Open To Work
Sam Ceballos
The Hague
Work Preference
Summary
Senior Cybersecurity Engineer with extensive experience securing commercial, federal, and military networks. Holds a Top Secret clearance and leads initiatives in cloud security architecture and vulnerability management, integrating compliance frameworks such as Zero Trust, DOD RMF, and NIST into security solutions. Committed to continuous learning and mentoring teams to enhance cybersecurity effectiveness.
Overview
27
27
years of professional experience
14
14
Certification
Work History
Senior Cybersecurity Engineer contract
NATO Communications and Information Agency
10.2025 - Current
- Contributed to NATO projects in cloud environments (AWS, Azure), AI chatbot systems, cryptography, and classified systems, integrating security solutions into network infrastructure across complex multi-tier domain systems.
- Reviewed application security, conducted vulnerability assessments, monitored networks, and assessed security controls, integrating safeguards into technical security documentation and reports.
- Review network and system architecture designs, giving guidance to the different projects through the NATO accreditation process and complying with NATO security policies, accreditation and compliance requirements including the Letter of Request (LOR), Authority to Operate (ATO) processes and risk analysis.
- Engaged in technical meetings with engineers and management stakeholders, providing support in explaining and integrating security controls into network infrastructure solutions and the NATO accreditation process.
- Secured active government clearance (Cosmic Top Secret) for access to classified information.
Senior Cybersecurity Engineer
Ampcus, Nightwing US DHS Cybersecurity and Infrastructure Security Agency CISA
04.2022 - 03.2025
- Led threat hunting and incident response for DHS CISA, securing OT/ICS networks and cloud environments (AWS, Azure) supporting 40+ federal agencies for critical infrastructure in a team environment, aligned with NIST SP 800-53 and Zero Trust principles, OWASP, Cloud Controls Matrix (CCM) and Zero Trust principles, DoD RMF, MITRE ATT&CK, TOGAF and NIST Cybersecurity frameworks.
- Reduced mean time to detect (MTTD) and respond (MTTR) to advanced threats by 30%, leveraging MITRE ATT&CK, Cortex XDR, CrowdStrike, and custom Splunk SIEM dashboards.
- Strengthened IAM and MFA controls across 5,000+ assets; audited and optimized firewall rules (Palo Alto, Cisco) to close high-risk gaps identified during vulnerability scans (Tenable Nessus) with proven safeguards.
- Reviewed AWS architecture for adherence to AWS best practices and well-architected framework; suggested security architecture changes aligned with framework's six pillars, addressing security issues through reasoning and troubleshooting.
- Designed and tested AWS cloud attack scenarios using CALDERA and PACU; created reusable playbooks that improved red team efficiency by 30%.
- Integrated Corelight Malcolm, Zeek, Metasploit, and Elasticsearch for deep packet and protocol analysis, enhancing anomaly detection capabilities in SCADA/OT environments.
- Delivered security workshops and executive briefings to cross-functional stakeholders, promoting adoption of best practices and ensuring regulatory compliance during security tool integration under Continuous Diagnostics and Mitigation (CDM) program.
Senior Network Security Consultant
Venatore US Army EUCOM
04.2020 - 09.2021
- Led vulnerability management efforts using Tenable Nessus, prioritized critical CVEs, and coordinated patching across Windows and Linux servers, achieving 98% STIG compliance with accepted mitigations with DOD Risk Management Framework (RMF).
- Conducted senior-level audits and tuning of Palo Alto and Cisco firewall policies for a European Command network spanning 3,000+ endpoints, ensuring compliance with DISA STIGs, ACAS and DOD RMF.
- Identified and remediated misconfigurations, reducing unauthorized access incidents by 25%, which enhanced perimeter defense and reinforced MFA enforcement.
- Designed and implemented Varonis DatAdvantage and DataPrivilege for enterprise-wide privileged access management, improving audit readiness and insider threat mitigation.
- Developed secure Azure cloud architecture with Microsoft Entra ID and CI/CD pipelines, supporting secure test labs for application developers to ensure compliance with TOGAF framework.
- Authored security documentation and trained cross-functional teams, increasing awareness of cloud security best practices and compliance with DISA and DoDI 8510.01.
Senior Cybersecurity Architect
Devis contracted to US Department of State
07.2018 - 04.2020
- Built and secured the agency’s GovCloud migration plan, aligning Azure and AWS architecture with FedRAMP controls, TOGAF framework, and OWASP standards.
- Led security architecture and audit of Palo Alto firewall rule sets, DLP policies, SSL decryption, and dynamic external lists, strengthening data-in-transit protection across multiple State Department sites.
