~/hesham_

$ whoami --verbose

Hesham Abdelhay.

I turn security from a blocker into a paved road — shipping AppSec platforms that scan thousands of repos before coffee gets cold. UCL MSc, DeepMind scholar, ex-threat hunter. I've been breaking systems to build better ones since 2015.

~/profile.json
const profile = {
  role: "Principal DevSecOps Lead",
  company: "Sky UK",
  location: "London, UK",
  stack: ["Python", "Go", "Java"],
  focus: [
    "AppSec",
    "DevSecOps",
    "CI/CD Security",
    "AI-Powered Security"
  ],
  status: "available_for_chat"
};
AppSec · DevSecOps · Cloud


About me.

I make insecure code expensive and secure code effortless. As Principal DevSecOps Lead at Sky UK, I'm the technical authority on application security and the person engineers ping when something looks wrong at 2am.

I lead a distributed team of seven building the platform that guards thousands of repositories — SAST, SCA, container, IaC and secrets scanning, all wired into CI/CD with policy-as-code so the safe path is also the fastest one.

My playbook: delete vulnerability classes, don't chase tickets. Ship Python automation that scales remediation, tune scanners until signal beats noise, and turn AppSec from a gate into a paved road developers actually want to walk.

Before going full DevSecOps I hunted threats and ran incident response — taking down phishing infrastructure, chasing IoCs, writing the playbooks teams still use. That attacker's instinct is what I bring to every pipeline, threat model and architecture review today.

Off the clock I run AppSecPulse, a curated feed for the AppSec community, and obsess over making security tooling that engineers genuinely enjoy using.

  • 5+ years in security
  • 1000s of CVEs remediated
  • 7 engineers led
  • 300% community growth


Experience.

A timeline of building, breaking, and securing things at scale.

Principal DevSecOps Lead @ Sky UK

  • Technical authority on AppSec and DevSecOps, leading a distributed team of 7 engineers and consultants.
  • Architect & operate Sky's application security platform — SAST, SCA, container & IaC scanning, secrets — integrated into CI/CD via policy-driven automation.
  • Build Python automation to improve scan coverage, efficacy, and remediation across thousands of repositories.
  • Drive systemic vulnerability reduction using classic AppSec and AI-powered methodologies.
  • Own secrets security strategy: scanning optimisation, FP reduction, key validation, secrets management integration.
  • Embed security throughout the SDLC — from design and threat modelling to CI/CD guardrails and production runtime checks.
  • Promote secure coding in Java, Go, and Python aligned with OWASP standards, including hands-on developer enablement.


Tech stack.

Tools, languages, and disciplines I work with daily.

AppSec & DevSecOps

SAST · SCA · DAST · MAST · Container Security · Secrets Scanning · IaC Security · Threat Modelling · OWASP · Policy-as-Code

Languages

Python · Go · Java · Scala · Node.js · TypeScript · Bash

Cloud & Infra

AWS · Azure · Terraform · Linux · Docker · Kubernetes · CSPM

CI/CD

GitHub Actions · Jenkins · GoCD · Azure Pipelines · ArgoCD

Security Ops

Threat Intelligence · Incident Response · OSINT · Splunk · PagerDuty · Instana · IoC Hunting

Secure SDLC

Secure Code Review · Developer Enablement · Security Champions · Key Management · Secrets Lifecycle · Cryptography Standards


Projects & Publications.

Things I build and write outside the day job.

Founder & Maintainer

AppSecPulse

appsecpulse.com

A curated pulse of application security news, research, and tooling — built and maintained solo to keep AppSec practitioners current without the noise.

Application Security · Newsletter · Community · OSINT

MSc Dissertation · UCL · 2020

A Systematic Security Comparison of Different Federated Machine Learning Approaches

Supervised by Prof. Emiliano De Cristofaro (UCL)

A unified evaluation of security and privacy in Federated Learning. Implements and benchmarks comparable attacks — model poisoning, training and test data poisoning, and backdoor attacks — across Horizontal and Vertical FL on a shared baseline, producing quantifiable metrics for attack potency.

  • Model poisoning > training data poisoning > test data poisoning in effectiveness
  • Backdoor attacks viable under specific potency and distribution conditions
  • Unified attack-strength nomenclature transferable across FL variants
Federated Learning · Adversarial ML · Privacy · MNIST


Education & Credentials.

MSc Information Security

Distinction · University College London (UCL)

  • Google DeepMind Full Scholarship recipient
  • NCSC-accredited programme
  • Thesis: "A Systematic Security Comparison of Different Federated Machine Learning Approaches"

BEng Computer Systems Engineering

First Class with Honours · Queen Mary, University of London

  • Thesis: "Development of a Proof-of-Concept Haptic Visualiser Using Principles of Electromagnetic Levitation"

Certifications

  • AWS Certified Cloud Practitioner
  • Professional Scrum Master (PSM)
  • BCS CISMP
  • CompTIA Security+
  • Certified DevSecOps Practitioner (CDSOP)
  • Certified Advanced Software Security Tester (CASST)

Hackathons & Awards

  • MLH HackLondon 2016: Best Non-UI Hack & Best Chirp API Hack
  • HackKings 2019: IBM DeepBlue Award
  • Microsoft DevOps OpenHack: 2021 & 2022

// 05 — get in touch

Let's build secure things.

Whether you want to talk AppSec strategy, DevSecOps platforms, or shifting security left in CI/CD — my inbox is open.

heshamabdelhay37@gmail.com