Max Couling
Cybersecurity Consultant delivering risk assessments, governance frameworks and security architecture recommendations for a global FMCG co-operative (NZD $20B+ revenue, 10,000+ employees). Bridges hands-on technical work — SAST/SCA/DAST triage, DNS and domain analysis, vulnerability validation — with enterprise GRC: audit readiness, exception lifecycle management, vendor evaluation. A primary author and point of escalation for high-stakes risk assessments, now moving toward security architecture with a focus on AppSec, Zero Trust and GRC automation.
Contact: max@maxcouling.com · maxcouling.com | GitHub · LinkedIn
Last updated: June 2026
WORK EXPERIENCE
Ernst & Young (EY) | Cybersecurity Consultant — Client Secondment, Cyber Risk & Compliance
- Client commendation: Perfect 10/10 client satisfaction score (ASQ) from Fonterra, alongside a Partner-level commendation for contribution, professionalism and responsiveness.
- Risk assessment authoring: Authored formal cybersecurity assessments reviewed by the Head of GRC and approved by the CISO — covering SAP vulnerability management, EOL/IAM servers, guest identity lifecycles, F5 BIG-IP patching, domain/DNS security, and LIMS laboratory environments.
- Identity governance: Led a Microsoft Entra ID guest-account risk assessment; identified a critical control gap across ~57,000 guest accounts and designed RBAC-aligned lifecycle remediation with a pathway to ongoing access reviews.
- Exception governance overhaul: Identified 9 key deficiencies across process, tooling, ownership and architecture; authored new Exception Guidance with time-bound limits and mandatory escalation to formal risk acceptance when no remediation path exists.
- Firewall policy & exposure reduction: Managed and triaged ~30 firewall policy exemptions per month across QA/DEV/PROD; independently extracted and analysed the full historical dataset after the incoming CISO flagged volume as systemic, supporting a complete policy rewrite to reduce cross-domain exposure.
- AppSec operating model: Coordinated assessments triaging 50–1,000+ SAST/DAST/SCA findings per engagement; authored a Key Decision Document presented to the CISO recommending a phased shift from a hand-off-heavy managed service (2–5 week turnaround) to centralised scan execution, and led a multi-vendor AppSec evaluation.
- GRC automation: Designed and spearheaded a Microsoft Copilot Studio agent that validation-checks exception submissions against governance criteria (time-bound duration, named controls, mitigation availability) before human review.
- Audits & frameworks: Drove a zero-finding SWIFT CSP audit across 25 mandatory controls (verified through Dec 2026); processed 10+ concurrent NIST 800-53 risk assessments across IT, OT and third-party environments; delivered an RBNZ Cyber Resilience baseline engagement (NIST CSF 2.0) for an insurance client, with a gap assessment, remediation roadmap and C-suite workshops that secured increased security investment.
Ernst & Young (EY) | Intern Cybersecurity Consultant
- Covered the Technical Business Analyst role for an enterprise SailPoint IdentityNow rollout.
- Executed UAT, validated least-privilege access controls, and coordinated deployment tracking across 22,000+ identities.
Exzel IT Consulting | Part-Time IT Specialist
- On-site and remote support for small businesses and education centres: network troubleshooting, hardware repair, system configuration, secure data destruction.
CORE COMPETENCIES
Risk & Governance
- Cybersecurity Risk Assessment Authoring
- Exception Lifecycle Governance
- Audit Closure & Evidence Management
- Policy & Standards Alignment
- IRM / ServiceNow Workflows
Technical Security
- SAST/SCA/DAST Review & Triage
- DNS / Domain Security Analysis
- Vulnerability Validation & False-Positive Analysis
- Pen-Test Remediation Coordination
- Certificate Expiry & DNSSEC Review
Strategy & Delivery
- AppSec Operating Model Design
- Key Decision Documents (KDDs)
- Vendor Evaluation & Selection
- Process Automation (Copilot Studio, Power Apps)
- Stakeholder Engagement (CISO, Leadership, Auditors)
Tools & Platforms
- ServiceNow (IRM)
- Microsoft Entra ID
- SailPoint IdentityNow
- Burp Suite
- PowerShell
- Python
- Proxmox
- Cloudflare Zero Trust
- Tailscale
- LeanIX
- Power Apps
- SharePoint
PROJECTS
Home Security Lab | Build log
- Proxmox hypervisor (KVM/LXC) on a Dell OptiPlex 7070 hosting services in isolated Linux containers.
- Raspberry Pi running a Tailscale subnet router and Pi-hole for network-level DNS filtering.
- Cloudflare Zero Trust tunnels expose public services on a custom domain with no inbound firewall ports — mirroring enterprise patterns.
MisManageMyHealth — OWASP API Security Demo | GitHub
- Forked and reskinned OWASP Juice Shop into a mock healthcare portal demonstrating Broken Object Level Authorization attack chains (OWASP API1:2023).
- Built live attack proofs-of-concept in Burp Suite; delivered as a hands-on security awareness session to the EY New Zealand team.
Pete's Rescue Mission — Pixel-art platformer, 100% procedural | Play it here
- Complete browser platformer in vanilla JavaScript: every sprite, song and sound effect generated by code — zero asset files, zero dependencies.
SurveyHustle — Privacy-focused survey platform | Details
- Full-stack Flask & PostgreSQL platform with Differential Privacy, self-hosted on a Raspberry Pi behind Cloudflare Tunnels.
EDUCATION & CERTIFICATIONS
University of Auckland | BSc, Computer Science & IT Management
- Top Achiever Scholarship ($20,000)
- Highest grade in INFOMGMT 399 (top of cohort); Class Representative
- Certifications: Microsoft Azure Fundamentals (AZ-900) · Azure AI Fundamentals (AI-900) · EY Bronze — Cyber & Solution Architecture
- In progress: Microsoft Azure Security Engineer Associate (AZ-500)