Scott Perry | Manager, Security Architecture & Threat Management | Freelance Microsoft Security Consultant | Remote / U.S.-Based
🌐 Scott Perry | LinkedIn
So you’ve read a post or two, you’ve nodded along at the storage account jokes, you’ve maybe even gone and checked your own Conditional Access policies — and now you’re wondering if I do this kind of work for hire.
The answer is yes. Let’s talk.
What You’re Probably Dealing With
You’ve got a Microsoft environment that’s grown faster than your security policies have kept up with. Maybe you’ve got identity sprawl — role assignments that haven’t been reviewed since the previous administration, service principals with Contributor access that nobody can quite explain, a PIM deployment that someone started and then got pulled off of. Maybe you’re staring down a Zero Trust initiative that’s been on the roadmap for two years and hasn’t moved. Maybe you’ve got a Defender deployment that’s technically “on” but not really doing anything. Maybe compliance is breathing down your neck and you need someone who’s actually read NIST frameworks and lived to tell the tale.
I’ve been that person in the room who untangles all of it. And I can be that person to help you.
What I Bring to the Table
I’ve got 25 years in IT, with the last 15 focused on security — and the career arc matters here. I didn’t come up as a pure security person. I came up through infrastructure: System Center, Active Directory, endpoint management, virtualization, automation. I know how the plumbing works because I built a lot of it. That background is why I can have an actual conversation with your infrastructure team instead of just handing them a policy document and walking away.
For the last several years I’ve been doing this work at Novavax — a pharmaceutical company — where I lead Security Architecture and Threat Remediation across a hybrid cloud environment that includes clinical labs, R&D systems, OT environments, and GxP-regulated and validated systems. That last part matters if you’re in a regulated industry. I’m not theorizing about how to balance security requirements with compliance mandates in complex, sensitive environments. I’m doing it right now, every day, at a company where getting it wrong has real consequences.
My stack is Microsoft — deep, opinionated, and current. Entra Suite, Defender XDR, Intune, Sentinel, a healthy dose of Azure Policy and Purview — I know where the bodies are buried and where the documentation is quietly wrong. I also know ways to have the ecosystem work with Splunk, having scaled a Splunk Cloud / ES ecosystem with the team, pulling logs from across a full enterprise environment, and I’ve spent enough time with NIST (800-53, a little light 800-171), ISO, and SANS to have strong feelings about all of them.
What I Can Help You With
Zero Trust Architecture & Identity
Entra ID, Conditional Access, Privileged Identity Management, and IAM strategy — designing it, implementing it, and making it actually work instead of just looking good on a slide deck. If your identity posture has drifted and you need someone to run an honest access review and clean it up, that’s a place I particularly enjoy starting.
Microsoft Defender Suite
Defender for Endpoint, Defender for Identity, Defender XDR — coverage assessment, tuning, custom detection rules, and incident response maturity. If Defender is deployed but not really pulling its weight, let’s fix that. And maybe you want to connect it to Sentinel to make use of some data allowances or E5 freebies? Let’s get the party started.
Cloud Security & Endpoint Management
Security baseline design, Azure Policy configuration, Defender for Cloud recommendations that actually get acted on. If your posture score is a number nobody looks at, we can change that. Those endpoints that are floating around, unpatched and hopeless – let’s fix them, too.
Vulnerability & Threat Management
TVM program design, Tenable.io and Defender Vulnerability Management, POA&M governance, patching SLA enforcement. The whole “we know we have vulnerabilities but we’re not sure what to do about them” problem is one I solve regularly. Risk isn’t just a number reported from a tool, arbitrary and meaningless without context. It’s about identifying your vulnerabilities, building a framework that mitigates the risk – and it’s not just about patching.
Compliance & GRC Alignment
NIST 800-53 and 800-171, SANS, audit readiness, policy standardization. Particularly relevant if you’re in a regulated industry — pharma, biotech, financial services, healthcare — where security and compliance have to coexist with operational reality.
Regulated & Complex Environments
Clinical IT, OT environments, GxP-validated systems — if you’re operating in a space where compensating controls and risk-based decision making are part of the daily vocabulary, I’m comfortable there. Most people aren’t. Like I said earlier, risk isn’t just about patching, and vulnerabilities come in many forms – it’s not just the unpatched machines, it’s the sad configuration settings on a vendor-provided system that can’t be modified, too. Those PLCs? Who wants to find out what it’s like to be breached because of an unmonitored thermostat?
Why Me, Specifically
Honestly? Because I’m not going to hand you a template and rebrand it as a strategy.
I’ve led teams, built programs from scratch, managed budgets, done multi-year roadmapping, and sat across the table from executive leadership explaining why something matters — and then gone back to my desk and actually built it. I know the difference between a security program that looks good in a report and one that actually reduces risk. And I’ve worked in enough different environments — insurance, pharma, on-prem, hybrid, full cloud, regulated, unregulated — to know that the right answer is always the one that works for your environment, not the one that worked for the last client.
I’m also the person who will tell you when something isn’t going to work, when a vendor is overselling you, and when the right answer is actually simpler than whatever’s being proposed. You’re not hiring me to agree with you. You’re hiring me to help you get it right.
Let’s Get Started
If any of the above sounds like a conversation worth having, I’d love to have it. I work remotely, I’m U.S.-based, and I’m flexible on engagement model — whether you need someone for a focused project, an architecture review, ongoing advisory, or just a second set of eyes on something that’s been bothering you.
📩 Connect on LinkedIn and let’s set up a time to talk through what you’re working on.
No sales deck. No discovery call script. Just a conversation between two people who take this stuff seriously.
And if you haven’t checked your storage account permissions yet — seriously, go do that first. I’ll be here.

