Sales Engineer · DevSecOps · Machine Identity & Secrets Management
I help LatAm enterprises secure the identities that don't have a face: workloads, pipelines, services, and AI agents.
I spend most of my week with platform, DevOps and security teams across Latin America, helping them answer a question that sounds simple but rarely is: how should our workloads talk to each other?
Not the human side. The much messier world where a CI pipeline, a Kubernetes pod, a Lambda function or an AI agent needs a credential, and somebody has to make sure that credential is short‑lived, scoped, attested and auditable. That's the day job, and honestly it's the part of security I find the most fun.
role: Sales Engineer · DevSecOps LatAm
focus: Non-Human Identity (NHI) · Machine Identity · Secrets Management
domains: Kubernetes · CI/CD · Cloud-native · Zero-Trust workloads
based_in: Brazil, serving all of LatAm
currently: Turning the patterns I deploy in the field into open, hands-on demos

These are the repos I keep open as companions to customer conversations. Real code, real demos, no vendor slides.
| Project | Stack | What it shows |
|---|---|---|
| conjur-explainer | TypeScript · React | An interactive tour of CyberArk Conjur on Kubernetes, covering Spring Boot authn-jwt and the .NET Secrets Provider sidecar pattern. |
| machine-identity-explainer | TypeScript · React | SPIFFE/SPIRE, X.509, mTLS and zero‑trust workload identity, explained with diagrams you can actually click on. |
| k8s-eso-shop | Node.js · Kubernetes | A demo e‑commerce app on Kubernetes wired to External Secrets Operator and Conjur, with a live dashboard and a tiny secret‑watcher operator. i18n in PT/EN/ES. |
| workshop-action | Shell · GitHub Actions | Hands‑on workshop integrating GitHub Actions with Palo Alto Networks IDIRA / Secrets Management SaaS. |
| conjur-action | Shell · GitHub Actions | A reusable GitHub Action for pulling Conjur secrets safely into workflows. |
| appengine-java-conjur | Java · Spring Boot | Spring Boot on GCP authenticating to Conjur Cloud via authn-gcp, using a federated JWT instead of a static secret. |
Non‑Human Identity is the identity problem of the next decade. Every service account, CI runner, microservice and AI agent needs short‑lived, attested, auditable credentials, and most companies are still doing the equivalent of writing the master password on a sticky note in their CI variables.
Federated trust beats shared secrets, every time. OIDC and JWT‑based flows like authn-jwt, authn-gcp, authn-iam, IRSA and Workload Identity Federation are how we get out of the secret‑sprawl spiral. A big part of my job is helping teams adopt them without rewriting their applications from scratch.
Developer experience is a security control. A secrets architecture only works if developers can actually use it. If the SDK is awkward, the sidecar is fragile or the operator hides behind ten YAMLs, people will route around it. Most of my public demos try to model what "easy to use" looks like.
I'm based in Brazil, I work across all of LatAm, and outside of work I tinker with personal automation, home labs, and the occasional side project that probably should have stayed an idea in my notebook. I read a lot, I'm a fan of long espressos, and I'll always say yes to a good architecture conversation.
If you're an enterprise in LatAm thinking about how your workloads should authenticate, how to retire long‑lived secrets from your CI/CD, or how to bring Non‑Human Identity under a single governance model, I'd love to chat.
Thanks for stopping by. ⭐ a repo if you find it useful.



