"Simple can be harder than complex. You have to work hard to get your thinking clean to make it simple."
— Steve Jobs
About me
Platform Architect with 20+ years of progressive experience — from 1st line support to Lead Architect roles across enterprise infrastructure, cloud-native platforms, and AI/GenAI deployments.
Currently at IONITY, Munich in a dual role as Product Owner and DevOps Lead — owning the platform roadmap and backlog while hands-on architecting, engineering and operating enterprise Kubernetes infrastructure for Europe's fastest growing EV charging network.
// location & contact
// available for
Core expertise
You've probably seen it before — a technology adopted because the engineering team wanted to try it, not because the business needed it. Or a platform with no automation, where every deployment is a manual ritual. Maybe a developer portal that exists as a Confluence page nobody reads, or on-call rotations that fire at 3am because nobody defined what "healthy" actually means.
I bring the other side of the equation. Before anything gets built, I map the options, model the trade-offs across cost, complexity, risk and maintainability, and put forward structured proposals with explicit SLA, SLO and RTO/RPO commitments — including full build cost breakdown covering labour, estimated ongoing maintenance, operational overhead, and the cost of switching to an alternative if the chosen technology turns out to be the wrong bet. Automation is not a nice-to-have — it's the baseline. Self-service is the goal. Observability and monitoring patterns are part of the delivery, not an afterthought. And engineering enthusiasm, however genuine, is never a substitute for a business case.
I also personally believe that architecture and engineering are two distinct disciplines — and treating them as one is where most complexity debt originates. An architect defines the boundaries, makes the decisions that are expensive to reverse, and owns the long-term consequences. An engineer executes within those boundaries with skill and precision. When the same person does both without conscious separation, the result is systems optimised for what was fun to build — not for what the business needs to operate, scale, and eventually change.
And equally important: an architect who doesn't understand the business is just an engineer with a fancier title. Real architecture requires continuous, honest dialogue with the people running the business — not to gather requirements and disappear, but to truly understand what is needed for the business to grow. Without that, IT ends up delivering what it thinks the business needs. And in the majority of cases, it doesn't match reality. Features nobody uses. Platforms nobody asked for. Infrastructure that solves yesterday's problem at tomorrow's cost.
Kubernetes is the new Linux — the question is no longer whether to run it but how to run it well. Designing and operating EKS, AKS and self-managed clusters with GitOps delivery, event-driven autoscaling via KEDA and Fargate profiles that cut cloud bills without sacrificing reliability.
Self-hosted LLMs are the answer to data sovereignty, cost predictability and customisation. Running CodeLlama, Qwen and Gemma on Kubernetes for production workloads — developer assistants, helpdesk automation and real-time analytics — with RAG pipelines grounded in your own data, not the public internet.
Security that moves at the speed of cloud — not checkbox compliance bolted on at the end. Designing CNAPP-aligned architectures with runtime threat detection, MITRE ATT&CK detection engineering, WAF with OWASP rule sets and CIS hardening baked into CI/CD pipelines from day one.
Deployment frequency and MTTR are the metrics that matter. Building GitLab CI pipelines from commit to production with automated performance tests (k6), contract validation (Pact Broker), security scanning and multi-environment promotion — engineered around the four DORA key metrics.
Modern observability is not about more dashboards — it's about SLOs, error budgets and knowing exactly what to page on at 3am. Implementing OpenTelemetry-aligned stacks with Prometheus, Grafana, Thanos and Loki, enriched with Datadog and Dynatrace AI that detects anomalies before users do.
Scaling engineering effectiveness faster than headcount. Growing engineers from mid to staff level, running SAFe PI planning that actually aligns product and platform, and building cultures where on-call is uneventful — because self-healing systems and runbooks handle incidents before humans need to.
Platform Engineering is Team Topologies in practice — reducing cognitive load on stream-aligned teams so product developers focus on business logic, not YAML. Building Internal Developer Platforms with golden paths, self-service pipelines and curated abstractions that make the right thing the easy thing.
Running LLMs in production is a systems engineering problem, not an ML problem. GPU utilisation, inference batching, cost-per-token budgets, RAG pipeline reliability and model performance dashboards — the operational layer that turns a model demo into a production service the business can depend on.
Perimeter security is dead — every workload, user and API call must prove its identity on every request. Implementing NIST 800-207 aligned Zero Trust with Istio mTLS workload identity, OIDC/OAuth2 for human access and microsegmentation that contains blast radius when — not if — something is compromised.
The XZ Utils incident made supply chain security non-negotiable. Securing the full pipeline with image signing via cosign, SBOM generation and attestation, continuous CVE monitoring via Dependency-Track, consumer-driven contract testing with Pact Broker and SLSA-aligned builds that prevent tampered artefacts reaching production.
Technical debt is a financial risk — not an engineering inconvenience — and boards need to see it that way. Bridging architecture decisions and C-suite conversations: build vs buy analysis, 3–5 year technology roadmaps, risk quantification in business terms and investment cases that actually get approved.
Cloud spend without governance is a tax on engineering velocity. Operating at FinOps maturity level Operate — real-time cost allocation by team and workload via Kubecost, spot instance orchestration, right-sizing automation and TCO models that make the case for platform investment in language finance actually understands.
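The supply chain item above names the controls (cosign signing, SBOM attestation, SLSA provenance) but not the gate that makes them enforceable. The manifest below is an added illustration of that gate and is not configuration from this page or its author: a sigstore policy-controller ClusterImagePolicy that refuses any Pod whose image was not signed by the CI signing key and does not carry both a SLSA provenance attestation from the expected builder and a CycloneDX SBOM attestation. The registry path, the GitLab hostname and the secret name are assumptions; the CI side is assumed to run `cosign sign`, `cosign attest --type slsaprovenance --predicate provenance.json` and `cosign attest --type cyclonedx --predicate sbom.cdx.json` against the pushed digest.

```yaml
# Added example, not the page author's configuration.
# Enforced at admission by sigstore policy-controller. Only namespaces labelled
# policy.sigstore.dev/include=true are checked, so label every namespace that
# runs production workloads, not just the ones developers remember.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-signed-attested-platform-images
spec:
  mode: enforce                      # "warn" for the dry-run phase of a rollout
  images:
    - glob: "registry.example.com/platform/**"   # assumption: private registry path
  authorities:
    - name: platform-ci-key
      key:
        # Public half of the CI signing key, stored as a Secret in the
        # policy-controller namespace (key name cosign.pub). Assumed secret name.
        secretRef:
          name: platform-cosign-pub
      ctlog:
        url: https://rekor.sigstore.dev   # signatures must also be in the transparency log
      attestations:
        # 1. Build provenance must exist AND name the trusted builder; a valid
        #    signature on an image that was built somewhere else still fails.
        - name: slsa-provenance
          predicateType: slsaprovenance
          policy:
            type: cue
            data: |
              predicateType: "https://slsa.dev/provenance/v0.2"
              predicate: {
                builder: {
                  id: =~"^https://gitlab\\.example\\.com/"   # assumed GitLab host
                }
              }
        # 2. A CycloneDX SBOM must be attached, so Dependency-Track always has
        #    an inventory for the image that actually runs.
        - name: cyclonedx-sbom
          predicateType: cyclonedx
          policy:
            type: cue
            data: |
              predicateType: "https://cyclonedx.org/bom"
```

Two practitioner caveats. Pin by digest in the Deployment (`image@sha256:...`); the policy verifies the digest the Pod resolves to, and a mutable tag re-pointed after signing is exactly the tampering the control exists to catch. And put `mode: warn` in place first and read the admission warnings for a full release cycle; switching straight to `enforce` on an existing cluster blocks every unsigned sidecar, init container and third-party operator image at the next restart.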
Engineering & Leadership depth
// engineering
// leadership & management
Career
Selected work
Replaced the legacy Nginx ingress layer with kgateway — a modern Envoy-based Gateway API implementation. Improved traffic management, security policy enforcement and operational flexibility at the platform level, aligning the ingress stack with Kubernetes-native Gateway API standards.
Enterprise workflow automation connecting monitoring systems, ticketing platforms, CI/CD pipelines and notification services. Eliminated manual operations across multiple business processes and data pipelines.
Comprehensive query optimization and database performance tuning for non-performing Spring Boot and Java applications. Implemented indexing strategies, query rewriting, connection pooling and database configuration tuning — resulting in significant response time improvements.
Enterprise Kubernetes platform for UNICORN with hybrid cloud + bare-metal. Complete multi-tenant isolation, security overlay and unified management via Unicorn Application Framework.
Enterprise SIEM with custom detection rules aligned to MITRE ATT&CK, active response mechanisms, Falco K8s integration, Docker out-of-band auditing and multi-tenant log segregation.
Complete IaC for INT / Stage / Production EKS with VPC design, subnet segregation, IAM roles, managed node groups and Fargate profiles for optimal cost and performance balance.
Rancher-based multi-cluster management for centralised control of on-premises and cloud clusters. RBAC policies, namespace quotas and network policies for full workload isolation in multi-tenant environments.
Istio deployment for mTLS pod-to-pod communication with cert-manager, CSR auto-signing and automatic certificate rotation for sidecar proxies. Traffic management, observability and security policies across microservices.
Multi-layered monitoring with Prometheus, Grafana, Thanos for long-term metrics and cross-cluster querying, Loki for log aggregation, Dynatrace for APM and Datadog for predictive analytics.
Automated CIS hardening framework with continuous compliance scanning at 6-hour intervals and automated reporting to responsible teams. Remediation tracking dashboards for RHEL, CentOS and Oracle Linux.
Azure tenant design with RBAC policies, resource policies and network segregation. Automation stack including VPN Gateway, hardened VM images with SIEM integration and cost-optimised provisioning via IaC.
Open-source IDS/IPS based on Suricata with Emerging Threats rules for Azure and on-premises public-facing components. Network-level monitoring for Swarm and Kubernetes with SIEM integration and automated threat blocking.
End-to-end GitLab infrastructure including runner configuration across multiple environments, CI/CD pipeline orchestration, user management, repository governance and GitLab API automation for external integrations.
Multi-database architecture with Postgres RDS, DocumentDB and MySQL — serverless managed services with HA, automated backups, point-in-time recovery, encryption at rest/in transit and multi-tenant user management via Terraform.
Multi-tenant MongoDB database-as-a-service with filesystem-level separation for capacity reselling. 3-node replica set with In-Memory storage engine on primary for peak performance, automated backups and monitoring.
Shared vector database service for AI/ML workloads with security segregation, stateful disk encryption, comprehensive monitoring and full RTO/RPO disaster recovery planning for production workloads.
Automated vulnerability scanning using OVAL definitions for RHEL, CentOS and Oracle Linux with NVD database integration. Automated PDF reporting with detailed vulnerability info, remediation guidance and priority scoring.
Private container registry with automated vulnerability scanning, image signing and retention policies. CI/CD integrated pipeline for automated image building, scanning and environment promotion across INT/Stage/Prod.
Multi-layered WAF protection with Azure WAF and Apache mod_security using OWASP Core Rule Set. Custom rule development, false positive tuning and SIEM integration for security event correlation.
Kubernetes environment spanning Azure AKS and bare-metal with unified control plane. Horizontal pod autoscaling, dynamic node adjustment based on performance metrics and Azure Application Gateway with AGIC ingress.
Design, installation and operations handover for NGENA OpenStack VNF environment including Virtual Network Functions orchestration, SDN architecture and network stack design for telecom-grade service delivery.
Kubecost deployment for real-time cost monitoring with granular visibility by namespace/team. KEDA event-driven scaling based on message queue depths, database connections and external API metrics.
HA RabbitMQ clusters for reliable microservice messaging with automatic failover, message persistence and monitoring. Request queuing for traffic spike handling during peak load with consumer performance alerting.
Enterprise password management with OpenID authentication, multi-tenant team/department segregation, last-resort account management, comprehensive backup/restore and RTO/RPO compliance.
Legacy mail infrastructure upgrade to modern standards for 2500+ users. SPF, DKIM and DMARC policy implementation with integrated antivirus/antimalware scanning and domain configuration management.
Full migration of Philips enterprise workloads from legacy bare-metal IBM Power infrastructure to cloud environment. Covered storage re-architecture, network redesign, LPAR decommissioning and operational handover to second-line support with full documentation and knowledge transfer.
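The Zero Trust item under Core expertise and the Istio entry in Selected work describe the same pattern: strict mTLS for workload identity, OIDC for humans, and microsegmentation so a compromised pod cannot reach anything it was not explicitly allowed to. The manifests below are an added illustration of that pattern, not the page author's configuration. Namespaces (`orders`, `checkout`), labels, service accounts and the identity-provider URLs are assumptions. The example also adds the L3/L4 NetworkPolicy backstop that the page mentions separately, because an Istio AuthorizationPolicy only protects traffic that actually passes through the sidecar.

```yaml
# Added example, not the page author's configuration.
# 1. Workload identity: every connection inside the mesh must present a
#    SPIFFE certificate issued by istiod; plaintext is refused. Placing the
#    policy in the root namespace makes it mesh-wide.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny at L7. An AuthorizationPolicy with an empty spec is an
#    ALLOW policy that matches nothing, so any workload it applies to rejects
#    every request unless a more specific ALLOW policy matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec: {}
---
# 3. Human access: the ingress gateway validates OIDC-issued JWTs.
#    Issuer and JWKS URI are assumptions (hypothetical IdP).
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: oidc-users
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
    - issuer: "https://idp.example.com/"
      jwksUri: "https://idp.example.com/.well-known/jwks.json"
      forwardOriginalToken: true
---
# 4. A request without a JWT is not rejected by RequestAuthentication alone;
#    this policy is what makes a valid token mandatory at the edge.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["https://idp.example.com/*"]   # <issuer>/<subject>
---
# 5. Microsegmentation at L7: only the checkout service account (as a SPIFFE
#    principal from its mTLS certificate) may call orders, and only on the
#    listed methods and paths. Everything else stays denied by policy 2.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-checkout
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/checkout/sa/checkout"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/v1/orders", "/api/v1/orders/*"]
---
# 6. L3/L4 backstop enforced by the CNI, independent of the sidecar: deny all
#    ingress into the namespace, then allow checkout pods only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: orders
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checkout-to-orders
  namespace: orders
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: checkout
          podSelector:
            matchLabels:
              app: checkout
```

Roll this out in the order the page's own Istio entry implies: `PERMISSIVE` first, confirm with `istioctl x describe pod` and the mesh telemetry that no legitimate traffic is still plaintext, then switch to `STRICT`; apply the mesh-wide `deny-all` only after every service has its own ALLOW policy, or the first thing it denies will be health checks and the 3am page the Observability item warns about. The NetworkPolicy objects are only enforced if the CNI supports them (Calico, Cilium and the AKS and EKS network-policy add-ons do; the bare EKS VPC CNI does not without the policy engine enabled), so verify with a denied probe rather than assuming.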
Credentials
// certifications
SAFe 6 Certified Architect
PRINCE2 Foundation — Project Management
ITIL Foundations — IT Service Management
Berlitz Business English — Level 5
IBM Certified Advanced Technical Expert — Power Systems AIX v3
IBM Certified Systems Expert — Enterprise Technical Support AIX & Linux v2
IBM Certified Systems Expert — High Availability for AIX
IBM Certified Systems Expert — Virtualization Technical Support AIX & Linux
IBM Certified System Administrator — AIX 7
IBM Certified System Administrator — AIX 6.1
IBM Certified Specialist — System x Technical Fundamentals V11
IBM Certified Specialist — eServer p5 & pSeries Administration
// technical training
// continuing education
Let's work together
I'm open to senior platform architecture, DevOps leadership and GenAI infrastructure roles.
Feel free to reach out directly.
Košice, Slovakia · Remote-friendly