July 17, 2026
From SOC to GRC Engineering: Part 1
Building Something Bigger Than a Portfolio

By David ONeal
4 min read
Building Something Bigger Than a Portfolio
"Every expert was once the person wondering if they were even on the right path."
For most of my career, I've worked on the operational side of cybersecurity.
I've spent time in a SOC, worked with compliance frameworks like NIST 800–53, managed security projects, and helped deliver security services for customers. Along the way, I learned a lot about security operations and governance.
But over the last few months, I've realized something.
I don't just want to assess security controls anymore.
I want to build them.
That realization led me to AJ Yawn's GRC Engineering Club and started me down a path I honestly didn't know existed a year ago.
Learning by Building
I've always learned best by getting my hands dirty.
Reading documentation has its place, but I remember things a lot better after I've spent hours troubleshooting why something isn't working.
So instead of trying to memorize cloud services and compliance concepts, I started building projects.
Some of them are small.
Some have turned into much bigger projects than I expected.
Every one of them has taught me something.
The first project started with a simple Python application that mapped controls across NIST 800–53, ISO 27001, and SOC 2.
GRC Control Mapper
From there I built a web-based risk register, a compliance evidence collector, and an AI-powered policy generator that runs completely locally.
Looking back now, I realize those weren't just Python projects.
They were the beginning of a GRC engineering toolkit.
GRC Evidence Collector
GRC Policy Generator
Then Things Started Moving Into the Cloud
Once I finished those first projects, it was time to leave my local machine and start working in AWS.
That changed everything.
Instead of working with sample data, I was interacting with real cloud infrastructure using Python, Terraform, boto3, AWS Config, CloudTrail, Security Hub, and Policy as Code.
Some of the things I've worked through so far include:
- Deploying secure infrastructure with Terraform
- Writing Policy as Code using OPA and Rego
- Building GitHub Actions workflows
- Signing compliance evidence with Cosign and Sigstore
- Deploying a NIST 800–53 baseline and collecting Security Hub findings before tearing everything down
The GRC Engineering Club Challenges
Each week's challenge built on the one before it. Looking back, I can see how every lesson laid the foundation for the next one.
Week 1 Challenge
Week 2 Challenge
Week 3 Challenge
Week 4 Challenge
Week 5 Challenge
The Mistakes Were the Best Teachers
If there's one thing this journey has taught me, it's that the mistakes are where the real learning happens.
I've had Terraform deployments fail because resources had to be created in a certain order.
I've written policies that worked perfectly in testing but broke against real infrastructure.
I've spent entire evenings tracking down problems that turned out to be something completely unexpected.
One lesson I'll never forget happened while destroying my Terraform deployment.
Everything looked successful until I realized I had also removed my Security Hub configuration.
That meant rebuilding part of my environment from scratch.
Frustrating?
Absolutely.
Worth it?
Without question.
Those are the lessons that stick with you.
Building Something Beyond the Weekly Challenges
While the weekly challenges have been a huge part of my learning, they've also inspired me to start building projects of my own.
One of those is OracleRecon Shield, a platform designed to help small organizations better understand and manage cybersecurity risk.
It's still growing, but every feature I add teaches me something new about building practical security tools instead of just talking about them.
OracleRecon Shield Demo
https://drive.google.com/file/d/1NVgkUZrEN3_dzNLkJuyTP7sbqvVO3nJx/view?usp=drive_link
OracleRecon Shield is one of the personal projects that grew out of this learning journey.
Why I'm Sharing This
One of the reasons I'm documenting everything is because I know I'm not the only person trying to make this transition.
There are plenty of cybersecurity professionals who understand governance, risk, compliance, or security operations but aren't sure how cloud engineering, automation, DevSecOps, and GRC Engineering all fit together.
I'm figuring that out one project at a time.
I'm documenting what works.
I'm documenting what doesn't.
And I'm documenting the lessons I wish someone had explained before I started.
If something I learn saves another person a few hours — or even a few days — then sharing this journey is worth it.
What's Next
I'm continuing to build my GRC Engineering portfolio with projects focused on cloud compliance, Terraform, AWS Config, Security Hub, automated evidence collection, and AI-assisted governance.
I also plan to keep writing about each weekly GRC Engineering Club challenge in more detail, sharing not just what I built, but what I learned along the way.
This is only Part 1.
There's still a lot more to build, a lot more to learn, and plenty more stories to tell.
Follow the Journey
If you're making a similar transition — or you're just curious about what GRC Engineering looks like in practice — I hope you'll follow along.
Future articles will take a deeper look at each project, each challenge, and the lessons that came with them.
See you in Part 2.