~/hesham_

Introduction:$ whoami --verbose

Hesham Abdelhay.

I architect application security platforms at scale — integrating SAST, SCA, container & secrets scanning into CI/CD pipelines for enterprises with thousands of repositories. UCL MSc, DeepMind scholar, breaking and building secure systems since 2015.

~/profile.json
const profile = {
  role: "Principal DevSecOps Lead",
  company: "Sky UK",
  location: "London, UK",
  stack: ["Python", "Go", "Java"],
  focus: [
    "AppSec",
    "DevSecOps",
    "PQC Readiness",
    "AI-Powered Security"
  ],
  status: "available_for_chat"
};
AppSec · DevSecOps · Cloud

About me.

I'm a Principal DevSecOps Lead at Sky UK, where I serve as technical authority on application security and lead a distributed team building security platforms used across thousands of repositories.

My work sits at the intersection of code, infrastructure, and risk — architecting CI/CD-native security tooling, eliminating recurring vulnerability classes, and pushing organisations toward post-quantum cryptography readiness.

I've shipped security automation in Python at scale, remediated thousands of critical CVEs across Scala/Python/Node.js stacks, contributed to ISO 27001 & SOC 2 certifications, and represented AppSec in board-level risk committees.

Before going full DevSecOps, I worked threat intel & incident response — hunting IoCs, taking down phishing infrastructure, and authoring IR playbooks. That adversary mindset still shapes how I build defensive systems today.

5+ years in security
1000s of CVEs remediated
7 engineers led
300% community growth

Experience.

A timeline of building, breaking, and securing things at scale.

Principal DevSecOps Lead @ Sky UK

  • Technical authority on AppSec and DevSecOps, leading a distributed team of 7 engineers and consultants.
  • Architect & operate Sky's application security platform — SAST, SCA, container & IaC scanning, secrets — integrated into CI/CD via policy-driven automation.
  • Build Python automation to improve scan coverage, efficacy, and remediation across thousands of repositories.
  • Drive systemic vulnerability reduction using classic AppSec and AI-powered methodologies.
  • Own secrets security strategy: scanning optimisation, FP reduction, key validation, secrets management integration.
  • Contribute to post-quantum cryptography readiness across long-term cryptographic and dependency risk.
  • Promote secure coding in Java, Go, and Python aligned with OWASP standards.


Tech stack.

Tools, languages, and disciplines I work with daily.

AppSec & DevSecOps

SAST · SCA · DAST · MAST · Container Security · Secrets Scanning · IaC Security · Threat Modelling · OWASP · Policy-as-Code

Languages

Python · Go · Java · Scala · Node.js · TypeScript · Bash

Cloud & Infra

AWS · Azure · Terraform · Linux · Docker · Kubernetes · CSPM

CI/CD

GitHub Actions · Jenkins · GoCD · Azure Pipelines · ArgoCD

Security Ops

Threat Intelligence · Incident Response · OSINT · Splunk · PagerDuty · Instana · IoC Hunting

Cryptography

Post-Quantum Crypto · Federated ML Security · Key Management · Hashing Standards · Secrets Lifecycle

Projects & Publications.

Things I build and write outside the day job.

Founder & Maintainer

AppSecPulse

appsecpulse.com

A curated pulse of application security news, research, and tooling — built and maintained solo to keep AppSec practitioners current without the noise.

Application Security · Newsletter · Community · OSINT

MSc Dissertation · UCL · 2020

A Systematic Security Comparison of Different Federated Machine Learning Approaches

Supervised by Prof. Emiliano De Cristofaro (UCL)

A unified evaluation of security and privacy in Federated Learning. Implements and benchmarks comparable attacks — model poisoning, training and test data poisoning, and backdoor attacks — across Horizontal and Vertical FL on a shared baseline, producing quantifiable metrics for attack potency.

  • Model poisoning > training data poisoning > test data poisoning in effectiveness
  • Backdoor attacks viable under specific potency and distribution conditions
  • Unified attack-strength nomenclature transferable across FL variants

Federated Learning · Adversarial ML · Privacy · MNIST

Education & Credentials.

MSc Information Security

Distinction · University College London (UCL)

  • Google DeepMind Full Scholarship recipient
  • NCSC-accredited programme
  • Thesis: "A Systematic Security Comparison of Different Federated Machine Learning Approaches"

BEng Computer Systems Engineering

First Class with Honours · Queen Mary, University of London

  • Thesis: "Development of a Proof-of-Concept Haptic Visualiser Using Principles of Electromagnetic Levitation"

Certifications

AWS Certified Cloud Practitioner · Professional Scrum Master (PSM) · BCS CISMP · CompTIA Security+ · Certified DevSecOps Practitioner (CDSOP) · Certified Advanced Software Security Tester (CASST)

Hackathons & Awards

  • MLH HackLondon 2016
    Best Non-UI Hack & Best Chirp API Hack
  • HackKings 2019
    IBM DeepBlue Award
  • Microsoft DevOps OpenHack
    2021 & 2022

// 05 — get in touch

Let's build secure things.

Whether you want to talk AppSec strategy, DevSecOps platforms, or post-quantum readiness — my inbox is open.

heshamabdelhay37@gmail.com