Joe Bagdon, Developer in Bovey, MN, United States

Joe Bagdon

Verified Expert in Engineering

Bio

Joe is a seasoned security and infrastructure engineering professional with experience performing application and network assessments, writing and enforcing policies, providing defense for an enterprise environment, and administrating infrastructures. He has in-depth knowledge of information security, information technology, and information warfare. Joe is a competent Python programmer, adding automation and integration that reduces workloads.

Portfolio

Kompleye
Penetration Testing, Burp Suite, OWASP Zed Attack Proxy (ZAP), OWASP Top 10...
AgileSecOps
AWS Fargate, Cloudflare, Python, Python API, HIPAA Compliance...
BoostLingo, LLC
Security, SOC 2, ISO 27001, Amazon Web Services (AWS), IT Security, CISO...

Experience

Availability

Part-time

Preferred Environment

Linux, Cloudflare, Amazon Web Services (AWS), Application Security, Python, MacOS, Docker

The most amazing...

...thing I've done is creating and teaching the first-ever undergraduate network warfare training (UNWT) course for the U.S. Air Force.

Work Experience

Principal Penetration Tester

2021 - PRESENT
Kompleye
  • Obtained FedRAMP and CMMC penetration testing certification/qualification for the company.
  • Created and maintained the penetration testing program for Kompleye. Built the program from the ground up, provided direct input into the sales channel, and technically completed all engagements.
  • Performed testing for companies of all sizes, from startups to Fortune 500s and almost every industry.
Technologies: Penetration Testing, Burp Suite, OWASP Zed Attack Proxy (ZAP), OWASP Top 10, OWASP, FedRAMP, NIST, HITRUST Certification, Nessus, Vulnerability Assessment, Social Engineering, Cybersecurity, APIs, DevSecOps, Mobile Security, Certified Information Systems Security Professional, Amazon S3 (AWS S3), Amazon EC2, Security Information and Event Management (SIEM), AWS IAM

Principal Engineer

2015 - PRESENT
AgileSecOps
  • Contributed to policies, procedures, compliance initiatives, and technical implementations. As a CISO-as-a-service, provided guidance and direction related to security, keeping key business objectives in mind.
  • Developed Python and PowerShell scripts to integrate other threat intelligence products into specific platforms and gained solid experience with RESTful APIs.
  • Played a key role in vulnerability scanning and management, as well as penetration testing of infrastructure, mobile, and web applications.
Technologies: AWS Fargate, Cloudflare, Python, Python API, HIPAA Compliance, HITRUST Certification, SOC 2, Firewalls, Web App Security, DevOps, Penetration Testing, Vulnerability Assessment, IT Audits, PCI Compliance, Host-based Intrusion Prevention, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Application Security, ISO 27001, Risk Management, Disaster Recovery Plans (DRP), Virtualenv, Technical Training, Management, Google Cloud, Web Security, Cloud Security, SIEM, Windows, VMware, Threat Intelligence, Training, Compliance, Policy, Puppet, SaltStack, Data Loss Prevention (DLP), Sumo Logic, MacOS, Team Management, Mobile Device Management (MDM), Endpoint Detection and Response (EDR), Amazon Elastic Container Service (ECS), AWS ALB, CISO, Ansible, Terraform, PCI, Web Application Firewall (WAF), OWASP Zed Attack Proxy (ZAP), Burp Suite, Hacking, Ethical Hacking, Amazon Firewall, VPN, IT Security, Security Audits, Security, Okta, SaaS, Flask, Web, Amazon Web Services (AWS), System Administration, Cybersecurity, Network Security, DevSecOps, CI/CD Pipelines, Kubernetes, System-on-a-Chip (SoC), Architecture, Business Continuity & Disaster Recovery (BCDR), Security Architecture, Security Analysis, Content Delivery Networks (CDN), Consulting, Azure, Single Sign-on (SSO), OWASP, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Metasploit, Data Privacy, GDPR, Technical Hiring, Task Analysis, Interviewing, APIs, Cloud, Source Code Review, CISSP, Vulnerability Identification, Authentication, Monitoring, Antivirus Software, IDS/IPS, Amazon CloudWatch, Cloud Architecture, Security Engineering, Data Governance, Data Protection, IT Governance, Group Policy, Database Security, Threat Modeling, WordPress, WP Engine, React Native, Microsoft 365, SecOps, Mobile Security, Certified Information Systems Security Professional, Amazon S3 (AWS S3), Amazon EC2, AWS VPN, Hardware, Infrastructure, Networking, Networks, DevOps Engineer, Security Information and Event Management (SIEM), AWS IAM, AWS IAM Identity Center, GitOps, Infrastructure as Code (IaC)

