## How I Got Here
My start in security wasn't cloud, and it definitely wasn't glamorous. It was the enterprise trenches — network and endpoint defense, SIEMs, incident response. At a Tier 1 fiber provider I was one of two network security engineers on a small (six-person) security team: Palo Alto firewalls, threat hunting across thousands of endpoints, and Splunk dashboards I built at odd hours because the alert I needed didn't exist yet. Before that, I ran managed security for ten different client organizations at once — a fast way to learn that there's no such thing as "one way" to secure anything.
Here's the part that explains the rest of it: I didn't start with security at all. I started at twelve, reverse-engineering drum videos from a website's page source because I wanted the parts the site wouldn't just hand me. That instinct — open the hood, read the source, figure out how the thing actually works instead of how the manual says it works — never went away. I just eventually pointed it at IAM policies and Terraform instead of drum transcriptions.
A few years ago I joined AWS Professional Services as a security consultant, and that's where the work changed scale. Cloud, infrastructure-as-code, application and product security, DevSecOps. The shift that stuck with me: security as code — something you version, test, and automate — not a checklist you bolt on at the end and hope for the best.
Where I cut my teeth:
- Network security engineering (Palo Alto, Cisco)
- SIEM & detection engineering (Splunk Enterprise, SPL)
- Endpoint detection & response (Cybereason EDR)
- Email security (Proofpoint, Abnormal Security)
- Incident response & threat hunting
- Security automation (Python, PowerShell, Bash)
## What I Actually Do
The through-line across all of it is simple to say and hard to do well: build the automation and guardrails that let teams move fast without shipping risk. Across a long run of enterprise engagements — healthcare, financial services, government, defense, and telecom — that has meant securing regulated cloud at serious scale. A few things I'm proud of:
Multi-Region IPAM on AWS. I authored the public AWS Prescriptive Guidance pattern for multi-Region IPAM and open-sourced the Terraform to aws-samples — dozens of hierarchical pools and hundreds of network resources, automated end to end — plus additional AWS-internal security patterns.
Cloud governance & compliance-as-code. Policy-as-code guardrails at enterprise scale: Service Control Policies, custom AWS Config rules, Security Hub and GuardDuty, Landing Zone Accelerator baselines — the machinery that keeps regulated environments continuously compliant, instead of compliant-on-audit-day.
Shift-left DevSecOps. A CI suite orchestrating 15+ scanners with intelligent change detection. On one financial-services platform it took security validation from a two-week slog down to a few hours — the difference between security being a gate and security being part of the pipeline.
GenAI & agentic-AI security. OWASP LLM Top 10 reviews, Model Context Protocol and multi-agent architecture security, and internal tooling that generates least-privilege IAM policies from plain English. This is the newest frontier, and the one I find the most fun right now.
A few things I've earned along the way:
- AWS Security – Specialty certified
- Security Bar Raiser (SBR)
- Generative AI Security Maven
- AppSec Guardian
- Author, public AWS Prescriptive Guidance (multi-Region IPAM)
- Open source on aws-samples
## How I Think About the Work
A few opinions I've earned the hard way:
Security is an enabler, not a gate. The fastest way to get cut out of the room is to be the person who only ever says no. Good security makes the business outcome possible — it doesn't just make it slower.
Automate the bottleneck. If I have to solve a hard problem once, I'll solve it. If I have to solve it twice, I'll build the thing that solves it forever. Most of my best work started as me being annoyed at doing something manually.
Document for whoever inherits it. The code is half the deliverable. The README, and the why behind a decision, are the other half — that's the part people actually thank you for six months later.
Be honest about trade-offs. Everything costs something: time, money, complexity, security. Pretending otherwise is how you lose trust. I'd rather tell you the real cost up front.
## Beyond the Terminal
When I'm not thinking about cloud architectures, I'm usually somewhere in the Colorado mountains — hiking, skiing, or finding a reason to be outside.
And before security became the main thing, music was. I'm a drummer and percussionist, and for 8 seasons (7+ years) with Kroenke Sports & Entertainment I performed in-game for the Denver Nuggets, Colorado Avalanche, and Colorado Rapids — including the Avalanche's 2022 Stanley Cup run. (Go Avs.) It turns out drumming and security have more in common than they look: both are pattern recognition, timing, and the discipline to practice the boring fundamentals until they're automatic.
## The Short Version
That's the path: enterprise defender to cloud security engineer, by way of a drum kit and an unreasonable amount of page source. If you want to see how I actually think and work — the real technical detail, the opinions, the occasional hot take — the blog is the best window into it. That's where I go deep.
Donny Schreiber
Cloud and product security engineer at AWS Professional Services, based in Boulder, Colorado. I write about cloud security, DevSecOps, infrastructure-as-code, and the security side of AI — drawn from daily practice.