// BOOT SEQUENCE
000
[ok] mounting /dev/identity
[ok] verifying pgp signatures
[ok] scanning attack surface
[ok] loading threat model
[ok] initialising asset inventory
[ok] applying zero-trust policy
[ok] hardening kernel parameters
[ok] binding to port 443
[ok] nullsec operational
prod.nullsec // v1.0.0

// xoudev · 21 · paris · open sept 2028
// GRC · BLUE TEAM · DEVSECOPS
// Securing what others overlook.

Proof over promises.

Nothing here without a trace.

GRC / RISK

  • EBIOS RM
  • ISO 27001
  • NIS2: NIS2 compliance · Arvato
  • MITRE ATT&CK: Threat modelling & detection mapping
  • Vulnerability Mgmt (CVSS): Vuln management via JIRA · Arvato
  • PSSI & Policy: Security-policy drafting · Arvato
  • Training & Awareness: Creation of training · Arvato

BLUE TEAM / DEFENSE

OFFENSIVE / RECON

  • Burp Suite: Web pentest labs · Root-Me
  • Metasploit: Exploitation labs · Root-Me
  • Kali: Daily offensive toolkit
  • Nmap: Recon & service mapping
  • cURL: API testing & recon
  • OSINT: Footprinting & recon

ENGINEERING / WEB

INFRA / DEVSECOPS

  • Docker: Containerised services
  • Kubernetes: Orchestration labs
  • Ansible: Provisioning automation
  • CI/CD: Secure pipelines
  • Proxmox
  • Linux
  • Git: Version control everywhere
Trust is earned,
then documented.
[GRANTED]80%2026.03LEVEL 01
CSNA — STORMSHIELD NETWORK ADMINISTRATOR
STORMSHIELD
[PENDING]→ 2027LEVEL 02
ISO/IEC 27001 LEAD IMPLEMENTER
PECB
[PENDING]→ 2028LEVEL 03
CISSP — CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL
ISC2

I don't build fortresses. I find where they leak.

Two years through computer science at EPSI — DevOps, systems and networks — before cybersecurity at Guardia. The early work was infrastructure and build pipelines, which turns out to be the most direct preparation for security there is: you cannot reason about how a system fails until you have built one under time pressure and watched it strain. The security focus sharpened into a specific interest at Guardia — the space between compliance documentation and operational reality, where most security programmes produce activity rather than outcomes.

The apprenticeship at Arvato is second-line GRC inside Internal Control: EBIOS RM risk analyses, ISO 27001 and ISREG alignment, PSSI and policy drafting, supplier assessments, vulnerability management. The work is governance-layer — translating frameworks into decisions an organisation can actually execute, then keeping the evidence that it did. What I am building toward is a hybrid profile: enough GRC to be credible on governance, enough technical depth for detection engineering and pipeline security. A Mastère in offensive and defensive cybersecurity starts in September 2026. The throughline is secure by design — policy without operational instrumentation is assumption, detection without governance accountability is noise no one owns, and the connective tissue between them is where security actually lives.

From shipping features to securing them.

Oct 2025 — Sept 2026// CURRENTArvato

Assistant LISO — Local Information Security Officer

EBIOS RM risk analyses (GRC, second line)ISO 27001 / ISREG alignmentPSSI and security-policy draftingThird-party / supplier security assessmentsVulnerability management via JIRA (CVSS · SLA)ISMS documentation & on-site sitewalk audits (logistics sites)
Dec 2024 — Feb 2025AaliaTech

Flutter Development Intern

Responsive Dart/Flutter interfacesFirebase auth and storagePerformance optimisation and bug fixing
Apr — Jun 2024Minkey

Web Developer Intern

UI improvementPerformance optimisationWordPress → HTML/CSS/JS migration

Notes from the noise floor.

Same focus, different targets.

MOTO

same focus, different throttle.

DRAWING

pencils, ink, and the occasional tablet.

MANGA & ANIME

raised on panels, arcs and late episodes.

TECHNOLOGY

where the day job and the hobby blur.

GAMING

competitive when it counts, chill when it does not.

Securing what others overlook.

// jordan.turnaco.pro@gmail.com
[ email ][ github ][ linkedin ][ cv ]
// xoudev — securing what others overlook.