- Integrated FireEye HX, Splunk SIEM, and Python scripts to automate log aggregation and threat detection, cutting false positives by 30% and streamlining reporting for NIST 800–53 audits.
- Collaborated on Zero Trust strategy and DevSecOps pipelines with Kubernetes and Terraform, securing cloud deployments and automating policy enforcement.
- Designed and executed a major Splunk upgrade from Windows to Unix, creating new indexes, custom data ingestion, and real-time dashboards, reducing incident investigation time by 40%. Working with a model-based systems engineering environment for the security solutions to provide traceability and threat modeling analysis with proof-of-concept building.
- Developed and enforced incident response playbooks and certificate-based authentication policies, enhancing response consistency and reducing manual errors.
- Conducted vulnerability assessments with Rapid7 Nexpose, Metasploit, Tenable Nessus, and HP WebInspect Fortify; coordinated patching with sysadmins, achieving 95% STIG compliance.
Senior Network Security Contractor
Leidos contracted to NIH
04.2017 - 02.2018
- Hardened the perimeter of NIH’s enterprise network by configuring and optimizing Palo Alto and Cisco ASA firewalls, including HA failover, SSL decryption, URL filtering, and threat prevention; applied Zero Trust principles to over 10,000 endpoints.
- Enhanced malware detection and reduced incident volume by 35% through improved WildFire and antivirus integration across the security stack.
- Managed audits of Palo Alto firewall rule set and conducted PCAP analysis to fine-tune IPS signatures and enforce secure data flows; remediated over 100 misconfigurations in URL filtering and ACLs.
- Led vulnerability scanning and ensured compliance with NIST 800-53, HIPAA, and FISMA using Splunk, Elasticsearch, Nessus, and Kibana to generate audit-ready dashboards and minimize false positives.
- Resolved complex networking issues involving Cisco ISE, VRF, VPN, and 802.1x in collaboration with the network engineering team, reducing network downtime by 20%.
- Produced architecture documentation and verification procedures to enable repeatable and scalable firewall deployments, enhancing security posture and ensuring operational consistency.
Senior Network Security Contractor
ATOS
12.2016 - 04.2017
- Reviewed and enforced encryption standards, including TLS certificate validation and secure cipher suite configuration, enhancing data-in-transit security across 10+ production networks.
- Tuned IDS/IPS sensors and signatures across enterprise healthcare environments, aligning detection logic with HIPAA, TLS policies, and internal security objectives, resulting in a 30% drop in false positives.
- Developed and implemented a structured incident response process integrated with change control, ensuring all signature updates and response actions were documented, tested, and traceable.
- Collaborated with security engineers to harden threat detection infrastructure.
- Authored and presented audit reports on IDS/IPS tuning efforts and risk reduction strategies to technical and executive stakeholders, facilitating informed decision-making and improving cross-team coordination.
Senior Network Security Architect Presales Engineer
CA Technologies
02.2016 - 12.2016
- Advised DOD clients on deploying CA Privileged Access Manager (PAM) across hybrid environments, improving privileged account governance and reducing insider risk for ~25,000 users.
- Integrated PAM with Palo Alto and Cisco firewalls, optimizing ACLs and enforcing centralized identity-based access controls while resolving routing issues for seamless policy enforcement.
- Conducted technical reviews of network security architectures with clients to ensure compliance with DOD RMF and DIACAP, validating deployments against ACAS scan outputs and IAM policy baselines.
- Architected policy flows and placement strategy for CA PAM deployment within Navy’s NGEN and NMCI environments, leading to successful ATO (Authority to Operate) approval.
Senior Network Security Consultant
IT People
09.2015 - 12.2015
- Served as SME for Palo Alto and Cisco firewall policy audits for Danish Bank client, ensuring compliance with PCI-DSS, ISO 27001/2, and NIST 800-53 standards.
- Assessed enterprise IAM policies, TLS/SSL configurations, and Cisco ISE posture, uncovering gaps in SSO and encryption enforcement that were remediated across global environments.
- Authored risk analysis reports outlining architecture vulnerabilities and control weaknesses utilizing Nessus; presented findings to CISO and engineering teams to guide roadmap prioritization and developing a vulnerability management program.
- Consulted on IT security team structure and processes, delivering strategic recommendations that influenced a 20% reduction in security audit remediation time.
- Led client meetings to discuss project updates and security strategies, enhancing client understanding and engagement.
Senior Network Security Architect Consultant
Dimension Data
12.2014 - 07.2015
- Designed and implemented enterprise-wide Palo Alto firewall architecture across global biotech environments, supporting secure migration from legacy platforms while meeting HIPAA and PII compliance requirements.
