Resume — Matthew Nebiyou
Matthew Nebiyou
Cybersecurity · Systems · Networking
[email protected]
+1 (301) 357-9958
mnebiyou.com
Profile

Analytically driven professional transitioning into cybersecurity, with a strong foundation in data analysis, scientific research, and self-directed technical learning. Built and operate a personal homelab running Fedora Server, Docker, and a Tailscale mesh network — hosting a Wazuh SIEM, penetration testing lab, and multiple self-hosted services. Conducted an authorized penetration test on a live small business network, identified critical vulnerabilities including default-credential camera access, and personally designed and built the remediated network infrastructure using OPNsense, managed switching, and VLAN segmentation. Pursuing CompTIA Security+. Comfortable working across offensive and defensive security domains, Linux administration, and network engineering.

Technical Skills
Security & offensive
Penetration testing · Nmap · Burp Suite · SQLmap · Metasploit · Nikto · OWASP Top 10
Defensive & monitoring
Wazuh SIEM · HIDS · Vulnerability management · Log analysis · CVE triage · Fail2ban
Networking
OPNsense · VLANs · Firewall rules · Tailscale / WireGuard · Zero-trust networking · Network segmentation · Managed switching
Systems & infrastructure
Linux (Fedora Server) · SELinux · Docker / Compose · LUKS encryption · RAID storage · firewalld · systemd · SSH hardening
Data & analysis
Data analysis · Excel (advanced) · Bioinformatics · Research methodology · Technical writing · Stakeholder reporting
Homelab Projects & Security Research
Authorized Network Penetration Test & Full Remediation — Small Business
Real-world engagement
Stack: Nmap · OPNsense · Managed switch · VLANs · WPA2 · Lorex IP cameras
  • Conducted an authorized penetration test on a live coffee shop network; identified a flat, unsegmented topology exposing security cameras, POS terminals, and staff devices to any guest WiFi user
  • Gained full administrative access to three Lorex IP security cameras via default credentials left unchanged since installation — demonstrated access to live feeds and camera controls from the guest network
  • Produced a structured findings report with severity ratings and plain-language risk descriptions for non-technical business owners; immediately changed default credentials on all affected devices during the engagement
  • Designed and physically built a replacement network from scratch: OPNsense firewall on a repurposed Dell Optiplex, managed switch with VLAN tagging, three isolated VLANs (guest, staff, IoT/cameras), and separate SSIDs per segment
  • Wrote explicit inter-VLAN firewall rules enforcing a default-deny policy — guest devices have internet-only access; cameras are fully isolated from all other segments
Wazuh SIEM Deployment — Security Monitoring & Vulnerability Detection
Defensive security
Stack: Wazuh · Docker Compose · OpenSearch · Fedora Server · Tailscale
  • Deployed the full Wazuh SIEM stack (manager, indexer, dashboard) via Docker Compose on a self-hosted Fedora Server; installed and configured a Wazuh agent directly on the host OS for real-time system monitoring
  • Vulnerability scanner flagged real CVEs in installed packages including a high-severity finding in pyasn1 — a transitive dependency not explicitly installed; verified against the NVD and removed affected packages from the live system
  • Used the Wazuh Dashboard (OpenSearch-backed) for alert triage, vulnerability prioritisation, and log analysis across system and application event sources
  • Demonstrated the value of automated scanning for supply chain / transitive dependency risks that are invisible to manual review
Self-Built Home Server — Fedora Server, Tailscale Mesh & Host Hardening
Infrastructure
Stack: Fedora Server · SELinux · Tailscale · LUKS · RAID 1 · firewalld · Docker
  • Built and maintain a headless Fedora Server on a self-assembled AMD FX-8320 desktop; configured all services, networking, storage, and security from scratch with no GUI
  • Implemented full-disk LUKS encryption on the boot drive and a software RAID 1 array for Nextcloud data storage — addressing data-at-rest and hardware-fault-tolerance threat models independently