Fractional CISO

2022 - 2023
BoostLingo, LLC
  • Assisted in developing policies and procedures for SOC2 and ISO 27001 certifications.
  • Reviewed applications for vulnerabilities and made recommendations to developers on the best course of action for remediation.
  • Provided security representation of the company to clients. Completed security questionnaires, answered other client security-related questions, and interfaced with sales staff.
Technologies: Security, SOC 2, ISO 27001, Amazon Web Services (AWS), IT Security, CISO, DevOps, Mobile Security, Certified Information Systems Security Professional, Amazon S3 (AWS S3), Amazon EC2, AWS IAM

Security Advisor | Security Engineer

2022 - 2023
Hearst
  • Led a team of eight engineers to assist in the overall reduction of risk for the corporation. Performed thorough technical remediation of vulnerabilities.
  • Collaborated with business units to assist in identifying and reducing risk. Performed penetration testing and source code analysis and trained developers on security tools.
  • Applied AWS best practices to remediate vulnerabilities in a complex multi-tenant environment.
  • Deployed Azure Sentinel with Terraform and configured rules/alerts to assist the company in meeting HITRUST requirements.
Technologies: Security, IT Security, ISO 27001, Compliance, Consulting, Application Security, Burp Suite, OWASP Zed Attack Proxy (ZAP), Amazon Web Services (AWS), Azure, Terraform, Python 3, Python, Sumo Logic, Cloudflare, Web Application Firewall (WAF), CrowdStrike, NIST, HITRUST Certification, SecOps, Mobile Security, Certified Information Systems Security Professional, Amazon S3 (AWS S3), Amazon EC2, Infrastructure, Security Advisory, AWS IAM, Infrastructure as Code (IaC)

Chief Information Security Officer

2020 - 2022
The Kit Company
  • Built the overall information security program for the company.
  • Achieved SOC2, Type 2 Certification, and HIPAA Compliance.
  • Recreated and redeployed applications into ECS and Fargate using Terraform, providing a hardened, elastic, and reproducible environment with increased security.
Technologies: AWS Fargate, Docker, DevOps, GitHub, GitHub Actions, Cloudflare, SOC 2, HIPAA Compliance, Python, Vulnerability Assessment, IT Audits, Host-based Intrusion Prevention, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Application Security, Python API, Web App Security, Risk Management, Disaster Recovery Plans (DRP), Virtualenv, Technical Training, Team Leadership, Management, Web Security, Cloud Security, SIEM, Threat Intelligence, Training, Compliance, Policy, Data Loss Prevention (DLP), Sumo Logic, MacOS, Team Management, Mobile Device Management (MDM), Amazon Elastic Container Service (ECS), AWS ALB, CISO, Ansible, Terraform, Web Application Firewall (WAF), OWASP Zed Attack Proxy (ZAP), Burp Suite, Amazon Firewall, VPN, IT Security, Security Audits, Security, SaaS, Web, Amazon Web Services (AWS), System Administration, Cybersecurity, Network Security, DevSecOps, CI/CD Pipelines, System-on-a-Chip (SoC), Architecture, Business Continuity & Disaster Recovery (BCDR), Security Architecture, Security Analysis, Content Delivery Networks (CDN), OWASP, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Data Privacy, GDPR, Technical Hiring, Task Analysis, Interviewing, APIs, Cloud, Source Code Review, CISSP, Vulnerability Identification, Authentication, Monitoring, Antivirus Software, IDS/IPS, Amazon CloudWatch, Cloud Architecture, Security Engineering, Data Governance, Data Protection, IT Governance, Database Security, SecOps, Mobile Security, Certified Information Systems Security Professional, Amazon S3 (AWS S3), Amazon EC2, AWS VPN, Infrastructure, Networking, Networks, DevOps Engineer, Security Information and Event Management (SIEM), AWS IAM, GitOps, Infrastructure as Code (IaC)