- Acted as SME for firewall integration strategy, configuring Advanced Threat Protection (ATP), SSL decryption, and WildFire analysis to enhance malware detection and response.
- Provided architectural oversight on Panorama deployments for centralized firewall management and rule base optimization across distributed LAN/WAN segments.
- Led firewall policy rationalization and ACL restructuring efforts, helping reduce redundant rules by over 30%, improving performance and audit clarity.
- Created network security documentation, including firewall migration guides, access policies, and Visio diagrams, which reduced deployment errors by 50% across engineering teams.
Senior Network Security Consultant
BCI
05.2014 - 09.2014
- Configured and tuned Palo Alto firewalls, Cisco ASA, and Sourcefire IPS to enforce Zero Trust policies and decrypt SSL traffic, improving malware detection capabilities across enterprise networks.
- Led comprehensive IT security audits of firewall and IPS infrastructure, aligning configurations with NIST 800-53 and PCI-DSS standards, ensuring compliance and enhancing audit readiness.
- Conducted risk assessments to identify vulnerabilities and recommend solutions.
- Provided training and guidance to personnel on security protocols and procedures.
Senior Network Security Engineer
DRS Technical contracted to US NAVY
11.2010 - 10.2013
- Secured classified DOD networks through deployment of Palo Alto and Juniper firewalls, FireEye threat detection, and SolarWinds monitoring across 8,000+ nodes over satellite links, enhancing overall network defense.
- Conducted vulnerability assessments with Nessus and Metasploit, enabling RMF compliance and decreasing exploitable CVEs by 40% in mission-critical systems.
- Designed network security protocols for US Navy systems.
- Implemented intrusion detection systems for enhanced threat monitoring.
- Conducted vulnerability assessments to identify and mitigate risks.
Security Auditor
P3SCorp contracted to DOD
01.2010 - 10.2010
- Architected and documented secure firewall/IPS configurations and vulnerability remediation procedures, supporting successful DIACAP certifications.
- Implemented FortiGate firewalls and Cisco security appliances to meet DOD STIGs and SANS best practices for global military communication networks.
- Conducted financial audits for compliance with federal regulations and DOD standards.
- Reviewed internal security controls to ensure operational efficiency and risk management.
IT Auditor
ZeroChaos contracted to HP/EDS
04.2009 - 01.2010
- Conducted comprehensive audits of IT systems and processes.
- Conducted DIACAP testing and auditing across federal systems using Retina, Nessus, Gold Disk, and Wireshark, enhancing security posture of NIPRnet/SIPRnet environments.
- Identified misconfigued encryption and access controls, offering remediation guidance leading to successful recertification of multiple systems.
- Evaluated compliance with internal policies and regulatory standards.
- Collaborated with cross-functional teams to identify risk areas.
Penetration Tester
Genesis Networks
08.2008 - 12.2008
- Designed and executed penetration tests using advanced testing tools and frameworks.
- Conducted wireless and network penetration testing with SAINT and Cisco Spectrum Expert tools, identified vulnerabilities, and recommended remediation strategies using Nessus for enterprise clients.
- Conducted security assessments on client systems to identify vulnerabilities.
- Advised customers on securing wireless controllers and implementing NAC solutions to ensure compliance with industry-specific standards.
- Collaborated with development teams to enhance application security measures.
Network Security Consultant
NEC Unified Solutions Cisco
07.2007 - 08.2008
- Implemented Cisco firewalls, NAC, and IPS devices with role-based access control, enabling policy enforcement and compliance with PCI and internal audit controls.
- Led secure wireless network deployments with WLCs and ACS, enforcing EAP-TLS and SSO authentication.
- Built client relationships, provided tailored security solutions, and advised on industry best practices to enhance client security posture.
Sr. Network Team Lead
ITT Systems
04.2006 - 06.2007
- Managed secure WAN/LAN operations for NATO and US Army FOBs in Afghanistan, deploying Cisco ACLs, TACACS, and military encryption systems (KG-175, KIV-19) in compliance with DISA standards.
- Developed and executed 24/7 network security monitoring and troubleshooting SOPs utilizing SolarWinds and SNMP-based tools to enhance operational readiness.
- Led project teams to enhance system performance and improve service delivery.
- Mentored junior staff in technical skills and project management best practices.
Network Engineer
Jet Propulsion Laboratory contracted w/ITT Industries
12.2003 - 04.2006
- Deployed and managed firewalls, VPNs, and Cisco access control lists for space mission support networks to ensure high availability and maintain security compliance.
- Designed network architectures for innovative space exploration projects.
- Configured routers and switches for optimal performance and reliability.
- Developed secure web-based documentation platforms with Apache, SSL, and token authentication to enhance internal NASA operations.
