Max Couling

Cybersecurity Consultant delivering risk assessments, governance frameworks and security architecture recommendations for a global FMCG co-operative (NZD $20B+ revenue, 10,000+ employees). Bridges hands-on technical work — SAST/SCA/DAST triage, DNS and domain analysis, vulnerability validation — with enterprise GRC: audit readiness, exception lifecycle management, vendor evaluation. A primary author and point of escalation for high-stakes risk assessments, now moving toward security architecture with a focus on AppSec, Zero Trust and GRC automation.

Contact: max@maxcouling.com · maxcouling.com  |  GitHub · LinkedIn

 Last updated: June 2026

WORK EXPERIENCE

Ernst & Young (EY) | Cybersecurity Consultant — Client Secondment, Cyber Risk & Compliance

Mar 2025 - Present

  • Client commendation: Perfect 10/10 client satisfaction score (ASQ) from Fonterra, alongside a Partner-level commendation for contribution, professionalism and responsiveness.
  • Risk assessment authoring: Authored formal cybersecurity assessments reviewed by the Head of GRC and approved by the CISO — covering SAP vulnerability management, EOL/IAM servers, guest identity lifecycles, F5 BIG-IP patching, domain/DNS security, and LIMS laboratory environments.
  • Identity governance: Led a Microsoft Entra ID guest-account risk assessment; identified a critical control gap across ~57,000 guest accounts and designed RBAC-aligned lifecycle remediation with a pathway to ongoing access reviews.
  • Exception governance overhaul: Identified 9 key deficiencies across process, tooling, ownership and architecture; authored new Exception Guidance with time-bound limits and mandatory escalation to formal risk acceptance when no remediation path exists.
  • Firewall policy & exposure reduction: Managed and triaged ~30 firewall policy exemptions per month across QA/DEV/PROD; independently extracted and analysed the full historical dataset after the incoming CISO flagged volume as systemic, supporting a complete policy rewrite to reduce cross-domain exposure.
  • AppSec operating model: Coordinated assessments triaging 50–1,000+ SAST/DAST/SCA findings per engagement; authored a Key Decision Document presented to the CISO recommending a phased shift from a hand-off-heavy managed service (2–5 week turnaround) to centralised scan execution, and led a multi-vendor AppSec evaluation.
  • GRC automation: Designed and spearheaded a Microsoft Copilot Studio agent that validation-checks exception submissions against governance criteria (time-bound duration, named controls, mitigation availability) before human review.
  • Audits & frameworks: Drove a zero-finding SWIFT CSP audit across 25 mandatory controls (verified through Dec 2026); processed 10+ concurrent NIST 800-53 risk assessments across IT, OT and third-party environments; delivered an RBNZ Cyber Resilience baseline engagement (NIST CSF 2.0) for an insurance client, with a gap assessment, remediation roadmap and C-suite workshops that secured increased security investment.

Ernst & Young (EY) | Intern Cybersecurity Consultant

Nov 2023 - Feb 2024

  • Covered the Technical Business Analyst role for an enterprise SailPoint IdentityNow rollout.
  • Executed UAT, validated least-privilege access controls, and coordinated deployment tracking across 22,000+ identities.

Exzel IT Consulting | Part-Time IT Specialist

Sep 2022 - Jun 2023

  • On-site and remote support for small businesses and education centres: network troubleshooting, hardware repair, system configuration, secure data destruction.

CORE COMPETENCIES

Risk & Governance

  • Cybersecurity Risk Assessment Authoring
  • Exception Lifecycle Governance
  • Audit Closure & Evidence Management
  • Policy & Standards Alignment
  • IRM / ServiceNow Workflows

Technical Security

  • SAST/SCA/DAST Review & Triage
  • DNS / Domain Security Analysis
  • Vulnerability Validation & False-Positive Analysis
  • Pen-Test Remediation Coordination
  • Certificate Expiry & DNSSEC Review

Strategy & Delivery

  • AppSec Operating Model Design
  • Key Decision Documents (KDDs)
  • Vendor Evaluation & Selection
  • Process Automation (Copilot Studio, Power Apps)
  • Stakeholder Engagement (CISO, Leadership, Auditors)

Tools & Platforms

  • ServiceNow (IRM)
  • Microsoft Entra ID
  • SailPoint IdentityNow
  • Burp Suite
  • PowerShell
  • Python
  • Proxmox
  • Cloudflare Zero Trust
  • Tailscale
  • LeanIX
  • Power Apps
  • SharePoint

PROJECTS

Home Security Lab | Build log

  • Proxmox hypervisor (KVM/LXC) on a Dell OptiPlex 7070 hosting services in isolated Linux containers.
  • Raspberry Pi running a Tailscale subnet router and Pi-hole for network-level DNS filtering.
  • Cloudflare Zero Trust tunnels expose public services on a custom domain with no inbound firewall ports — mirroring enterprise patterns.

MisManageMyHealth — OWASP API Security Demo | GitHub

  • Forked and reskinned OWASP Juice Shop into a mock healthcare portal demonstrating Broken Object Level Authorization attack chains (OWASP API1:2023).
  • Built live attack proofs-of-concept in Burp Suite; delivered as a hands-on security awareness session to the EY New Zealand team.

Pete's Rescue Mission — Pixel-art platformer, 100% procedural | Play it here

  • Complete browser platformer in vanilla JavaScript: every sprite, song and sound effect generated by code — zero asset files, zero dependencies.

SurveyHustle — Privacy-focused survey platform | Details

  • Full-stack Flask & PostgreSQL platform with Differential Privacy, self-hosted on a Raspberry Pi behind Cloudflare Tunnels.

EDUCATION & CERTIFICATIONS

University of Auckland | BSc, Computer Science & IT Management

Graduated Nov 2024 | GPA 6.83

  • Top Achiever Scholarship ($20,000)
  • Highest grade in INFOMGMT 399 (top of cohort); Class Representative
  • Certifications: Microsoft Azure Fundamentals (AZ-900) · Azure AI Fundamentals (AI-900) · EY Bronze — Cyber & Solution Architecture
  • In progress: Microsoft Azure Security Engineer Associate (AZ-500)