FedRAMP-compliant government systems. Performed manual code review and automated security assessments using Burp Suite, Metasploit, and custom exploit development, identifying 200+ critical/high severity vulnerabilities including SQL injection, XSS, CSRF, authentication bypasses, and privilege escalation.
  • Executed sophisticated red team operations simulating nation-state APT tactics (MITRE ATT&CK framework) against federal infrastructure. Successfully compromised air-gapped networks through spear phishing, watering hole attacks, social engineering, and zero-day exploit chains. Produced executive-level threat intelligence reports and delivered security awareness training achieving 85% phishing detection improvement.
  • Developed adversarial ML testing frameworks for biometric identification systems (facial recognition, fingerprint analysis) processing sensitive PII. Designed white-box and black-box attacks including prompt injection, model inversion, membership inference, and adversarial perturbations. Reduced evasion attack success by 64% through adversarial training, input validation, and rate limiting.
  • Architected DevSecOps pipelines integrating shift-left security practices with SAST (SonarQube, Checkmarx), DAST (OWASP ZAP), SCA (Snyk, Dependabot), and container scanning (Trivy, Clair). Implemented security-as-code using policy engines (OPA) and secret management (Vault), detecting and remediating 12 critical CVEs pre-production, establishing foundation for later DevOps/SRE specialization.