# Andrew Mills
A+ | Network+ | Security+ | CEH
he/him | Seattle, WA | remote
mills@millsymills.com | github.com/millsmillsymills

## Professional Summary

Corporate Security Engineer with 10+ years of experience in IT and security,
specializing in identity and access management, endpoint security, and
security automation. Experienced administrator of Okta, Google Workspace, and
Azure AD/Entra ID; implements SSO/SAML and SCIM provisioning and automates
identity lifecycle workflows. Manages large device fleets with Jamf and
CrowdStrike. Builds custom compliance programs for HIPAA, CMMC, SSPA, and
others. Replaces costly vendor functionality with in-house automations.

## Core Skills

- Identity & Access Management — Okta, Google Workspace, Azure AD/Entra ID,
  SSO/SAML, SCIM provisioning, LDAPS, identity lifecycle
- Endpoint & Device Security — Jamf, CrowdStrike Falcon, Google
  Context-Aware Access, fleet administration
- Zero Trust & Network Access — Tailscale (ZTNA), 802.1X/RADIUS, Conditional
  Access, VLAN segmentation
- Scripting & Automation — Python, Bash, Terraform, Docker/Compose, n8n,
  Slack workflows, cron, CI/CD, Google Cloud Run, AWS Lambda

## Experience

### Corporate Security Engineer — Trail of Bits, 2023 – present · Seattle, WA (remote)

- Planned and executed migration of a 150+ host fleet from SimpleMDM to Jamf.
- Built identity lifecycle workflows for onboarding, offboarding, and
  access auditing using Bash, Python, and Slack integrations.
- Replaced an expensive SOC-as-a-service vendor with n8n automations,
  enriched Slack alerts, and one-click incident response workflows
  ($50k annual savings).
- Managed intelligence sharing between organizations targeted by ELUSIVE
  COMET. Hardened endpoints against Zoom remote-control social engineering
  attacks and authored the associated blog post.
- Developed and maintained compliance frameworks for Microsoft SSPA, CMMC,
  UK Cyber Essentials, and OCP-SAFE. Worked with project managers and
  clients on security questionnaires.
- Administered Tailscale ZTNA, managing tailnets, exit nodes, and access
  policies for remote connectivity.
- Tested all internal security tooling personally before fleet rollout —
  package security scanners, NIST 800-88 cryptographic erasure tools —
  through staged environments. Filed bugs, gave feedback, broke things on
  purpose.
- Provided billable corporate IT and security consultancy directly to
  clients.
- Administered Google Workspace and CrowdStrike Falcon. Used Terraform for
  internal infrastructure projects.

### Associate Security Consultant — Leviathan Security Group, 2022 – 2023 · Seattle, WA (remote)

- Discovered and cataloged vulnerabilities in customer environments.
- Prioritized vulnerabilities and provided mitigation instructions.
- Met with clients to set expectations and present findings.
- Created custom tooling to speed up engagement onboarding for other
  consultants.

### Security Architect — RealSelf, 2017 – 2022 · Seattle, WA (in-office through 2020, remote 2020–2022)

- Owned the vendor vetting program and Risk Register, working with
  procurement and business stakeholders to evaluate third-party security
  and privacy risks.
- Identified and modeled threats to production users, internal employees,
  and third-party vendors.
- Created a Security Ambassador program so non-technical and engineering
  teams could adopt secure practices without top-down mandates.
- Built and maintained program metrics including active vulnerability
  tracking, security silo scoring, and impact-scored future work.
- Led a team to build HaveIBeenPwned credential-checking functionality
  into an AWS Lambda using Terraform. Took it from planning to production.
- Administered Okta, Google Workspace, and Azure AD/Entra ID — SSO
  integrations, MFA enforcement, SCIM provisioning, LDAPS, and access
  controls for internal and SaaS applications.
- Hot-swapped the Zoom environment from Okta's pre-built integration to a
  custom SAML integration with zero downtime, zero complaints, and no
  lost data.
- Planned, staged, and rolled out 802.1X and RADIUS authentication using
  Entra ID for RBAC. Migrated 300 clients across 2 VLANs to a 12-VLAN
  environment automated with PowerShell.
- Built a Security Awareness Training program from the ground up, including
  HIPAA-specific training and executive-targeted curricula.
- Deployed an AWS-based Wazuh SIEM with host agents for threat hunting,
  plus open-source honeypots for network intrusion detection.
- Managed Jamf endpoint fleet and Meraki network infrastructure.
- Ran an internal "Hacktoberfest" security month with guest speakers,
  offensive training, and a company-wide CTF.
- Migrated bug bounty program from HackerOne to Bugcrowd. Handled triage
  and management.
- Moved asset management from a spreadsheet to an AWS-hosted Snipe-IT
  instance.

### Level 3 Support Engineer — Commonwealth Financial Network, 2013 – 2017 · San Diego, CA (in-office)

- Final escalation point for 50+ Level 1 and Level 2 technicians in a
  FINRA/SEC-regulated environment.
- Worked with Compliance and Information Security teams on audit findings
  and security policy improvements.
- Mitigated active security incidents including Poweliks and Cryptolocker
  infections under FINRA/SEC compliance requirements; insider threats
  involving social engineering and unauthorized hardware; and a Zoom RCE
  0-day patched 8 hours before the vendor released their fix.
- Solved an internal hardware theft case by correlating MAC address
  movement across Meraki access points with RADIUS logs, video feeds, and
  badge access logs.
- Handled a rogue client who deployed keyloggers and used social
  engineering to obtain firewall credentials from a Level 1 technician.
- Performed an emergency data exfiltration for a VIP who couldn't reach
  their beachfront office in Florida before Hurricane Irma made landfall
  and destroyed it.

## Skills (full list)

- Cloud — AWS, Azure, GCP, DigitalOcean, fly.io, Docker, VMware Horizon
- Server — Windows Server, Linux Server
- Network & Firewall — Check Point, Meraki, Ubiquiti, RADIUS, Windows
  Network Policy
- IAM — Active Directory, Entra, Okta, Google Workspace
- Endpoint Protection — CrowdStrike Falcon, Symantec Endpoint, Symantec DLP,
  Proofpoint, Material Security, Wazuh, OpenCanary
- Pentest — Burp Suite, Wireshark, network penetration, web app testing,
  Bugcrowd
- SIEM — Splunk, CloudWatch, ELK
- Compliance — HIPAA, GDPR/CCPA, SSPA, CMMC, UK Cyber Essentials, OCP-SAFE
- Scripting — Python, PowerShell, Bash
- AI — Claude Code (admin + dev), OpenAI (admin), Codex (dev)
- DevOps — GitHub Enterprise, GitLab
- Productivity — Jamf, Snipe-IT, Jira, Google Workspace, Adobe CC,
  WordPress, DNSimple
