Thomas Whalley
DevSecOps · Cybersecurity · Digital Forensics
Gosport, Hampshire twhalley@email.com twhalley.online
SC Cleared — DV Eligible

SC-cleared DevSecOps and cybersecurity practitioner with hands-on experience across defence, healthcare, and public sector environments. Background spans digital forensics, infrastructure automation, SIEM deployment, secrets management, and privacy/decentralisation tooling. Strong security-first mindset grounded in real-world classified programme delivery, CTF competition, and independent research into anonymity networks and threat intelligence.

Senior Systems & Security Engineer
Gosport Borough Council — Gosport, Hampshire

Broad infrastructure automation and security operations role for a local authority. Deployed and maintain Grafana + LibreNMS dashboards for real-time network observability and SNMP health monitoring. Built an authorised nmap/Zenmap estate mapping programme feeding a live node-status board.

Administered full Microsoft 365 stack: Exchange Online, Entra ID/hybrid AD, Intune (Windows, Android Enterprise, iOS, macOS), Defender, Purview DLP, and Priva for SAR/FOI compliance. Implemented hardened DMARC/DKIM mail flow and Conditional Access with MFA enforcement and TAP on-boarding.

Deployed Wazuh SIEM for security event visibility; developed a cyber risk register with automated RAG scoring aligned to NCSC CAF, ISO 27001, and NIST CSF. Secured democratic election infrastructure. Responded to phishing incidents and triaged Defender alerts.

Automated Entra ID/Intune group assignments via Microsoft Graph PowerShell. Wrote Python and PowerShell scripts for bulk AD operations, PST-to-MBOX migration, Power BI dashboards, and CSV/XLSX data pipelines. Code-signed scripts via internal AD CS CA for Intune deployment.

DevSecOps Engineer
Mehal Technologies — Dublin

Engineered and secured medical edge devices for clinical environments (HeartRhythmIreland). Built hardened custom RHEL images with podman-bootc; deployed Wazuh Cloud SIEM/XDR for real-time monitoring and incident response across distributed infrastructure.

Architected secure GitHub Actions CI/CD runners with mandatory branch protections and IBM Container Registry secrets management. Deployed OpenBAO with AppRole auth, short-lived token TTLs, and immutable audit logging. Implemented Vault Agent templating to surface secrets at runtime, eliminating hardcoded credentials and env-var exposure.

DevOps Engineer
BAE Systems — Portsmouth (Classified Site)

Delivered secure DevOps automation on a classified defence programme under strict change-control and SLA requirements. Led SDDC automation workstream — Ansible-driven full lifecycle provisioning and teardown of VMware ESXi environments, reducing build time from days to hours.

Architected enterprise secrets management with HashiCorp Vault/OpenBAO: AppRole auth, short-lived TTLs, Vault Agent sidecar injection into Docker microservices, namespace isolation, and immutable audit backends. Mentored junior and client engineers; ran policy design workshops and code reviews.

Wrote pytest suites embedded in Bitbucket CI/CD. Integrated Ansible with iDRAC for bare-metal provisioning. Applied shift-left security gates and OS hardening playbooks across Windows/Linux.

Computer Analyst
Blanchard Wells — Southampton

IT and cybersecurity support across distributed civil engineering sites. Liaised directly with the Managing Director on risk mitigation, network troubleshooting, and endpoint security advice.

Digital Forensics & Cybercrime Intern
South Wales Police — Cardiff

Conducted forensic examination and retrieval of evidence from computers, mobile devices, and digital media as part of live criminal investigations. Produced evidential reports for law enforcement and legal teams, ensuring chain of custody and court admissibility.

Proficient with Cellebrite UFED and Physical Analyzer, GrayKey (full-filesystem iOS/Android extraction), Passware Kit Forensic for encrypted evidence recovery, and EnCase / FTK / Autopsy / X-Ways / Oxygen Forensic Suite. Contributed to development of in-house forensic tooling and plug-ins.

SIEM / Monitoring
  • Wazuh SIEM / XDR
  • SecurityOnion
  • Grafana
  • LibreNMS
  • Zabbix
  • Microsoft Defender
Network & IDS
  • Snort IDS
  • Nmap / Zenmap
  • Wireshark
  • pfSense
  • Sophos Firewall & VPN
  • Protectli (pfSense)
Digital Forensics
  • Cellebrite UFED
  • GrayKey
  • Passware Kit Forensic
  • EnCase
  • FTK Imager
  • Autopsy
  • X-Ways Forensic
  • Oxygen Forensic Suite
Secrets & IAM
  • HashiCorp Vault
  • OpenBAO
  • Microsoft Entra ID
  • Conditional Access / MFA
  • RBAC / Least Privilege
  • Vault Agent Templating
Endpoint & MDM
  • Microsoft Intune
  • Defender for Endpoint
  • MaaS360
  • Samsung Knox / OEMConfig
  • Apple Business Manager
  • VMware vSphere VDI
Anonymity & Privacy
  • Tor (v3 Hidden Services)
  • I2P / i2pd (eepsites)
  • Namecoin (.bit domains)
  • Proxychains
  • mkp224o (vanity onion)
  • Monero (XMR)
Hardening & Compliance
  • NCSC CAF
  • ISO 27001
  • NIST CSF
  • GDPR / DPA 2018
  • ITIL
  • OS Hardening (Ansible)
  • DMARC / DKIM
  • Code Signing (AD CS)
CTF & Offensive Tools
  • Burp Suite
  • Metasploit Framework
  • evil-winrm
  • CrackMapExec
  • Impacket suite
  • John the Ripper
  • Hashcat
  • Gobuster / Feroxbuster
  • Netcat / Ncat
  • Searchsploit
  • GTFOBins
  • Ghidra / IDA / dnSpy
  • CyberChef
  • strings / file / checksec
Local AI / OpSec
  • Ollama (ROCm / AMD)
  • Open WebUI
  • Abliterated models
  • Bitwarden
  • PGP / GPG
  • OpenAlias (XMR/BTC DNS)
Languages
  • Python
  • PowerShell
  • Bash
  • JavaScript
  • SQL
  • C#
  • PHP
  • HTML / CSS
Infrastructure & Automation
  • Ansible
  • Terraform
  • Docker / Podman
  • Kubernetes (K8s)
  • AWS
  • VMware vSphere / ESXi
  • iDRAC (bare-metal)
  • Rundeck
  • NetBox
  • Nginx
  • Certbot / Let's Encrypt
Testing & QA
  • pytest
  • Molecule (Ansible)
  • Selenium
  • Pre-commit hooks
  • GitHub Actions
  • Bitbucket Pipelines
  • Git
Operating Systems
  • Arch Linux
  • Debian / Ubuntu
  • RHEL / CentOS
  • Windows Server
  • Windows 10/11
  • macOS
Python Libraries
  • pandas
  • openpyxl
  • selenium
  • requests
  • Microsoft Graph SDK
  • Manim (animation)
2020 – 2023
BSc Cyber Security & Forensic Computing
University of Portsmouth
2017 – 2019
BSc Digital Forensics
Birmingham City University
2014 – 2017
BTEC Level 3 Diploma — Computer Information Systems
South Downs College, Havant — Distinction* Distinction
SC Cleared: Active UK security clearance. DV eligible for higher-classification defence and government roles.
DEF PROGRAMME: Classified site delivery at BAE Systems. Experienced with strict change-control and classification constraints.
NCSC CAF: Implemented CAF-aligned cyber risk registers with automated RAG scoring at local government level.
ISO 27001: Applied ISO 27001 controls across defence and public sector environments.
NIST CSF: NIST CSF mapped alongside CAF and ISO 27001 in security governance deliverables.
GDPR / DPA 2018: UK GDPR Article 15 and DPA 2018 exemptions; SAR/FOI workflows via Microsoft Priva.
Proof-of-concept feature MR to the official Tails OS project: a duress wipe mode that triggers irreversible cryptographic erasure of the Tails USB when a coercion passphrase is entered — designed for journalists, activists, and at-risk users forced to hand over or unlock their device. 39 commits across 25 files, requiring a full fork and custom ISO build of Tails from source.
Implemented: a D-Bus daemon (org.boum.tails.Duress) running as root for privilege separation; cryptsetup luksErase destroying all LUKS keyslots; USB overwrite with OpenSSL AES-CTR random data sized dynamically from lsblk; power-off via direct kernel reboot syscall; persistent storage configuration UI in GTK3; standalone trigger dialog with test mode and write-speed benchmark; GNOME app and navbar integration. Password hashing via scrypt with open design questions around Argon2id and adaptive parameters. MR closed as not ready to merge — submitted as proof-of-concept to gather upstream design feedback.
Contributor to the official Ansible VMware REST collection — the module set used for automating VMware vSphere infrastructure via the vSphere REST API. Directly relevant to SDDC automation work at BAE Systems.
Raised and contributed to issue #50 on the Oxen (Session/Lokinet) project website. Oxen is the privacy network and cryptocurrency project underpinning the Session messenger and Lokinet onion router.
PR #18 to the community-maintained law enforcement digital forensics resource repository. Contributed based on hands-on experience from the South Wales Police Digital Forensics & Cybercrime internship.
Contributor to the Monero privacy cryptocurrency codebase — a community-driven open source project focused on fungible, private, and censorship-resistant digital currency.
Darknet reverse proxy and phishing research toolkit written in Python. Routes all traffic through Tor (SOCKS5h proxy) to intercept and inspect HTTP/S communications between a client and a target onion service. Captures POST body data and Set-Cookie headers, strips Content-Security-Policy headers, and includes commented scaffolding for onion address replacement, BTC/PGP key swapping, and Tor hidden service auto-generation via a modified torrc. Containerised with Docker. Built for security research and understanding how darknet MITM/phishing infrastructure operates.
Containerised Terraform + OpenBAO deployment pipeline using Podman targeting AWS. Hardened container runtime — read-only FS, all capabilities dropped, no new privileges. Infrastructure-as-code secrets management with OpenBAO from a reproducible, immutable build environment.
FOSS Discord bot (Python + Podman) that intercepts social media links and reposts them using privacy-respecting frontends (rxddit, vxtwitter, ddinstagram). Hardened container deployment: read-only FS, all Linux capabilities dropped, no-new-privileges.
Shell tooling to configure remote SSH unlock of an encrypted Linux system at initramfs stage — allowing headless LUKS-encrypted servers to be unlocked over the network without physical access.
Duress password shell implementation for Linux — triggers a configurable action (wipe, decoy, alert) when a duress credential is entered, providing plausible deniability under coercion.
twhalley.online — Privacy-first personal site
Self-hosted on Debian VPS. No JavaScript, no tracking, no ads. Nginx + Let's Encrypt clearnet, Tor v3 hidden service, I2P eepsite, Namecoin .bit domain. PGP-signed. Monero/Bitcoin via OpenAlias DNS.
Arch Linux Homelab
Hardened desktop running Podman containers, pfSense + Snort IDS, SecurityOnion SIEM, Grafana, LibreNMS, RAID 6. Local LLMs via Ollama with ROCm on AMD RX 7800 XT (16GB VRAM). Mirrors production security toolchains.
YouTube — Cybersecurity & Privacy Channel
Independent educational channel covering anonymity networks, threat intelligence, decentralisation, and practical security tooling. Non-commercial. Series in production: "The Business of Cybercrime" (threat actor economics) and "Proof of Concept" (hands-on lab demos).
Heist — Machine / Windows / Easy
Enumerated a Windows IIS support portal exposing a Cisco IOS router config. Cracked Cisco Type 7 and MD5 password hashes. Performed SID enumeration via Impacket lookupsid to discover additional accounts, then used CrackMapExec to validate credential pairs. Gained initial shell via evil-winrm. Escalated to Administrator by dumping a running Firefox process with procdump64 and extracting credentials from the memory dump using strings.
OpenAdmin — Machine / Linux / Easy
Discovered a vulnerable OpenNetAdmin 18.1.1 instance via directory bruteforcing. Exploited a known RCE vulnerability to gain a www-data shell. Extracted MySQL database credentials from PHP config files and reused them for lateral movement to a local user. Cracked a passphrase-protected RSA private key with ssh2john and John the Ripper. Escalated to root by abusing a sudo misconfiguration on nano via GTFOBins.
Armageddon — Machine / Linux / Easy
Identified Drupal 7.56 via service enumeration and source code analysis. Exploited Drupalgeddon2 (CVE-2018-7600) via Metasploit to gain an Apache shell. Extracted MySQL credentials from settings.php, queried the database to retrieve the admin password hash, and cracked it with hashcat against rockyou. Escalated to root by abusing sudo permissions on snap install via a malicious Snapcraft package (dirty_sock technique).
Editorial — Machine / Linux / Easy
Identified SSRF in a book upload feature via Burp Suite by controlling the bookurl parameter. Enumerated internal ports through the SSRF to discover a local API, then iterated API endpoints to leak cleartext credentials for an SSH user. Discovered additional credentials buried in Git commit history after exploring the dev user's home directory. Escalated to root by exploiting a Python script with sudo privileges via CVE-2022-24439 (GitPython arbitrary code execution).
Bypass — Challenge / Reversing / Easy
Analysed a .NET Windows PE executable. Used strings to identify the binary as a Mono/.NET assembly. Decompiled and debugged with dnSpy to inspect authentication logic — found the main validation function hard-coded to always return false, preventing any legitimate login path. Patched boolean flags at runtime via breakpoints to bypass authentication and extract the flag.
Easy Phish — Challenge / OSINT / Easy
Investigated a domain receiving convincing phishing emails. Queried DNS TXT records using dig and nslookup to extract SPF configuration — found a weak ?all policy permitting any sender, effectively making spoofing trivial. Queried DMARC records (_dmarc.secure-startup.com) to retrieve the second flag fragment. Demonstrated working knowledge of email authentication mechanisms (SPF, DKIM, DMARC) and how misconfigurations enable spoofing attacks.
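As an added example (not code from this CV, from Hack The Box, or from the Gosport DMARC/DKIM work mentioned earlier), the Python script below implements the policy check described in the Easy Phish entry from the defender's side and generalises it slightly: it grades the SPF `all` qualifier (the `?all` case above included), counts DNS-lookup mechanisms against the RFC 7208 limit of ten, parses the DMARC `p=` tag, and combines both into a spoofing-risk rating. The record strings and domain names are constructed for illustration; fetching the live TXT records for the apex and `_dmarc` names (for example with dnspython) is assumed to happen outside the script.

```python
"""Grade SPF and DMARC TXT records for weak anti-spoofing policy.

Added example, not part of the original page. Records below are constructed;
a real check fetches them from DNS for <domain> and _dmarc.<domain>.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# What a receiving MTA does with senders not listed in the record.
SPF_ALL_MEANING = {
    "-": "fail: unlisted senders rejected",
    "~": "softfail: unlisted senders accepted but marked",
    "?": "neutral: no assertion made, spoofing not prevented",
    "+": "pass: every sender authorised, equivalent to having no SPF",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it yields permerror


@dataclass
class SpfAssessment:
    all_qualifier: str | None  # None when the record has no 'all' term
    lookups: int
    weak: bool
    findings: list[str] = field(default_factory=list)


def assess_spf(record: str) -> SpfAssessment:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return SpfAssessment(None, 0, True, ["not an SPF record (missing v=spf1)"])
    all_qualifier, redirect, lookups, findings = None, None, 0, []
    for term in terms[1:]:
        lowered = term.lower()
        # Modifiers are name=value; only redirect= costs a DNS lookup.
        if "=" in lowered and ":" not in lowered.split("=", 1)[0]:
            if lowered.startswith("redirect="):
                redirect = lowered.split("=", 1)[1]
                lookups += 1
            continue
        qualifier = lowered[0] if lowered[0] in "+-~?" else "+"
        mechanism = lowered.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0]
        if mechanism in LOOKUP_MECHANISMS:
            lookups += 1
        if mechanism == "all":
            all_qualifier = qualifier
            break  # RFC 7208: terms after 'all' are never evaluated
    if all_qualifier is None and redirect is None:
        findings.append("no 'all' term: unlisted senders get neutral, spoofing not prevented")
    elif all_qualifier is None:
        findings.append(f"'all' decided by redirect target {redirect}: assess that record too")
    elif all_qualifier in ("?", "+"):
        findings.append(f"'{all_qualifier}all' -> {SPF_ALL_MEANING[all_qualifier]}")
    elif all_qualifier == "~":
        findings.append("'~all' softfail: relies on DMARC to turn softfail into rejection")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}: receivers return permerror")
    weak = (all_qualifier in ("?", "+")
            or (all_qualifier is None and redirect is None)
            or lookups > MAX_LOOKUPS)
    return SpfAssessment(all_qualifier, lookups, weak, findings)


def parse_dmarc(record: str) -> dict[str, str]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple[str | None, list[str]]:
    """Return the p= policy (None if the record is unusable) and findings."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return None, ["not a DMARC record (missing v=DMARC1)"]
    if "p" not in tags:
        return None, ["missing required p= tag: receivers ignore the record"]
    policy, findings = tags["p"].lower(), []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    return policy, findings


def spoofing_risk(spf_record: str, dmarc_record: str) -> str:
    """Combine both controls: each can partly compensate for the other."""
    spf = assess_spf(spf_record)
    policy, _ = assess_dmarc(dmarc_record)
    enforcing = policy in ("quarantine", "reject")
    if spf.all_qualifier == "+":
        return "high"  # +all passes any sender, so DMARC alignment also passes
    if spf.weak and not enforcing:
        return "high"  # neutral SPF and no DMARC enforcement: trivial spoofing
    if spf.weak or not enforcing:
        return "medium"  # one control is weak, the other compensates
    return "low"


SAMPLE_RECORDS = {  # constructed sample domains, not real DNS data
    "weak.example": ("v=spf1 include:_spf.mail.example ?all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "hardened.example": ("v=spf1 mx include:_spf.mail.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        spf, (policy, dmarc_findings) = assess_spf(spf_txt), assess_dmarc(dmarc_txt)
        print(f"{domain}: spf all={spf.all_qualifier} lookups={spf.lookups} "
              f"dmarc p={policy} risk={spoofing_risk(spf_txt, dmarc_txt)}")
        for finding in spf.findings + dmarc_findings:
            print("  -", finding)
```

The risk rating encodes why a `?all` record is only partly rescued by `p=reject`: a neutral SPF result is not a pass, so DMARC still fails for unsigned spoofed mail, whereas `+all` hands every sender an aligned SPF pass that DMARC cannot distinguish from legitimate traffic.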
MarketDump — Challenge / Forensics / Easy
Analysed a network capture (PCAP) to investigate a data exfiltration incident. Filtered HTTP traffic in Wireshark, identified anomalous X-SQL headers, and followed the TCP stream to surface a database exfiltration payload. Decoded the encoded string using CyberChef to identify the targeted customer record and retrieve the flag.
SpookyPass — Challenge / Reversing / Very Easy
Static analysis of a 64-bit Linux ELF binary. Used file and checksec to profile the binary, then ran strings to extract all printable data — identified the hardcoded password in plaintext. Confirmed via Ghidra decompilation showing a direct strcmp against the stored credential. Classic unobfuscated strings challenge demonstrating why hardcoded secrets in binaries are a critical vulnerability.