SEBASTIAO "SEB"
FRESCO

Diagnosed and resolved network-edge outages across multiple sites — straight to the interface logs, routing tables, and switch telemetry. Rebuilt enterprise VM connectivity in 30 minutes during a live production incident. Hardened security posture through firewall ACL management, least-privilege enforcement, and vulnerability correlation.

Maintained IT infrastructure for the 233rd Space Group — the Air Force's only strategic survivable mobile ground system, used to receive early-warning data. Refreshed the SIPR server stack with a three-person team: site survey, relocation, fiber and Ethernet reconfig, Visio documentation. Helped deploy Cisco VoIP to 150+ users on base inside a 15-member integration team, tuning QoS and preserving legacy system compatibility. Drill status concurrent with civilian infrastructure roles.

Supported DISA CESO systems inside a Special Access Program IT environment serving executive leaders and mission partners across DoD and the Intel community. Administered Windows Server, VMware, and AWS workloads at classification. Automated inactive-user disablement and OU relocation, reducing manual workload by 25%.

Tier 2 operational support for CCS-C — command and control for the WGS and AEHF satellite constellations at Schriever and Vandenberg SFB. Backups and restores, VM provisioning, OS patches and COTS updates, mission software installs, storage allocation. Alongside the Kratos Defense engineering team in the escalation path.

Administered USAFE private cloud: 49,000 users, 1,300 virtual servers, 39 storage arrays, 121 ESXi hosts, 98.7% uptime. Fortified an overseas NSA intelligence site in direct support of Ukrainian crisis response operations. Resolved a SAN latency fault that cut mission response time by six hours. Maintained C2 capabilities for a deployed bomber task force supporting NATO Russian deterrence along the eastern flank. Not a simulation.

Multi-stage build. Non-root runtime. Scanned in the registry. Containerized a Flask + Redis stack with a builder/production Dockerfile, custom bridge network for service discovery, and an ECR repository managed by a reusable Terraform module — scan-on-push, encryption at rest, lifecycle policy. ~130 MB image. Verified layer caching, port conflicts, network isolation, HEALTHCHECK, and CVE scan output before the first push.

19 AWS resources. One command. Under five minutes from an empty account. Rebuilt a multi-AZ web tier — ALB, ASG, CloudWatch alarms, SNS — entirely in Terraform with reusable VPC and security group modules. Non-overlapping CIDRs. Dev and prod off the same codebase with one variable file swap. No Console clicks. No drift.

A private AI assistant running on his own hardware — Mac mini M4, not somebody else's SaaS. Tailscale mesh for remote access, loopback-only gateway for local isolation, file-level credential separation across every integration. Cron-scheduled agents drive daily briefings, weekly reviews, and system health heartbeats with conditional escalation and multi-channel delivery (iMessage, webchat). OAuth2 Gmail and Google Calendar pipelines feed context-aware morning triage. Your own stack. Not a subscription.

Three-bucket tiered S3 architecture for a 10 TB environment. 25% annual cost reduction — $695/yr at current scale, $70K/yr at 1 PB. SSE-KMS encryption, Object Lock in Compliance mode, 7-year retention. NIST 800-53 controls mapped: SC-28, AC-3, SI-12, AU-2, AU-11.

Multi-AZ EC2 web tier behind an Application Load Balancer and Auto Scaling Group. Killed instances on purpose to validate self-healing. Tuned ALB target group health checks to distinguish instance health from application health — traffic never lands on a sick process. Documented the recovery curve and the cost of the extra nines.