| name |
Jonathan Perez |
| github |
GRCJP |
| specializations |
Vulnerability Management |
Cloud Security |
Compliance Automation |
|
| languages |
|
| title |
Senior Cybersecurity Specialist, GRC Engineer |
| company |
Assurit |
| location |
Virginia, USA |
| linkedin |
https://www.linkedin.com/in/cyberjp/ |
| blog |
https://securitybyjp.com/ |
| frameworks |
NIST RMF |
NIST CSF |
NIST 800-53 |
FedRAMP |
SOC 2 |
ISO 27001 |
IRS Pub 1075 |
COBIT |
GAO Green Book |
CMS ARC-AMPE |
CMMC |
|
| certifications |
CISSP |
CISM |
CGRC |
AWS Solutions Architect Associate |
CCSK |
CCZT |
CSA TAISE |
CMMC CCA |
CMMC CCP |
CISA HVA Technical Lead |
CISA HVA Assessment Lead |
|
| available_for |
open-source |
consulting |
hiring |
collaboration |
|
| projects |
| name |
url |
description |
POA&M Manager – Nexus |
|
Ingests raw vulnerability scan data, normalizes findings, maps to controls, and automates POA&M generation and lifecycle tracking. |
|
|
I am a GRC engineer focused on building systems that reduce real security risk while minimizing compliance overhead. My work sits at the intersection of vulnerability management, cloud security, and control governance, with an emphasis on automation, data normalization, and repeatable workflows.
Rather than treating compliance as a documentation exercise, I design solutions that treat controls as measurable, testable system behaviors. My approach is to integrate directly with scanning tools, cloud platforms, and APIs to eliminate manual analysis and shift effort toward remediation and risk reduction.
I spend most of my time engineering solutions that translate raw security data into control-aligned decisions that engineers, ISSOs, and leadership can act on without friction.
- Built automation-first workflows that translate scanner and cloud findings into control-mapped risk objects and POA&M updates.
- Improved vulnerability management execution by focusing on remediation-driving governance, measurable closure validation, and operational reporting.
- Designed repeatable compliance evidence approaches that treat artifacts as system outputs rather than manual documentation.
Feel free to reach out if you want to discuss GRC engineering, vulnerability management automation, OSCAL, or building compliance systems that prioritize real security outcomes.