
Cesar Marroquin
Verified Expert in Engineering
Cloud Security Engineer and Developer
Kennett Square, PA, United States
Toptal member since February 25, 2026
Cesar is a cloud security engineer with expertise across fintech and healthcare environments. He has designed zero-trust-aligned cloud security frameworks spanning identity, endpoint, detection, and data protection domains. Backed by CISSP and GIAC credentials, he has strengthened enterprise risk posture through scalable control design, data loss prevention architecture, and executive-level security visibility.
Experience
- Zero-trust Architecture - 6 years
- Azure - 6 years
- Cloud Security - 6 years
- Defense-in-depth Strategy - 6 years
- Risk Management - 6 years
- Role-based Access Control (RBAC) - 6 years
- Endpoint security architecture - 4 years
- Governance, Risk, and Compliance (GRC) - 4 years
Preferred Environment
Windows 10, CrowdStrike, Azure, Microsoft Intune, Microsoft Entra ID, Windows PowerShell, ServiceNow, Amazon Web Services (AWS), Active Directory (AD)
The most amazing...
...thing I've done is architect zero-trust-aligned identity and endpoint controls across Azure, reducing surface while aligning technical enforcement.
Work Experience
Cloud Security Specialist
Customers Bank
- Developed, implemented, and maintained enterprise cloud security strategies, standards, and secured authentication and authorization mechanisms aligned with least-privilege principles via RBAC.
- Audited GPOs, conditional access policies, and endpoint configurations to identify and remediate security gaps, ensuring compliance with Microsoft Defender and CIS requirements.
- Deployed automated security solutions for continuous monitoring, threat detection, configuration management, and security logging architecture.
- Collaborated with incident response and cross-functional teams to resolve cloud-specific threats and integrate security into cloud initiatives.
Information Security Advisor (DevSecOps)
Fiserv
- Integrated SAST, OSS/SCA, and DAST scanning into CI workflows to prevent deployment of applications with critical or high vulnerabilities.
- Ensured regulatory compliance with PCI-DSS, FISMA, and ISO 27001 through enforcement activities.
- Led enterprise security initiatives, increasing MFA adoption by 47%, data encryption by 34%, and WAF implementation by 52%.
- Executed comprehensive vulnerability management, reducing on-premise vulnerabilities by 73%, AWS and Azure cloud vulnerabilities by 92%, and infrastructure vulnerabilities by 57%.
- Conducted risk assessments, threat modeling, root-cause analyses, and impact analyses to advise leadership on remediation and secure technical solutions.
- Performed 3rd-party risk management and audited on-premise and cloud architectures to ensure alignment with zero-trust principles.
- Performed dependency and compatibility analysis for open-source libraries (Maven Central, GitHub repositories) to ensure secure upgrade paths without breaking application functionality.
- Reviewed secure code findings across Java and .NET-based applications, validating remediation prior to production approval.
- Remediated injection vulnerabilities (XSS, SSRF, input validation flaws) by updating regex validation logic and strengthening secure coding practices.
Systems Security Officer
Apovia
- Designed and deployed IT infrastructure for 10 sites, contributing to a 70% organizational revenue increase in 2021, while leading a team of three to deliver projects on time and within budget.
- Deployed and administered Azure cloud services (IAM and networking), Active Directory (GPOs and user management), and Entra ID (RBAC, MFA, and conditional access).
- Managed and supported security and network infrastructure, including Windows Servers, Symantec endpoint security, firewalls, routing, VLANs, CCTV, POS, and VoIP systems.
Experience
Microsoft Defender & Intune Security Configuration
I implemented Microsoft Defender security features, including endpoint protection policies, attack surface reduction rules, and threat detection configurations aligned with industry best practices. Conditional Access, compliance policies, and device configuration profiles were carefully designed to balance strong security controls with usability.
Throughout the project, I tested and refined configurations to ensure devices were properly secured, compliant, and reporting correctly. The final outcome was a fully functional, scalable, and secure endpoint management and protection environment that met the client’s operational needs and significantly improved their overall security posture.
