Why this site exists

I built this to show how I think about security.

I’m Rakesh Bhavandlapelli, a Security Engineer at Amazon. My work sits across application security, AI and GenAI governance, third-party security assessments, cloud risk, vulnerability management, and incident response.

The short version: Virginia Tech taught me how real systems fail. AWS taught me what happens when security decisions have to scale. Amazon is where I’m applying that thinking to AI adoption, vendor trust, and builder-safe security.

AI Trust Application Security Third-Party Risk Cloud-Scale VM
3

Three chapters built the lens: live-system security research at Virginia Tech, scale and prioritization at AWS, and AI/vendor/application trust work at Amazon.

Follow the journeyView proof of work
01 / Origin
Virginia TechLive-system security research, offensive and defensive work, IR, secure code review, and protocol-level thinking.
02 / Scale
AWSHost OS vulnerability management, prioritization, ownership mapping, automation, and SLA pressure at cloud scale.
03 / Now
AmazonApplication security, AI and GenAI governance, third-party security, cloud risk, VM, CSPM, and incident response.
04 / Next
OrisanAI trust, sensitive-data boundaries, vendor exposure, and governance workflows.
01 / Virginia Tech

Virginia Tech is where I learned security on live systems.

I spent three years inside Virginia Tech’s IT Security Office. That mattered because the work was not theoretical. The systems were live, the users were real, and the defenders had to make decisions with incomplete signals.

Worked across red team, purple team, incident response, vulnerability management, and secure code review.Studied how attacks move through real authentication flows, browser behavior, API boundaries, and vulnerable code.Learned to treat attacks as paths through assumptions, not isolated checklist items.
02 / AWS

AWS is where vulnerability management became a scale problem.

At AWS, the issue was not a lack of findings. The issue was making the right prioritization call across cloud-scale infrastructure, where one bad assumption can propagate across teams and remediation timelines.

Worked on host operating system vulnerability management across AWS-scale infrastructure.Built data alignment, automation, forecasting, and dashboard workflows to make risk easier to act on.Learned that scalable security looks more like product engineering than manual ticket routing.
03 / Amazon

Amazon is where I work on AI, applications, vendors, and cloud risk together.

Today I’m a Security Engineer at Amazon. The role is broad by design, but the center is clear: help teams move fast without losing control of trust, data, and risk.

Review applications, architecture, and security design before production decisions harden.Evaluate third-party vendors before sensitive data crosses into systems we do not operate.Help define practical AI and GenAI governance patterns so builders can adopt AI safely.
04 / Orisan

Orisan is where I’m turning that thinking into a product direction.

Orisan comes from the same question I’m working on professionally: how can teams adopt AI without losing control of sensitive data? The goal is a trust layer, not another dashboard.

Make data boundaries visible before AI adoption becomes irreversible.Map vendor exposure, retention paths, and governance obligations.Turn AI trust from policy language into an operational workflow teams can actually use.
Virginia Tech / origin
AWS / scale
Amazon / current work
Orisan
AI trust / product direction
05 / What I'm building

Orisan is the problem I work on every day, turned into a product.

I'm building Orisan, an AI trust platform that sits between enterprises and every AI tool their employees use. The problem is one I encounter daily: organizations are adopting AI faster than their security teams can govern it, and the tools to close that gap do not exist yet.

Orisan makes data boundaries visible before AI adoption becomes irreversible. It sanitizes what goes into AI tools, governs which tools are approved, and keeps security teams in control without blocking the productivity that made AI worth deploying.

I'm looking for security leaders who want to be involved early as design partners, advisors, or early users. If that's you, reach out.

Talk to me about Orisan
06 / How I think

Why blocking AI tools doesn't work, and what to do instead.

Every security team I talk to has the same instinct: when employees use an AI tool we haven't approved, block it. It makes sense. The problem is it doesn't work. Blocking creates shadow usage: employees find workarounds, use personal accounts, or switch to mobile. You lose visibility entirely. The data is still leaving. You just can't see it anymore. The answer is not permissive either. It's governance that moves at the speed of adoption. Approve a set of tools with clear data handling requirements. Route usage through a layer that sanitizes sensitive data before it reaches the model. Give security teams the audit trail they need without giving developers a reason to route around the controls. That is what makes AI adoption sustainable, not a policy that employees work around by lunchtime.

07 / Case files

Proof that the story is not just positioning.

These are the failure modes and work patterns that make the background credible.

Case 01

AI adoption without data control loss

SystemAI tools entering internal workflows.
PressureSensitive data moving through prompts, vendors, logs, and retention paths.
WorkReview usage, data flow, vendor behavior, and governance rules.
ProofAI security is a systems problem.
Case 02

Fleet-scale vulnerability prioritization

SystemHost OS risk across cloud infrastructure.
PressureScanner noise, ownership ambiguity, SLA misses.
WorkAutomation, forecasting, dashboards, remediation workflows.
ProofVM is data and product engineering.
Case 03

Third-party trust before data movement

SystemVendors entering business workflows.
PressureCustomer/sensitive data crossing into systems we do not operate.
WorkAssess evidence, architecture, access, encryption, incident maturity.
ProofTrust must be verified at the boundary.
Case 04

Security research in live systems

SystemUniversity infrastructure and web/app protocols.
PressureReal users, real defenders, incomplete signals.
WorkRed team, purple team, IR, code review, protocol analysis.
ProofI understand defense because I learned attack paths.