Nguyen Truong Khoi

Security Engineer

📧hi@nguyentruongkhoi.com 📞+84 794 216 998
📍Ho Chi Minh City, Vietnam
GitHub: @khoint0210

Basics

Security Engineer with hands-on experience securing cloud environments across AWS and GCP, managing SIEM and SOAR platforms, and embedding security into DevSecOps pipelines. Currently building AI-powered security operations — including MCP Server integrations and AI Agent harnesses for Chronicle SIEM and SOAR — to automate investigation, triage, and documentation workflows. Experienced in IaC-driven security tooling with Terraform and Ansible, and focused on practical risk reduction that scales with engineering teams.

Work

Aurify
Security Engineer
  • Optimize and operate Chronicle SIEM and SOAR platform to improve detection, response, and investigation workflows for FINTech environments.

  • Implement AI Agent setup with MCP Server integrations for Chronicle SIEM and SOAR, enabling intelligent automation and context-aware security operations.

  • Review and implement DORA Compliance controls across GCP, AWS, and On-Premises Data Centers, ensuring regulatory alignment for financial services.

  • Develop IaC modules for security tooling including Security Command Center Enterprise (SCCE) and Google Web Security Scanner on GCP.

  • Design and deploy an AI Agent harness to generate and improve internal documentation, replacing reliance on unstructured Google Docs and Slides.

  • Lead security architecture reviews across multi-cloud and on-prem infrastructure to meet FINTech regulatory requirements.

Katalon
Security Engineer
  • Incorporate DevSecOps practices into development workflows through effective collaboration with developers and infrastructure teams.

  • Monitor and manage security misconfigurations across all SaaS applications through in-depth security checks and automated remediation.

  • Conduct security reviews on multi-cloud environments (AWS, GCP) and implement targeted improvements and mitigations.

  • Build a Security Information and Event Management (SIEM) system based on OpenSearch for real-time analysis of security events across cloud, SaaS, and on-premises systems.

  • Respond to incidents across Email, Endpoint, and SaaS tools — perform analysis, containment, recovery, and post-incident reviews.

  • Automate operational and monitoring requirements using Terraform, Python, and Ansible.

One Mount
Security Engineer
  • Integrate SAST and SCA platforms (Synopsys, Veracode, JFrog) into the DevSecOps pipeline.

  • Control network security by managing Prisma Access firewall policies and configurations.

  • Build Golden Image for Google Compute Engine (GCE) using Packer aligned to CIS standards.

  • Architect and develop VDesktop — a secure virtual desktop for remote production database access with full DLP enforcement.

  • Develop an automated service to scan vulnerable container images on GKE and generate actionable reports.

  • Build a secret scanning tool to detect credentials stored in internal GitLab, Jira, and Confluence.

Innoteq
Security Engineer
  • Set up and harden servers for multiple WordPress and Node.js web applications.

  • Establish security controls and monitoring for web applications to reduce attack surface.

  • Implement vulnerability assessment processes and remediation workflows.

Projects

Security Analysis Agent
Developed an LLM-driven automation system utilizing an Evaluator-Optimizer loop to triage, investigate, and respond to security alerts across Chronicle and Wazuh, reducing SOC alert fatigue.
  • Employ an Orchestrator-Worker workflow instead of relying on a single agent model to reduce hallucinations and improve reasoning accuracy.

  • Automated structured reasoning tasks for SOC analysts, eliminating the standard 30–90 minutes of manual effort per alert to combat alert fatigue.

  • Integrated a self-improving Shared Knowledge Base that continuously refines query libraries, attack patterns, and entity baselines after every confirmed case.

DORA Compliance for Fintech platform
Worked with the GRC and DevOps teams to identify all control gaps and implement fixes via IaC.
  • Identified all misconfigurations and security control gaps related to DORA compliance.

  • Implemented fixes using Terraform modules to ensure a unified, repeatable deployment across future resources.

OpenSearch SIEM
Built a SIEM system based on OpenSearch for Katalon
  • Implemented Infrastructure as Code (IaC) to simplify management and maintenance of the stack.

  • Configured AWS services for integration with OpenSearch, including log normalization before sending to SIEM.

  • Migrated rules from the legacy Coralogix SIEM to the OpenSearch platform.

Cloud Security Posture using Wiz
Integrated Wiz cloud security platform across Katalon environments
  • Integrate and deploy Wiz's suite of tools for cloud security across selected environments.

  • Perform thorough testing of each feature — Cloud Vulnerability Management, CIEM, Container Security, IaC Scanning, CNAPP, and DSPM.

  • Manage access to Wiz with SSO and SAML role mapping by allocating specific roles to IdP user groups.

  • Use Python to automate remediation of Wiz findings.

GitHub IaC
Manage GitHub organization configuration as Infrastructure as Code using Terraform
  • Develop GitHub IaC using Terraform, GitHub Actions, Terraform Cloud.

  • Define IAM Access across Katalon's Org to meet least privilege.

  • Ensure all configuration modifications can be monitored.

  • Apply Infrastructure as Code (IaC) to manage GitHub users and repository permissions.

Optimizing Crowdstrike Falcon Workflow
Enhanced CrowdStrike Falcon detection and response workflow for Katalon
  • Optimize and enhance the workflow of CrowdStrike Falcon by streamlining incident response, customizing configurations, and improving reporting and alarms.

  • Use Python and a Slack bot to automate response to CrowdStrike events.

  • Perform compliance checks with the MDM system for ISO 27001:2022.

  • Define malware infection response processes.

GitLab Prevent Credentials
Prevent accidental credential leaks to One Mount's GitLab
  • Use Bash, pre-receive hooks, and regex definitions to block One Mount credentials from being accidentally pushed to GitLab.

VDesktop for Database Access
Secure virtual desktop solution for remote database access at One Mount
  • Allow remote employees to connect to internal database with all control enforcement on the virtual desktop to prevent data leakage.

Skills

Cloud Security
Keywords: AWS, GCP, Wiz, Prisma Access, CSPM, CNAPP
SIEM & Detection
Keywords: Chronicle SIEM, OpenSearch, Coralogix, CrowdStrike
DevSecOps
Keywords: Terraform, Ansible, GitHub Actions, Synopsys, Veracode, Jfrog, StackStorm
AI & Automation
Keywords: AI Agent, Litellm, Langchain, Opencode
Endpoint & Identity Security
Keywords: CrowdStrike Falcon, Workspace One UEM, Workspace One Access, MDM
Programming & Scripting
Keywords: Python, Bash, SQL, NoSQL, JavaScript

Awards

One Mount Star Engineering
One Mount

One Mount Top Employee recognition for outstanding engineering contributions.

Languages

Vietnamese: Native or Bilingual Proficiency
English: Full Professional Proficiency

Education

FPT University
Bachelor, Information Assurance
  • Achievement: Top score on graduation thesis "DevSecOps In Enterprise".

Courses: Software Foundations, Computer Architecture, Algorithms, Artificial Intelligence, Comparison of Learning Algorithms, Computational Theory