Education
Master's Degree in Cybersecurity and Information Assurance
Western Governors University - Salt Lake City, UT, USA
Bachelor's Degree in Computer Science
Harvard University - Cambridge, MA, USA
Certifications
Certified Information Systems Security Professional (CISSP)
ISC2
Pentest+
CompTIA
SANS Security Strategic Awareness Professional (SSAP)
SANS
GIAC Defensible Security Architect (GDSA)
GIAC
GIAC Strategic Planning, Policy, and Leadership (GSTRT)
GIAC
GIAC Certified Incident Handler (GCIH)
GIAC
GIAC Security Essentials (GSEC)
GIAC
Skills
Tools
Microsoft Intune, Microsoft Power BI, Metasploit, Wireshark, Splunk, Nessus
Paradigms
Role-based Access Control (RBAC), HIPAA Compliance, DevSecOps, Penetration Testing
Platforms
Azure, Amazon Web Services (AWS), SharePoint, CrowdStrike, Windows Server, Docker
Storage
Microsoft Entra ID, Azure Active Directory, Database Security
Frameworks
AI Risk Management Framework, Windows PowerShell
Languages
Java, Python, Snowflake
Other
Risk Management, Cloud Security, Risk Assessment, IT Security, Security Architecture, Defense-in-depth Strategy, Zero Trust, Translating business risk into technical controls, Aligning security initiatives with business objectives, Security best practices for enterprise environments, Vulnerability identification and mitigation, Prioritizing vulnerabilities for remediation, Executive-level reporting and presentation, Vulnerability Management, Executive Reporting, Microsoft Conditional Access, Secure Storage Accounts, Zero-trust Architecture, Fortify SSC, RSA Archer, Bitlocker Configuration, Cybersecurity Strategy Development, Strategic security planning, Security, CISSP, MITRE ATT&CK, Risk Management Framework (RMF), ServiceNow, Active Directory (AD), Threat Modeling, Networking, Threat Analysis and Risk Assessment (TARA), Incident Response, Network Architecture, Network and Communication Security, Secure Software Development Lifecycle (SSDLC), Business Continuity & Disaster Recovery (BCDR), Intrusion Detection and Analysis, Malware Analysis, Log Analysis, Digital Forensics, Enterprise Security Architecture, Secure firewall and proxy architecture, Endpoint security architecture, SaaS, Network & Cloud Security Design, Enterprise cybersecurity strategy development, Executive Communication & Decision-Making, Cybersecurity Strategy & Leadership, Standards, guidelines, and procedures development, Security awareness and hygiene, Cryptography & Authentication, Planning, scoping, and recon of engagements, Identifying misconfigurations and security gaps, SQL Injection, XSS, CSRF, Security Reporting & Risk Prioritization, Security awareness program development, Communicating security concepts to executives and non-technical stakeholders, Influencing security culture across teams, Process Improvement, Vulnerability Assessment, Group Policy Objects (GPOs), Identity and Access Management, Endpoint Security, Just-in-time Access, Data Loss Prevention (DLP), Microsoft Purview,
Cloud Apps Security, Policy and Standard Development, Azure Virtual Machines, Hybrid Frameworks, Multi-factor Authentication (MFA), Regulatory Compliance, Firewalls, Ticketing Systems, Mobile Device Management (MDM), VLANs, Attack Surface Management, Attack Surface Reduction Rules, Threat Detection and Response (TDR), Secure network design & architecture, Information Assurance, Governance, Risk, and Compliance (GRC), Audit preparation and support, Platform as a Service (PaaS), Infrastructure as a Service (IaaS), PCI, NIST, ISO 27001, CI/CD Pipelines, Application Security, SecOps, AI Risk Assessment, GRC, AI Security, Identity & Access Management (IAM), OWASP, Vulnerability Triage, Data Governance, Microsoft 365, Architecture, IT Audits, Vulnerability Remediation, Security Assessment, Risk Analysis, Network Security, Operating System Security, Privileged Access Management (PAM), Compliance, IT Governance, Security Information and Event Management (SIEM), Windows 10, Open-source Intelligence (OSINT), Incident Handling, Network Traffic Analysis, Cyber Threat Hunting, Threat modeling (STRIDE, ATT&CK), Container & virtualization security, Security program maturity assessment, Third-party & supply chain risk management, Linux security, Network vulnerability scanning and analysis, Nmap, Nessus, OpenVAS, Burp Suite, OWASP ZAP, Azure Landing Zones, Infrastructure as Code (IaC), Secure Containers, Network Architecture Auditing, Source Code Review, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Wiz Cloud Security Platform, VoIP Administration, Point of Sale, SonicWall, Symantec, Microsoft Defender Antivirus, SOC 2, Web Application Security (Web AppSec)