Senior Manager of Information Security

2015 - 2016
Copart
  • Rebuilt the security team to operate efficiently, with the ability to detect threats and maintain company compliances such as PCI, SOC2, ISO 27001, and Safe Harbor for over 180 locations worldwide.
  • Led recertification of PCI environment by collecting evidence, recommending changes, and remediating issues.
  • Spearheaded the internal risk management program to bind ownership of security risks with the appropriate business owners and provided an overview of risks to C-level executives.
  • Installed Sumo Logic as the central syslog service and acted as the project lead, converting aging syslog and SIEM systems.
  • Architected and deployed the intrusion detection systems and file integrity monitoring, including HIDS, NIDS, and FIM.
Technologies: Sumo Logic, PCI DSS, ISO 27001, Python, Vulnerability Management, Firewalls, Vulnerability Assessment, IT Audits, PCI Compliance, Host-based Intrusion Prevention, Intrusion Prevention Systems (IPS), Application Security, Risk Management, Disaster Recovery Plans (DRP), Team Leadership, Management, Web Security, Cloud Security, SIEM, Windows, Threat Intelligence, Training, Compliance, Policy, Data Loss Prevention (DLP), Team Management, Python API, Web App Security, Endpoint Detection and Response (EDR), Ansible, PCI, Web Application Firewall (WAF), OWASP Zed Attack Proxy (ZAP), VPN, IT Security, Security Audits, Security, SaaS, Web, System Administration, Cybersecurity, Network Security, Business Continuity & Disaster Recovery (BCDR), Security Architecture, Security Analysis, Content Delivery Networks (CDN), OWASP, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Data Privacy, Technical Hiring, Interviewing, APIs, Cloud, CISSP, Vulnerability Identification, Monitoring, Antivirus Software, IDS/IPS, Security Engineering, Data Protection, Group Policy, Certified Information Systems Security Professional, Infrastructure, Networks, Security Information and Event Management (SIEM)

Manager of Information Security

2014 - 2015
Think Finance
  • Oversaw the daily operations of information security, networking, and telephony teams.
  • Wrote and maintained policies and procedures to ensure compliance with PCI and company standards.
  • Built and configured a central logging system based on Elasticsearch and Kibana.
  • Converted all systems from traditional antivirus to Bit9 application whitelisting.
  • Built and installed a network-based intrusion detection system.
  • Incorporated the SaltStack configuration management for all Linux servers and wrote configuration to automate compliance to the Center for Internet Security benchmarks.
Technologies: Application Security, Vulnerability Management, Risk Management, PCI DSS, Data Loss Prevention (DLP), SaltStack, Vulnerability Assessment, PCI Compliance, Disaster Recovery Plans (DRP), Team Leadership, Management, SIEM, Windows, Threat Intelligence, Compliance, Policy, Team Management, Ansible, PCI, IT Security, Security Audits, Security, Web, System Administration, Cybersecurity, Network Security, Architecture, Security Architecture, Security Analysis, OWASP, Technical Hiring, Interviewing, Cloud, CISSP, Vulnerability Identification, Monitoring, Antivirus Software, IDS/IPS, Security Engineering, Data Protection, Group Policy, Certified Information Systems Security Professional, Infrastructure, Networking, Security Information and Event Management (SIEM)

Security Officer

2012 - 2014
Rally Software
  • Interfaced with the customers to answer security-related questions and coordinate the customer security testing.
  • Composed and enforced the security and privacy policies.
  • Oversaw all aspects of an eCommerce site's PCI compliance.
  • Obtained the FISMA NIST 800-53 moderate compliance for SaaS offering and maintained the ISO 27001 compliance, EU Safe Harbor, and HIPAA.
  • Deployed the host-based intrusion detection and network-based intrusion detection systems in both the corp and production environments.
  • Collaborated directly with the operations administrators in a security and operations function.
  • Performed vulnerability and penetration testing on a SaaS application offered by the company.
  • Conducted periodic application reviews while interfacing with developers to solve security issues.
  • Wrote the disaster recovery policy for the production environment and acted as the key contributor to the corp disaster recovery documentation.
Technologies: Application Security, Vulnerability Management, PCI DSS, ISO 27001, Linux, Puppet, Python, Bash Script, Policy, Disaster Recovery Plans (DRP), Vulnerability Assessment, IT Audits, PCI Compliance, Host-based Intrusion Prevention, Intrusion Prevention Systems (IPS), Web App Security, Risk Management, Team Leadership, Management, Web Security, SIEM, VMware, Threat Intelligence, Training, Compliance, SaltStack, Data Loss Prevention (DLP), MacOS, Team Management, CISO, PCI, Web Application Firewall (WAF), OWASP Zed Attack Proxy (ZAP), VPN, IT Security, Security Audits, Security, SaaS, Web, System Administration, Cybersecurity, Network Security, Business Continuity & Disaster Recovery (BCDR), NIST, Security Architecture, Security Analysis, OWASP, Dynamic Application Security Testing (DAST), Data Privacy, Technical Hiring, Interviewing, Cloud, CISSP, Vulnerability Identification, Authentication, Monitoring, Antivirus Software, IDS/IPS, Security Engineering, Data Protection, PHP, SecOps, Certified Information Systems Security Professional, Infrastructure, Networks, Security Information and Event Management (SIEM)

