Defensive Works
Security automation & detection engineering at scale. Built from real production experience across 300+ AWS accounts.
I'm Raajhesh Kannaa Chidambaram — Security Engineer and OSCP. I've spent 15 years building security infrastructure at progressively larger organizations, from racking servers in data centers to securing cloud platforms processing billions in transactions.
This site is where I document what I build and share what I've learned. The AWS docs cover security automation tools I've open-sourced. The blog is where I write about detection engineering, enforcement engineering, and building security at scale.
Everything here comes from doing the work, not theorizing about it.
Writing
Assumed Role — A cloud security thriller in six chapters. A solo security engineer. A stolen credential. 72 hours of real AWS attack & defense techniques wrapped in fiction. Every CloudTrail event, SQL query & IAM policy is functional. Read the PDF
Open Source Projects
| Project | What It Does |
|---|---|
| Attack Surface Management | Continuous external attack surface discovery & vulnerability scanning across AWS Organizations |
| Fleet Access | Hub & Spoke IAM roles for multi-account security — self-mutating CDK pipeline, deploys to all org accounts |
| Identity Center Automation | GitOps for AWS IAM Identity Center — Permission Sets & Assignments as Code, PR-reviewed |
| CloudTrail Lake Detections | Detection engineering over CloudTrail Lake — reusable SQL-based detections |
| Green Stone | Real-time Security Group change detection & one-click revert via Slack ChatOps |
| CDK Org Formation | Manage AWS Organizations as Code |
Find Me
- GitHub: raajheshkannaa
- LinkedIn: raajhesh-kannaa-chidambaram
- Site: raajhe.sh