Security Platform / Production Systems Engineer

Stewart Wallace

I work on production systems where failure modes, blast radius, observability and abuse resistance matter.

Currently Senior Software Engineer at Monzo, working around authentication abuse controls, cloud identity, edge signals, SIEM visibility and safer rollout patterns. Previously AWS Networking and Skyscanner platform engineering.

Based in Scotland.

Positioning

I’m most useful in the messy space between security, infrastructure and production engineering: turning ambiguous risks into controls that are observable, testable and safe to operate.

What I work on

Authentication abuse & edge controls

Rate limits, WAF signals, silent challenges, replay risk, detection paths, and customer-invisible controls.

Cloud identity & credential hygiene

Short-lived credentials, workload identity, standing-secret removal, scoped access, and blast-radius reduction.

Production systems

Observability, rollout safety, failure modes, incident-shaped thinking, and boring day-two operation.

Technical judgement

Designing controls that fail safely, produce useful signal, and do not collapse under the load they exist to handle.

Selected work

Authentication abuse controls

Worked on login-enumeration defences, including distributed rate-limit tuning, limiter prewarming, and dynamic per-client limit design validated against production traffic.

AWS WAF silent challenges

Evaluated silent challenge options, built a fail-open AWS WAF PoC, propagated token verdicts downstream, and designed mitigations for replayable challenge tokens.

Cloud credential hygiene

Migrated services from static GCP/GCS credentials to short-lived Security Token Exchange credentials, including workload identity and Terraform IAM changes.

Security review tooling

Improved protected-config diff readability for multi-party auth reviews, making sensitive changes easier to review correctly.

Contact

If you want to talk about platform security, production controls, or incident-shaped engineering, the contact page has the least noisy routes.

This is what I bring from platform and security engineering: fast ambiguity reduction, adversarial thinking before rollout, production controls that fail safely, and systems that are observable enough to learn from real abuse rather than merely block it.