Global Information Security Engineer

2012 - 2012
Prologis
  • Provided all aspects of corporate security support, guidance, engineering, and management.
  • Built and replaced an aging network-based intrusion detection system.
  • Identified and managed the clean-up efforts of several botnets and other maliciously infected systems located within the company’s worldwide infrastructure.
  • Installed the central logging and reporting capability to support security and infrastructure administrators.
Technologies: Python, Intrusion Detection Systems (IDS), SIEM, Penetration Testing, Threat Intelligence, Training, Policy, Risk Management, IT Security, Security Audits, Security, System Administration, Cybersecurity, Network Security, Security Analysis, Vulnerability Identification, Monitoring, Antivirus Software, IDS/IPS, Security Engineering, Data Protection, Infrastructure

Lead System, Network, and Security Engineer

2009 - 2012
Tendril Networks
  • Assessed compliance with the information technology controls and tested application technologies, development projects, data center operations, security, and information technology-related work processes.
  • Developed and maintained the processes to include the security incident response, vulnerability assessment and scanning, patch management, security metrics and reporting, security event management, protection of PII, and encryption.
  • Assessed the risk and internal operating controls by identifying areas of non-compliance and identified operational weaknesses, inefficiencies, and issues.
  • Performed penetration testing and vulnerability scans by utilizing BackTrack, Metasploit, Nessus, John the Ripper, Nikto, Nexpose, Burp Suite, and w3af.
Technologies: Python, Compliance, PCI DSS, Penetration Testing, Vulnerability Management, Web Security, Threat Intelligence, Policy, Puppet, Risk Management, Team Management, IT Security, Security Audits, Security, Web, System Administration, Cybersecurity, Network Security, Architecture, Security Analysis, OWASP, Technical Hiring, Interviewing, Cloud, Vulnerability Identification, Monitoring, IDS/IPS, Security Engineering, Data Protection, Hardware, Infrastructure, Networks

Security and Operations Center Linux Administrator

2008 - 2009
DigitalGlobe
  • Provided the security and administration support for Linux RHEL 5, Windows (XP, 2003, 7, 2008), Solaris 10, and IRIX systems.
  • Troubleshot and resolved issues with the infrastructure components and company-built specialized software applications.
  • Wrote scripts and programs to automate the monitoring and administration processes.
Technologies: Python, Vulnerability Management, Linux, Windows, VMware, Policy, VPN, IT Security, Security, Web, System Administration, Cybersecurity, NIST, Vulnerability Identification, Monitoring, Antivirus Software, IDS/IPS, Infrastructure, Networks

Intelligence and Network Security Administrator

1994 - 2008
U.S. Air Force
  • Managed a development project team for network security attacks.
  • Acted as the certified instructor and developer for the first-ever Air Force undergraduate network warfare course.
  • Instructed students on defending against hacker techniques and the use of malicious software, utilizing Linux hosts with Ruby, Python, and shell scripting.
  • Performed penetration testing with open source software such as NMAP, Nessus, and Metasploit, and other malicious code found on the internet consisting of C++, Python, and shell scripting.
Technologies: Penetration Testing, Python, Compliance, Training, Threat Intelligence, Firewalls, Virtualenv, Vulnerability Assessment, Application Security, Technical Training, Team Leadership, Management, Web Security, Windows, Policy, Data Loss Prevention (DLP), Risk Management, Team Management, Web App Security, Mobile Device Management (MDM), HIPAA Compliance, Web Application Firewall (WAF), Military Operations, Hacking, Ethical Hacking, IT Security, Security Audits, Security, System Administration, Cybersecurity, Network Security, System-on-a-Chip (SoC), NIST, Security Analysis, OWASP, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Metasploit, Technical Hiring, Vulnerability Identification, Authentication, Monitoring, Antivirus Software, IDS/IPS, Infrastructure, Networks

The Unstoppable Denial of Service

I was contacted by a Fortune 100 company with a security issue on their web application. Almost immediately, I identified the problem related to malicious actors hitting an endpoint that was causing a long-running database query and taking the application offline. I worked with the developers and security team to quickly put a web application firewall in place. After 24 hours, the app became tuned and effective and ran smoothly.