Infantry Scout
U.S. Marine Corps USMC
09.1988 - 09.1992
- Conducted reconnaissance missions to gather intelligence in diverse environments.
- Analyzed terrain and enemy positions to support tactical planning.
- Collaborated with unit leaders to develop strategic operational plans.
- Completed service worldwide, including Persian Gulf War, culminating in honorable discharge.
Education
Master of Science - Cybersecurity
Capella University
Bachelor of Arts - Anthropology
University of California, Los Angeles
Skills
- Palo Alto Networks
- Cybersecurity Architecture
- AWS Solutions Architecture
- Network Security
- Architecture & Compliance
- DoD RMF
- AWS Machine Learning
- Firewall Configuration & Management
- Azure Solutions Architecture
- NATO networks and security policies
- Zero Trust Architecture Implementation
- PCI-DSS
- PKI
- Anomaly Detection
- Network Traffic Analysis
- ACAS
- TOGAF framework
- AWS and Azure Cloud Security
- Linux
- Unix
- Technical reasoning ability
- Certificate authentication
- Cipher suites
- Incident Response
- Planning & Execution
- Crowdstrike
- Governance and compliance tools
- Sagemaker
- NIST Framework
- Python
- PowerShell scripting
- Multi-factor Authentication (MFA) policies
- Cybersecurity incident response implementation
- TensorFlow
- SSL/TLS encryption
- Microsoft
- Defender
- Identity access management policies (IAM)
- RBAC
- Data Loss Prevention policies (DLP)
- IDS / IPS Configuration & Management
- Azure
- Security architecture
- Patch management
- Application security
- Two-factor authentication
- Intrusion detection
- Network security design
- Network security management
- Secure network architecture
- Vulnerability assessment proficiency
- Endpoint security solutions
- Cloud security expertise
- Advanced threat analysis
- Information Protection
- Network Design & Implementation
- Information Assurance & Vulnerability Management
- PCAP file analysis
- Cyber Security
- Endpoint security
- Information Security Risk Management
- Information Security Awareness
- Problem-solving
- Digital Forensics
- Troubleshooting network security issues
- Network security engineering
- Incident response management
- Compliance auditing
- Cloud security
- Threat hunting
- Vulnerability assessment
- Network architecture
- Incident response
Certification
- CISSP - ISC2
- PCNSE - Palo Alto Networks
- AWS Certified Solutions Architect Associate - AWS
- AWS Certified Security - AWS
- AWS Certified Machine Learning Specialist - AWS
- TOGAF Enterprise Architect - Open Group
- Azure Fundamentals - Microsoft
- CCFH - Crowdstrike
- PCDRA - Palo Alto Networks
- Enterprise Certified Admin - Splunk
- CISA (Certified Information Systems Auditor) - ISACA
- CNDA (Certified Network Defense Architect)
- CEH (Certified Ethical Hacker) - EC-Council
- ITIL Foundation - Exin
Timeline
Senior Cybersecurity Engineer contract
NATO Communications and Information Agency
10.2025 - Current
Senior Cybersecurity Engineer
Ampcus, Nightwing US DHS Cybersecurity and Infrastructure Security Agency CISA
04.2022 - 03.2025
Senior Network Security Consultant
Venatore US Army EUCOM
04.2020 - 09.2021
Senior Cybersecurity Architect
Devis contracted to US Department of State
07.2018 - 04.2020
Senior Network Security Contractor
Leidos contracted to NIH
04.2017 - 02.2018
Senior Network Security Contractor
ATOS
12.2016 - 04.2017
Senior Network Security Architect Presales Engineer
CA Technologies
02.2016 - 12.2016
Senior Network Security Consultant
IT People
09.2015 - 12.2015
Senior Network Security Architect Consultant
Dimension Data
12.2014 - 07.2015
Senior Network Security Consultant
BCI
05.2014 - 09.2014
Senior Network Security Engineer
DRS Technical contracted to US NAVY
11.2010 - 10.2013
Security Auditor
P3SCorp contracted to DOD
01.2010 - 10.2010
IT Auditor
ZeroChaos contracted to HP/EDS
04.2009 - 01.2010
Penetration Tester
Genesis Networks
08.2008 - 12.2008
Network Security Consultant
NEC Unified Solutions Cisco
07.2007 - 08.2008
Sr. Network Team Lead
ITT Systems
04.2006 - 06.2007
Network Engineer
Jet Propulsion Laboratory contracted w/ITT Industries
12.2003 - 04.2006
Infantry Scout
U.S. Marine Corps USMC
09.1988 - 09.1992
Master of Science - Cybersecurity
Capella University
Bachelor of Arts - Anthropology
University of California, Los Angeles