Since 2020: Cloud Detection & Response

I built and run the team that detects external threats targeting Google Cloud.

GCP is a planet-wide cloud infrastructure that powers millions of projects across hundreds of thousands of customers. It is constantly under attack from attackers ranging from script kiddies to state actors. I am responsible for building the layers of threat detection that identify malicious activity across GCP and stop it from spreading.

  • Created and executed on the multi-year cloud detection strategy and roadmap for GCP and Alphabet
  • Aligned detection & response with GCP's top goals of providing the most secure cloud, partnered with VPs and GMs on funding and reporting
  • Grew the team 5x in 3 years, led hiring across North America and Australia, grew managers and senior ICs to support team expansion
  • Established engineering velocity for a planet-wide threat detection pipelines processing hundreds of rules across exabytes of logs
  • Sustained operational efficiency on first-level alert triaging and escalation in 24/7 follow-the-sun setting
  • Converted local team to fully remote distributed across North America, created new office location for sub-team.


2015 - 2020: Head of Security, Firefox Services

Created the Operations Security team to address risks across the Firefox infrastructure with a strong focus on collaboration with engineering groups (~300 people across dozens of projects, including Firefox) and integration of security into the SDLC. Promoted DevOps security principles across operational groups, and built tools to accelerate security testing in CI/CD. The result of this work has been captured in Securing DevOps, published at Manning in 2018.

In this role, I reported to the board on the security posture of the organization, owned product and services security, managed risks across dozens of applications and several cloud providers and set the security roadmap for cloud services and release engineering of Firefox.

My team was also responsible for incident response across the Firefox infrastructure, and for engineering software and services that hardened defenses and increased product resistance to attacks (eg. fraud detection, code signing, secrets management, etc.).

As an engineer, I built the code signing backend, the TLS auditing service, the secrets management platform and a number of internal tools. I also acted as a security architect on all new projects, to shape engineering designs and follow security standards.

Inside Mozilla, I co-owned the bug bounty program, and sat on the security council to help coordinate security efforts across the organization.


  • Built and grew a DevSecOps team from the ground up, covering secops, appsec, red team and metrics.
  • Owned security for 100+ cloud services, serving 300M+ Firefox users
  • Executed on a multi-year strategy to mature security operations, reduce incidents, and ship products with high security by default
  • Created a metrics program to measure maturity, impact and report security KPIs to leadership
  • Grew a remote team of ~12 engineers, distributed across North America and Europe
  • Defined, implemented and ran security sensitive services: fraud detection, cryptographic signing, etc.
  • Set the standard for security integration into the SDLC, from early reviews to testing, audits, and end-of-life management
  • Supported various infrastructure environment (AWS, GCP, datacenters) and always evolving application stacks


  • Autograph: Mozilla's digital signature service, used to sign Firefox, add-ons & web extensions and many internal apps. Autograph is the service layer that provide cryptographic signers often implemented as separate packages, such as Renard, Margo or PKCS7.
  • TLS Observatory: An observatory for TLS configurations, X509 certificates, and more. I wrote supporting tools like cipherscan.
  • SOPS: Secrets configuration managers that allows ops teams to encrypt, provision & decrypt their YAML/JSON files with cloud provider KMSs.
  • MIG (Mozilla InvestiGator): (archived) Real-time endpoints security platform composed of agents installed on all systems of an infrastructure that are be queried to investigate the file-systems, network state, memory or configuration of endpoints.

Public Speaking

Cloudskills podcast episode 070: Securing DevOps in the Cloud
Testguild podcast: Securing DevOps: Security in the Cloud with Julien Vehent
2018 - Securing Devops - AppSec Podcast
2018 - Modern Web Application Security - BSides Tampa 2018
2018 - Protecting Firefox Data with Content Signature - Enigma 2018
2017 - Securing Your Websites - DevFestFlorida 2017, Orlando, FL
2017 - Test Driven Security in the DevOps Pipeline - AppSecUSA 2017, Orlando, FL
2017 - Test Driven Security in Continuous Integration - Enigma 2017, San Francisco, CA
2017 - Episode Hors Série sur DevOps -NoLimitSecu Podcast (FR)
2016 - Continuous Security in the DevOps world - RMLLSec, Paris, France

link to slides

2013 - 2015: Security Engineer

  • Mozilla Investigator (MIG): Creator & Lead developer. MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security. I created, deployed and operate MIG across several thousands servers at Mozilla.
  • Application Security: all things that speak HTTP (1 or 2). Help projects integrate cryptography, access control, integrity and high availability in web applications. Assess and review the security of webapps and API: XSS, CSRF, SQLi, etc...
  • AWS Security: help operational teams design and run secure platforms in AWS (EC2, VPC, RDS, S3, Route53, and so on).
  • Risk and Security Review: co-designed Mozilla's Rapid Risk Assessment (RRA) framework, used across the organization to evaluate the risks of products and services.

