AI-Powered Security Operations

Security systems that scale.
Without scaling headcount.

ZeroCreds installs automated security infrastructure for startups — compliance evidence generation, vulnerability triage, questionnaire automation — code you can ship and automation that keeps shipping after we leave.

6+ years at Nike, ZeroFox, IDX
200+ engineers on CI/CD I built
0 static credentials left behind



Your security isn't broken.
It just doesn't scale.

Security questionnaires eating your week.
Every enterprise deal requires one. Your CTO fills them out manually.
Compliance evidence scattered across 5 dashboards.
Your auditor asks for proof. You spend three days assembling screenshots.
Vulnerability alerts drowning real signals.
200 findings from the last scan. Maybe 3 actually matter.
No one owns security full-time.
Engineering patches what they can. The rest piles up.
# Before: what's probably in your stack right now
containers:
  privileged: true              # running as root
  readOnlyRootFilesystem: false
network_policies: none          # every pod talks to everything
iam_credentials: "AKIA..."      # hard-coded, never rotated
dependency_scanning: off        # hope nothing's vulnerable

# After: what your stack looks like in 2-4 weeks
containers:
  privileged: false
  runAsNonRoot: true
  readOnlyRootFilesystem: true
network_policies: enforced      # zero-trust between services
iam_credentials: OIDC           # short-lived, nothing to leak
dependency_scanning: on         # Trivy + Snyk in every PR

Full-stack security operations. Automated.

From containers to compliance — every engagement installs systems you own.

01

Container & Runtime Security

Secure base images, non-root execution, read-only filesystems, and runtime monitoring — so a container breach can't become a cluster breach.

02

Kubernetes & EKS Security

RBAC lockdown, network policies, pod security standards, and secrets management — least-privilege from pod to cluster.

03

Application Security

Dependency scanning, SAST/DAST integration, SBOM generation, and supply chain controls — catch vulnerabilities before they ship.

04

OIDC & Credential Elimination

GitHub Actions OIDC federation, short-lived tokens, subject claim scoping. Nothing to rotate. Nothing to leak.

05

GitHub Organization Security

Rulesets, secret scanning, push protection, CODEOWNERS, and access audits — your code locked down before it leaves the branch.

06

AWS Security Baselines

IAM tightening, CloudTrail, GuardDuty, SCPs, encryption defaults — all in Terraform you version and audit.

07

CI/CD Pipeline Security

Action pinning, least-privilege workflows, protected environments, and runner isolation — so a compromised action can't own your pipeline.

08

Compliance-as-Code

SOC 2 and ISO 27001 policies mapped to your actual infrastructure. Evidence collection automated from AWS, GitHub, and CI/CD — delivered as versioned, auditable code.

09

Security Questionnaire Automation

AI-powered responses to vendor security questionnaires, trained on your infrastructure and policies. Days of work reduced to hours.

Assess. Build. Automate.

01

Assess

I review your repos, configs, pipelines, and cloud accounts. Automated scanning covers ground fast. My judgment separates real risks from noise. You get a prioritized risk snapshot and an automation roadmap.

02

Build

I deploy the security infrastructure your stack needs — hardened configs, Terraform modules, CI/CD lockdown — plus AI-powered automation for questionnaires, compliance evidence, and vulnerability triage.

03

Automate

You own everything. Running systems, not a report. The automation keeps working after I leave — triaging vulnerabilities, generating evidence, answering questionnaires. Your engineers maintain it from day one.

Built by someone who's done this at scale.

Not a big consultancy. Not AI-generated output with a logo on it. One senior engineer who's secured production at Nike, ZeroFox, and IDX — specializing in the intersection of security operations and AI-powered automation.

6+
Years securing infrastructure at Nike, ZeroFox, and IDX
200+
Engineers on CI/CD infrastructure built at Nike
0
Static credentials left behind. Every engagement ships OIDC.

Most security firms hand you a report. Some hand you code. I install an AI-augmented security operations layer — so you get enterprise-grade security posture without hiring an enterprise-grade security team.

— Evan Ippolito, Founder

Here's what delivery actually looks like.

# What you get: a Terraform module in your repo.
# This one sets up GitHub Actions OIDC federation with AWS.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

resource "aws_iam_role" "deploy" {
  name               = "github-actions-deploy"
  assume_role_policy = data.aws_iam_policy_document.github_oidc.json
  # Scoped to specific repo and branch.
  # No long-lived keys. No secrets to rotate. Nothing to leak.
}
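The snippet above references two data sources it does not show: the GitHub certificate lookup and the trust policy that does the "subject claim scoping" the OIDC service section describes. The block below is an added illustration of what those look like, not ZeroCreds' module; the organization, repository and branch names are placeholders.

```hcl
# Added example: the data sources the role and provider above reference.
# Org, repo and branch are placeholders, not values from the page.

# Fetches the OIDC issuer's certificate chain so the provider can pin a
# thumbprint; the .well-known path is the standard OIDC discovery endpoint.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

data "aws_iam_policy_document" "github_oidc" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # Audience check: the token must have been minted for AWS STS.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Subject check is what actually limits who can assume the role.
    # Without it, a workflow in any GitHub repository that can reach this
    # provider could assume the role. An exact match on one repo and one
    # branch is the tightest form; "repo:example-org/*" would widen trust
    # to every repository in the organization, so review any wildcard.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-app:ref:refs/heads/main"]
    }
  }
}
```

On the workflow side, the job needs `permissions: id-token: write` to request the OIDC token; a job without it gets no token and the role cannot be assumed, which is the intended failure mode.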
# Auto-generated compliance mapping: SOC 2 CC6.1 → your actual controls.
# Not a spreadsheet. Versioned code that stays current as your infra changes.
control "cc6.1_logical_access" {
  requirement = "Restrict logical access to information assets"

  evidence {
    iam_policies    = module.aws_baseline.iam_policy_arns
    oidc_federation = module.github_oidc.provider_arn
    rbac_config     = module.eks_security.rbac_roles
  }

  validation {
    no_wildcard_actions = true  # verified against live IAM
    no_static_keys      = true  # OIDC federation confirmed
    mfa_enforced        = true  # AWS account-level check
  }
}

Every engagement installs systems like this — shaped by judgment about what your stack actually needs. Reviewed, tested, merged into your repo. You keep everything.

Fixed scope. Running systems. Code you keep.

No hourly billing. No scope creep. Every engagement installs automated security infrastructure you own.

Security Baseline

$5,000
~1 week
  • Infrastructure & application security assessment
  • Container and Dockerfile review
  • GitHub org & repo security review
  • CI/CD pipeline risk analysis
  • Prioritized remediation code + security automation roadmap

Full Security Stack

$20,000
3–4 weeks
  • Everything in Security Operations Buildout
  • Kubernetes/EKS security (RBAC, network policies, pod security)
  • AWS security baseline (IAM, CloudTrail, GuardDuty, SCPs)
  • Complete AI-augmented security operations layer
  • Monitoring, alerting & team enablement

Ongoing Retainer — Security maintenance, policy updates, and quarterly reviews. Your stack evolves. Your security keeps up.
$2k–$5k/mo

Frequently asked. Straight answers.

What's a "code-first" engagement?
I assess your stack, identify what matters, and install automated security systems — Terraform modules, hardened configs, AI-powered triage and compliance workflows. Not a PDF of recommendations — running infrastructure you merge and deploy.
Do I need to be on AWS?
I work across AWS, GCP, and Azure. Most engagements are on AWS, but the security patterns are cloud-agnostic.
How long does a typical engagement take?
Security Baseline is ~1 week. Security Operations Buildout is ~2–3 weeks. Full Security Stack is 3–4 weeks. Retainers are ongoing.
What if we already have some security in place?
Good — I'll assess what you have, identify the gaps that actually matter, and only fix what needs fixing. No rip-and-replace.
What if we're early-stage or a small team?
That's exactly when security decisions compound. The Security Baseline is scoped for teams of 5–50 engineers — you get the controls that matter at your stage without overbuilding. Fix it now or pay 10x to fix it during your SOC 2 audit.
How does AI fit into the engagement?
AI powers the automation layer we install — questionnaire responses, compliance evidence generation, vulnerability triage. Every architecture decision and line of Terraform is reviewed and shaped by my judgment. You're hiring experience that knows how to make AI work for security — not a prompt.

Tell me about your stack.
I'll tell you where to start.

Let's talk

Tell me what you're running, where you deploy, and what keeps you up at night. I'll respond within 24 hours with an honest assessment of where your biggest risks are.

No sales calls. No pressure. Just a straight answer from someone who's done this.

evan@zerocreds.io