ISO/IEC 27001 · GDPR · LFPDPPP · OWASP · GRC · Microsoft Purview · Wazuh · SIEM · AWS · Risk Assessment · ISC2 CC · Security+
Cybersecurity · Governance · Risk · Compliance

Alfonso Mallozzi

Cybersecurity student at Tec de Monterrey — I turn security controls, data governance and risk into clear, defensible compliance.

01 — Profile

The short version

I'm Alfonso — a cybersecurity student who fell for the unglamorous half of security: governance, risk, and the rules that decide whether a control actually counts. I learn by building (a data-governance lab in Purview, a SIEM on AWS) and by competing, which is how I landed top-5% in Latin America's biggest cyber contest. What drives me is making risk legible — turning messy systems into something a business can trust, and writing it down so it holds up.

02 — Focus

Where I work best

  1. F-01

    Data Governance & Privacy

    Microsoft Purview, LFPDPPP & GDPR — taxonomy, regulatory glossaries, PII classification (CURP, RFC, CLABE), consent & retention.

  2. F-02

    Risk Assessment

    GRC risk — likelihood × impact analysis, risk registers and treatment plans that turn scattered findings into decisions a business can act on.

  3. F-03

    Security Monitoring & SIEM

    Wazuh & AWS SIEM — insider-risk alerts, audit logs for traceability, and triage with chain of custody.

  4. F-04

    Compliance & Controls

    ISO 27001 & GRC fundamentals — mapping technical controls back to the regulation that justifies them.

  5. F-05

    Cloud Security

    AWS with Infrastructure-as-Code (CDK) — serverless detection pipelines and least-privilege by default.

  6. F-06

    Network Security

    VLAN segmentation, pfSense / OPNsense firewalls and encrypted site-to-site tunnels across multi-branch networks.

  7. F-07

    Offensive Security

    CTF exploitation, enumeration and privilege escalation — understanding the attacker to defend the control.

  8. F-08

    Security Awareness

    Leading a university security club — talks on threat analysis, malware and data-protection culture.

03 — Risk & skills

I make risk legible

Skill map — focus × proficiency (chart; axes: Focus, Proficiency; levels: Exploring, Learning, Solid, Strong)

Skills — by the focus I put into each

  • Risk assessment (GRC): 90
  • SIEM & monitoring: 88
  • Data governance (Purview): 84
  • ISO 27001 / GRC: 82
  • Offensive security: 78
  • Python / SQL scripting: 76
  • Networking (Cisco): 74
  • Cloud security (AWS): 72

04 — The path so far

How I got here

  1. 2026 · Now

    Director — Cybersecurity Club

    Tec de Monterrey (ITESM)

    Lead talks and initiatives on threat analysis, malware and data protection — building a security culture across the student community.

    • Leadership
    • Awareness
    • Talks
  2. 2026

    Data Governance & Compliance

    Microsoft Purview · simulated Mexican fintech

    Built a governance lab: collection taxonomy, an LFPDPPP-aligned glossary and PII classification (CURP, RFC, CLABE, email). Scanned ~1,350 records and flagged 20% of clients with no documented consent, plus expired vendor contracts and a missing retention policy.

    • Purview
    • LFPDPPP
    • Privacy
    • Remediation
  3. 2025

    Cloud-Native SIEM

    AWS · compliance monitoring & insider risk

    Deployed a serverless SIEM (CDK → Kinesis → S3 → Lambda → OpenSearch) detecting after-hours access, bulk transfers and exfiltration, with audit logs for traceability. ~700 events/day across 5 endpoints; one incident taken through full triage and a formal findings report.

    • AWS
    • SIEM
    • Insider risk
    • IaC
  4. 2025

    Network Infrastructure Consulting

    DDD Impressions · 3 branches, 52 employees

    Designed a segmented corporate network (VLANs, Inter-VLAN routing), hardened the perimeter with pfSense/OPNsense and encrypted tunnels between CDMX, Monterrey and Mérida, applying VLSM with a 25% scalability margin. Delivered at $26,371 USD.

    • Network
    • Firewalls
    • VLSM
    • HA
  5. 2025

    OAS Cyberamerican Cup — Top 5%

    OAS · cybersecurity competition (Latin America)

    Evaluated security controls in simulated environments using OWASP, documenting findings with impact, probability and remediation. Analyzed access-control & credential-management gaps and produced severity-classified reports. Ranked 45th of 845.

    • CTF
    • OWASP
    • Risk
    • Reporting
05 — Credentials

Certifications & training

06 — Selected projects

What I've built

Data Privacy · LFPDPPP

Data Governance Lab — Purview

Taxonomy, LFPDPPP glossary and 4 PII classification rules over ~1,350 records; remediation memo mapped to LFPDPPP Arts. 3, 15–18 & 37.

Microsoft Purview · Risk-ranked

Cloud · AWS

Cloud-Native SIEM

Serverless SIEM (CDK, Kinesis→S3→Lambda→OpenSearch) for compliance monitoring & insider-risk detection, with full incident triage and audit logs.

Infrastructure-as-Code · Insider risk

Network · Consulting · 3 sites

Multi-Site Network

VLAN-segmented network with pfSense firewalls and encrypted tunnels across CDMX, Monterrey & Mérida; VLSM with 25% growth margin. Delivered at $26K.

pfSense / OPNsense · High availability

Competition · LatAm

OAS Cyberamerican Cup

Control evaluation in simulated environments with OWASP; impact/probability scoring and severity-classified vulnerability reports.

OWASP · Findings reports

Data · Power BI

Stream Ops Dashboard

End-to-end ops dashboard (Python → PostgreSQL → Power BI) tracking SLAs, incidents and retention for Borregos Gaming, with auto-filled postmortems.

SLAs & MTTR · Postmortems

Don't be scared of the delta, embrace it.

Governance · Risk · Compliance · Data Governance · SIEM · Risk Assessment · Security Awareness