Public Speaking

2016 - Mozilla InvestiGator: Investigate 1,000 endpoints in 10s - OSDFConf, Washington, DC

link to slides

2016 - Investigate 1,000 endpoints in 10s with Mozilla Investigator - RMLLSec, Paris, France
2016 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - Security Bsides, Tampa, FL
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - Usenix LISA15, Washington, DC
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - SANS DFIR Summit, Austin, Tx
2015 - Mozilla InvestiGator: Distributed and Real-Time Digital Forensics at the Speed of the Cloud - HITB Conference, Amsterdam, NL
2014 - SSL/TLS for the Pragmatic - Bucks Country DevOps, New Hope, Pa


2011 - 2013: Systems & Security Architect

AWeber is an email marketing service provider for small businesses worldwide. I designed and implemented the security of AWeber's web stack.

  • Opscode Chef: authored security & web architecture provisioning scripts for Opscode Chef, in Ruby (Advanced FireWall (AFW), Ossec, Keymaster, ...).
  • Web infrastructure: designed highly available infrastructure using load balancing with Haproxy, Nginx, Varnish, etc.
  • Core Networking: lead architect on the redesign of the OSPF/BGP/VPN edge network. Replaced outdated Cisco routers with 10Gbps Linux routers. OSPF/BGP with Quagga, Openvpn, Keepalived, Conntrackd.
  • Sysadmin: participate in day to day operations. Systems & network management, datacenter operations and KVM hypervisors. Level 2 on-call rotation.
  • HIDS: deployment/maintenance of OSSEC for systems security monitoring
  • GeoIP: developped and implemented a set of geolocation algorithms, in Python, to detect suspicious activities.
  • Pentests: internal/external pentests (arachni, nmap, metasploit, ...)
  • Education: Prepared and taugh security & automation classes internally.

Public Speaking

2013 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Netfilter Workshop 2013 / Open Source Days in Copenhagen, Denmark

2012 - AFW: Firewalling dynamic infrastructures with Chef and Netfilter - Security BSides Delaware 2012
2012 - Workshop: Advanced Netfilter & Iptables - Fosscon Philadelphia

The goal of the workshop is to demonstrate how netfilter, iptables, ipset and other tools available in Linux, can be used to build complex firewall policies for dynamic environments. I mentionned, at the end, some of the work i've done with Chef and the AFW cookbook. The slides are here.

2012 - Netfilter & Iptables Elements - AWeber Communications
2012 - Certificates & Public Key Infrastructures - AWeber Communications

The slides are here.

2011 - Qos & Traffic Control in the Linux Kernel - Philadelphia Linux User Group (PLUG)

This is a compressed version of my QoS article, rewritten and improved with the latest work on Bufferbloat, and some item from Comcast Residential DSL. The slides are here.

Greenlink Networks

2011: Cloud Engineer

Greenlink Networks was a startup that provided rewards programs for local businesses and TV stations. I was in charge of building a bigger, faster and more reliable hosting infrastructure for the 30+ websites of the company. This is were I first adopted AWS, back in 2011 when it wasn't nearly as complete as it is today.

  • Support 24/7 operations of the web platform. As GLN was a small shop, I was the oncall sysadmin, DBA, QA and sometimes developer all at once.
  • Transform the single node, Java based, web platform into a load balanced cluster.
  • Handle the migration of all components to AWS: websites (java) and database (oracle).
  • Maintain the production and corporate infrastructure on a day-to-day basis.


2008 to 2010: Security Consultant

Information and Web Security Consultant for banks and financial institutions in the Paris area.

2010: Web Security Engineer at La Banque Postale

Member of the Architecture team: web front-ends security, cryptography, strenghtening of ebanking operations.

  • eBanking security: Access control, system and network partitioning, performances
  • J2EE security: SSL/TLS, IBM IHS, WAS 6, MQ and Web Services cryptography
  • Security assessments and risks analysis

2009: IT Security Engineer at ALD International

Member of the Security team: BCM developement and testing, IT Disaster Recovery Plan (40+ locations worldwide and 2 datacenters).

