Xenodyne Technologies

About

Hi. I’m Scott Perry — and yes, I’m the guy who gets unreasonably excited about Azure Policy and loses sleep over other people’s bad decisions.

By day, I’m the Manager of Security Architecture and Threat Remediation at Novavax, where I lead a team of security and threat engineers building out a Zero Trust architecture on Microsoft’s stack — Entra Suite, Defender XDR, Intune — across a hybrid cloud environment that also has to play nicely with clinical labs, R&D systems, and the particularly fun world of GxP-regulated and validated environments. If that last part didn’t mean anything to you, consider yourself lucky. It means a lot of compensating controls and very careful conversations.

When I’m not wrangling NIST compliance, governing POA&M processes, tuning detections, or explaining to someone why Conditional Access policies matter before something goes sideways — I’m here, writing about it.  Or, at least, trying to.

I’ve got 25 years in IT under my belt, with the last 15 focused on security. The career arc has been a fun one — I started as a Windows Engineer, deep in the System Center trenches, automating everything I could get my hands on, managing AD environments, and developing a deeply personal relationship with SQL at 11 PM. From there I moved into security, spending nearly a decade at an insurance company where I got my hands on everything from LogRhythm and Palo Alto firewalls to Symantec EDR, Juniper switches, and the early days of Microsoft Defender ATP. That’s where the Microsoft obsession really took hold — architecting Conditional Access policies, App Protection Policies, and compliance configurations back when half the documentation didn’t exist yet and you were mostly figuring it out by trial, error, and creative interpretation of NIST guidelines.

I’ve seen the full arc: from the glorious “just open port 3389, it’ll be fine” era of on-prem everything, to today’s sprawling cloud ecosystems, zero-trust architectures, and licensing models that seem specifically designed to make your head hurt. I’ve cursed Microsoft Learn documentation at 3 AM. I’ve been on the wrong end of a misconfiguration. Probably more than one.  I’ve lived to tell the tale — and apparently decided to blog about it.

This is not a documentation mirror. Microsoft’s docs already exist, and they’re… fine. What I’m trying to do here is make the complicated stuff practical, digestible, and — if everything goes according to plan — occasionally entertaining. Think of it as the blog I wish existed when I was coming up through the ranks, written by the grizzled veteran who’s already made most of the mistakes so you don’t have to.

You’ll find a heavy Microsoft slant here — Entra ID, Defender XDR, Intune, Sentinel, Azure Policy, Purview — because that’s the ecosystem I live in. You’ll also find some Splunk, some Zero Trust philosophy, some vulnerability management war stories, and a healthy overlay of “here’s what the documentation doesn’t tell you.” Security is always the thread running through everything, even when the post is technically about something else.

Expect pop culture references. Expect metaphors involving bouncers, grizzled PIs, and people named Bob. Expect strong opinions about overly complicated licensing models, standing access, and why “I’ll fix it later” is the most dangerous phrase in IT.  Expect random – because in the world of IT, particularly in InfoSec, no two days are the same, and randomness is just something to live by. 

Speaking of “random,” when I’m not doing any of the above, I’m usually outside — because as it turns out, the guy who spends his days building Zero Trust architectures and locking down cloud environments also raises cattle on the side. Mostly it’s for my kids, who are involved in FFA and 4-H, and honestly, watching them develop that kind of work ethic and responsibility has been one of the better things I’ve done. There’s something quietly ironic about spending your week making sure nobody unauthorized gets into your Azure tenant, then spending your weekend making sure nobody unauthorized gets into your pasture. The principles aren’t that different, really. Never trust, always verify — especially the fence line.

Someday, the dream is a small cattle operation that can actually support itself — and maybe even help kids who want to get into agriculture programs like FFA but can’t afford the entry point. Agriculture programs matter. They teach things that no amount of cloud certification ever will. If I can eventually use what I’ve built to open that door for a few kids, that’d be a pretty good outcome.

But for now — the blog. Welcome to Xenodyne Technologies. Pull up a chair — and maybe go check your Conditional Access policies while you’re at it.  They’re not going to fix themselves!

Want to connect or talk shop? Hit me on LinkedIn or drop a comment!