DevSecOps Champion

Hired to assist a startup with all things security. I quickly saw that there were noticeable issues in the production environment. There was a lack of knowledge of AWS and proper/secure code deployment pipelines. I was asked to help and get them on the right track. After a couple of weeks, I architected and implemented a new AWS environment. The new environment consisted of running containers in ECS/Fargate and an automated deployment pipeline using GitHub Actions. The solution was deployed with Terraform, and new environments could be spun up in minutes. In the end, the solution was repeatable, secure, and easy to maintain.

From Zero to Compliant – SOC 2, Type 2

A recent customer had a business requirement to become SOC 2, Type 2 compliant, and it needed to happen quickly. There was a risk of losing critical business opportunities if it wasn't achieved on time. They seemed confused as to what went into becoming compliant. SOC 2 was nothing but a terrifying term they didn't want to tackle.

I took the lead and performed most of the work with little interruption to daily operations. Everything from policies to technical implementations was accomplished within 30 days. The auditor provided the SOC 2, Type 1 certification a week later. The monitoring period passed without incident, and we obtained the SOC 2, Type 2, as promised.

JANUARY 2017 - PRESENT

AWS Business Professional

Amazon Web Services

JANUARY 2017 - PRESENT

AWS Technical Professional

Amazon Web Services

SEPTEMBER 2015 - PRESENT

Programming for Everybody (Python)

Coursera

JULY 2015 - PRESENT

An Introduction to Interactive Programming in Python (Part 1)

Coursera

DECEMBER 2012 - PRESENT

Certified Information Systems Security Professional

International Information Systems Security Certification Consortium (ISC)2

DECEMBER 2007 - DECEMBER 2011

GIAC Certified Incident Handler (GCIH)

SANS Institute

JULY 2007 - JULY 2011

GIAC Security Essentials (GSEC)

SANS Institute

Libraries/APIs

Python API

Tools

AWS IAM, AWS Fargate, GitHub, Sumo Logic, SaltStack, Virtualenv, VMware, Amazon Elastic Container Service (ECS), Ansible, Terraform, OWASP Zed Attack Proxy (ZAP), Amazon Firewall, VPN, Metasploit, Amazon CloudWatch, Puppet, Nessus

Languages

Python, Bash Script, Python 3, PHP

Paradigms

DevOps, HIPAA Compliance, Penetration Testing, Management, DevSecOps

Platforms

Amazon Web Services (AWS), Kubernetes, Amazon EC2, Docker, Linux, MacOS, Windows, AWS ALB, Burp Suite, Web, WordPress, Azure, CrowdStrike

Industry Expertise

Cybersecurity, Network Security, Security Advisory

Storage

Amazon S3 (AWS S3), Google Cloud, Database Security, WP Engine

Frameworks

Flask, React Native

Other

Incident Response, Incident Management, Information Security, Cloudflare, SOC 2, Vulnerability Assessment, IT Audits, PCI DSS, PCI Compliance, Team Leadership, Host-based Intrusion Prevention, Intrusion Detection Systems (IDS), Team Management, HITRUST Certification, Web App Security, ISO 27001, Vulnerability Management, Risk Management, Data Loss Prevention (DLP), Policy, Disaster Recovery Plans (DRP), Compliance, Training, Threat Intelligence, SIEM, Web Security, Cloud Security, PCI, IT Security, Security Audits, Security, SaaS, System Administration, CI/CD Pipelines, System-on-a-Chip (SoC), Business Continuity & Disaster Recovery (BCDR), Security Architecture, Security Analysis, Content Delivery Networks (CDN), Consulting, OWASP, Technical Hiring, Interviewing, Cloud, CISSP, Vulnerability Identification, Antivirus Software, IDS/IPS, SecOps, Mobile Security, Certified Information Systems Security Professional, Automated Security Controls Assessment (ASCA), Infrastructure, Security Information and Event Management (SIEM), AWS IAM Identity Center, Infrastructure as Code (IaC), Incident Handling, GitHub Actions, Firewalls, Technical Training, Intrusion Prevention Systems (IPS), Application Security, Mobile Device Management (MDM), Endpoint Detection and Response (EDR), CISO, Web Application Firewall (WAF), Military Operations, Hacking, Ethical Hacking, Architecture, NIST, Single Sign-on (SSO), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Data Privacy, GDPR, Task Analysis, APIs, Source Code Review, Authentication, Cloud Architecture, Security Engineering, Data Governance, Data Protection, IT Governance, Microsoft 365, AWS VPN, Hardware, Networking, Networks, DevOps Engineer, GitOps, Monitoring, Teamwork, Okta, Group Policy, Threat Modeling, OWASP Top 10, FedRAMP, Social Engineering, Information Warfare (IW)