  • Develop BCM methodology and define Business/IT priorities
  • Design IT recovery architectures
  • Run BCP tests and evaluate reaction capabilities

2008: Web Security Engineer at Societe Generale

eBanking architecture team: web front-ends security and performance, cryptography usage in applications and communications, security audit.

  • eBanking security: Access control, log auditing, performances
  • Security measures: SSL/TLS on J2EE, Weblogic, HAproxy
  • Qualys security audits, firewall rules management

University of Maryland

2007: Research Engineer

Engineered a TCP/UDP proxy in C on Linux 2.6 for connection redirection inside honeypots networks.

Honeybrid was an intelligent network proxy that stands in front of a farm of honeypots and redirect connections from low interaction to high interaction honeypots. This work was completed at University of Maryland in the summer of 2007 as part of my Master thesis.

In the team of Dr. Michel Cukier at the Center for Risk and Reliability.

  • Research: Study of network attacks aiming Linux and Microsoft systems in honeypots environments
  • Design: software engineering using UML specification
  • Coding: C on Linux (TCP stack, B-tree based Decision engine)

note: this project still lives on sourceforge under the name Honeybrid.

MAAF Assurances

Summer 2006: Intern Assistant to the Chief Security Officer

Member of the Information System team: Perl programming for security log processing, application of the privation protection law.

  • Development of a Perl software to supervise antivirus solutions (Norton,
  • Compliancy of the information system with the privacy protection law


2005: Sysadmin

Architecture design and maintenance of the email infrastructure.

  • Migration of the Email infrastructure to Linux/Postfix/Cyrus
  • Integrated PKI (OpenSSL) and LDAP Directory (OpenLDAP)
  • Design of a Site to Site interconnection with OpenVPN


2002 to 2004: part-time helpdesk

French agency for the social security system funding, Tours, France

Helpdesk and Administration/Maintenance of Windows NT/2000 based networks


2007: Master in Information Security Management - University of Poitiers, France

Honor: Summa Cum Laude

2005: Bachelor in Telecommunications Security - University of Tours, France

2004: Brevet de Technicien Superieur en Informatique de Gestion - ISCB of Tours, France

Option System and Network Administrator.
The program was half-time in class and half-time in a professional position at Ursaff.


Securing DevOps: Safe services in the Cloud

Manning Editions - ISBN 9781617294136

Securing DevOps is my first book. It explores how the techniques of DevOps and Security should be applied together to make cloud services safer. The book is written for a technical audience of administrators, operators and security engineers who are tasked with keeping their customers data safe. Securing DevOps reviews state of the art practices used in securing web applications and their infrastructure, and teaches techniques to integrate security directly into the product.

DevOps: nuageux, avec chance de securite - MISC 88 - November 2016

An overview of security techniques in DevOps through the eyes of a fictional french startup.

Mozilla InvestiGator: Quand vos serveurs se prennent pour Sherlock Holmes - MISC HS 11 - May 2015

A presentation of MIG through three short stories of security investigations.

A state-of-the-art of SSL/TLS Server Side - MISC Magazine - March 2014

This article is an overview of the security of SSL/TLS, the challenges in selecting ciphers and certificates, and the state of transport security in general.

Mozilla Server Side TLS guidelines

The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools.

Postfix Postscreen: The Zombie Exterminator - GNU/Linux Magazine #147 - April 2012

A tour of Postscreen, the zombie blocker integrated in Postfix 2.8. I also used this article as an opportunity to develop Postscreen-stats, a Python script that parses the Postscreen logs in an intelligent way.

Web Development with Perl and Mojolicious - GNU/Linux Magazine #138 - May 2011

Introduction to the Mojolicious framework through the development of a simple URL shortener.

Fighting Spam with DSPAM - GNU/Linux Magazine #132 - November 2010

Description of the QOS layer of the Linux Kernel. The article covers the description of the shapping algorithms, the definition of a QoS policy with implementation examples and the set up of RRDtools graphs using Perl.

QoS and Traffic Control in the Linux Kernel - GNU/Linux Magazine #127 - May 2010

Description of the QOS layer of the Linux Kernel. The article covers the description of the shapping algorithms, the definition of a QoS policy with implementation examples and the set up of RRDtools graphs using Perl.

DKIM Email signature and verification with DKIMProxy - GNU/Linux Magazine #125 - March 2010

Article describing the DKIM protocols, its implementation in DKIMProxy and the deployment of a DKIM infrastructure using Debian, Postfix and Bind 9.