Cloud Security and Cybersecurity professional in training in Germany, focused on GCP, IAM, Zero Trust, DevSecOps, SOC workflows, GRC, and responsible AI governance.
I am building a recruiter-ready cybersecurity portfolio around one question: how can security decisions be made, implemented, documented, and defended under real audit or incident pressure?
| Area | Focus |
|---|---|
| Target role | Cloud Security, Security Architecture, GRC, SOC / Blue Team, DevSecOps |
| Primary cloud | Google Cloud Platform |
| Security themes | IAM, Zero Trust, network security, logging, risk decisions, auditability |
| Practical labs | TryHackMe, TShark, Kali Linux, GCP security labs |
| Governance themes | Decision records, evidence handling, compliance-safe documentation |
| AI security | Responsible AI, RAG risk, inference/privacy concerns, human validation |
| Project | What it demonstrates |
|---|---|
| TryHackMe Guided Web Pentest | Authorized web application pentest workflow with OWASP/PTES methodology, evidence handling, vulnerability chain analysis, and professional reporting. |
| Human SIEM Cybersecurity | Governance-driven cybersecurity operating model for SOC, SIEM, risk decisions, audit readiness, and security leadership review. |
| Cloud Risk Decision Framework | Audit-ready cloud risk reasoning, decision options, trade-offs, and architecture review documentation. |
| TShark SOC Case Study | Network forensics investigation using TShark: phishing detection, IOC extraction, HTTP POST analysis, and threat intelligence correlation. |
| GCP Security Study Cases | Google Cloud security cases covering Cloud Armor, NGFW, BeyondCorp, KMS, logging, monitoring, and evidence-based review. |
| DevSecOps Baseline | GitHub Actions baseline with SBOM generation, vulnerability scanning, secrets detection, and OPA policy-as-code gates. |
- Clear scope: authorized labs, sanitized examples, and no live third-party targets.
- Repeatable structure: README, methodology, evidence, findings, and conclusions.
- Audit readiness: decisions are explicit, versioned, and explainable.
- Security judgment: trade-offs and risk reasoning matter as much as tools.
- Human validation: AI-assisted work must remain accountable and reviewable.
| Domain | Tools and concepts |
|---|---|
| Google Cloud | VPC, Cloud Armor, Cloud NGFW, Cloud Logging, Cloud Monitoring, KMS, Cloud Run |
| Identity and access | IAM, RBAC/ABAC, BeyondCorp, Zero Trust, least privilege |
| DevSecOps | GitHub Actions, SBOM, OPA/Rego, secrets detection, vulnerability scanning |
| Security operations | TShark, Wireshark, Linux, Kali, log analysis, incident response |
| Governance | GRC, decision records, audit evidence, risk communication |
| AI governance | Responsible AI, RAG security, privacy, inference risk, policy documentation |
- Google Cybersecurity Professional Certificate
- Security in Google Cloud Specialization
- Google Cloud networking and Cloud NGFW certificates
- TryHackMe Jr Penetration Tester Path
- TryHackMe Cyber Defense / Blue Team Labs
- Generative AI governance and policy coursework
Full certificate evidence and verification links are maintained in the profile repository and related portfolio projects.
- Cybersecurity student at Masterschool Institute of Technology, Berlin.
- Bachelor degree in Portuguese Language and Literature.
- Languages: Portuguese, German, and English.
- Professional strength: structured thinking, documentation quality, and security reasoning across technical and governance contexts.
| Platform | Profile |
|---|---|
| André Bonfim | |
| Coursera | Coursera profile |
| TryHackMe | a.bonfim.tech |
| GitHub | a-bonfim-tech |