  • Deployed a Tailscale zero-trust mesh network with MagicDNS for hostname-based routing and Tailscale Funnel for HTTPS exposure of select services — zero open ports on the router
  • Maintained SELinux in enforcing mode, configured firewalld with a default-deny policy, disabled SSH password authentication, and restricted SSH access to the Tailscale network only
Self-Hosted Penetration Testing Lab — Docker-Isolated Vulnerable Environments
Offensive security
Stack: Docker · DVWA · OWASP Juice Shop · WebGoat · bWAPP · Nmap · Nikto · SQLmap · Burp Suite · Metasploit
  • Built and operate a four-container penetration testing lab on an isolated Docker bridge network with no internet egress — targets accessible exclusively over the private Tailscale network
  • Practised structured attack methodology across OWASP Top 10 vulnerability classes including SQL injection, XSS, command injection, file inclusion, and broken authentication across DVWA, Juice Shop, WebGoat, and bWAPP
  • Executed reconnaissance-to-exploitation chains using Nmap for port scanning, Nikto for web vulnerability scanning, and SQLmap for automated injection exploitation — with full database credential extraction
  • Designed the network isolation architecture to model a realistic engagement: attacker machine connects over Tailscale, containers have no route to the internet or main LAN, preventing unintended lateral movement
Self-Hosted Cloud Platform & Local AI — Nextcloud + Ollama
Systems / Docker
Stack: Nextcloud · MariaDB · Ollama · Open WebUI · Docker Compose · Tailscale Funnel
  • Deployed Nextcloud with a MariaDB backend via Docker Compose, replacing Google Drive, Photos, Calendar, and Slack with fully self-hosted equivalents storing all data on a local RAID array
  • Exposed Nextcloud securely to the internet using Tailscale Funnel for automatic TLS termination — no manual certificate management and no open router ports required
  • Deployed Ollama + Open WebUI for fully local LLM inference using Meta’s Llama models — all queries processed on local hardware with zero data sent to external APIs, enabling privacy-safe AI assistance for coding and research
  • Managed multi-container orchestration with Docker Compose including named volumes, internal networks, environment variable injection, and container dependency ordering
Work Experience
Data Analyst
DC Health
2023 – Present
  • Managed the integration of new technologies across Divisions to complement and enhance mission-critical workflows
  • Led periodic reviews of the Bureau’s population health portfolio and collated important data-related updates to be included in timely reports for senior CHA leadership
  • Collaborated with stakeholders across bureaus in multiple forums (CoP, DAWG, C_DAWG) to establish new (and improve existing) rules of practice and procedure as they pertain to data collection, management, maintenance, and analysis across CHA
  • Conducted the Data and IT Updates portion of monthly Bureau meetings and provided TA to program staff to build capacity
Post-baccalaureate Fellow
National Institutes of Health (NIH)
2020 – 2023
  • Conducted novel in vitro experiments using induced pluripotent stem cells (iPSCs) to investigate the molecular mechanisms underlying neurodegeneration as it pertains to ALS, Alzheimer’s Disease and Parkinson’s Disease.
  • Automated unstructured data analysis pipelines using FIJI for both routine and specialized analysis, saving both time and energy from lengthy and tedious analysis.
  • Analyzed structured in vitro experimental data using Microsoft Excel and GraphPad Prism for inclusion in multiple publications on neurodegeneration development.
  • Utilized RStudio to transform and visualize data, gleaning new insights that were either previously unknown or corroborated established information, thus leading to further knowledge gain.
Education & Certifications
Bachelor of Science — Biochemistry, Molecular Biology & Bioinformatics
Towson University
summa cum laude
Bioinformatics specialisation — computational analysis, biological data pipelines
2019
CompTIA Security+
CompTIA
In progress — actively studying
Expected 2026

Full project documentation, architecture diagrams, screenshots, and write-ups for all projects above are available at mnebyou.com/projects