Paulo Martins

Principal AI Security Engineer @ GitLab

Zug, Zug, Switzerland

About

Principal Security Engineer focused on agentic/LLM security and platform security for a large SaaS environment. I work on high-priority security problems and help turn them into changes teams can actually make. A big part of my role is bridging leadership and ICs, and turning broad risk into architecture guidance, guardrails, and concrete requirements. My current focus is agentic security: tool use, workflow and permission boundaries, prompt-injection risks, and evaluation approaches that hold up in production. My background is in infrastructure security at scale across cloud, Kubernetes, and infrastructure-as-code: standards and automation, visibility, vulnerability and exposure management, audit signals for SIEM, and compliance work including FedRAMP. I have also done substantial work on application-layer authn/z, and still do where it intersects with agentic and platform work.

Experience

  • GitLab (Remote)
    • Principal AI Security Engineer
      Jan 2026 - Present · 7 mos

      I secure agentic/LLM capabilities and the platform they run on for GitLab’s SaaS. My work is to turn emerging AI risk into security direction, guardrails, and concrete changes teams can implement. Work I lead or drive includes:
      - Defining the security vision and standards for GitLab Duo Agent Platform, and helping teams implement them
      - Defining security approaches and controls for agent workflows, tool use, permission boundaries, prompt-injection risks, and evaluation methods that work in production
      - Continuing to work on infrastructure and application-layer authn/z where it intersects with platform and agent workflows

    • Principal Security Engineer
      Jan 2025 - Dec 2025 · 1 yr

      I worked on platform areas that needed security direction, clear requirements, and coordination across teams. My role was to turn product and platform needs into security architecture and requirements that engineering teams could act on. Work I led or drove includes:
      - Working on application-layer authn/z and related platform security architecture
      - Connecting security risks and incidents from the past decade to gaps in GitLab’s authn/z model, and turning that into a clearer security vision and concrete requirements
      - Defining requirements for more granular permissions for personal access tokens and helping shape GitLab Gate, a broader redesign of GitLab’s authn/z architecture
      - Continuing some infrastructure and cloud security work, especially around the Wiz rollout and GitLab Cells
      - Starting work on Duo Agent Platform security in late 2025, before formally moving into the AI security role

    • Staff Infrastructure Security Engineer
      May 2021 - Jan 2025 · 3 yrs 9 mos

      I joined GitLab to build the Infrastructure Security function and partner closely with both Infrastructure and other Security functions. My focus was scaling security across cloud and Kubernetes: making the secure path the easy path through standards, automation, and visibility. Work I led or drove includes:
      - Defining the initial security vision and standards for GitLab Dedicated, GitLab’s single-tenant managed offering
      - Helping bootstrap early environments that became the Public Sector offering, including FedRAMP-related needs
      - Security standards for infrastructure development: policy and automation around scanning and guardrails
      - Endpoint security and detection, including Wiz
      - Improving visibility, ownership, vulnerability and exposure management, and cloud security baselines across environments
      - Getting audit signals and logs reliably into the SIEM for detection, investigation, and compliance needs, including FedRAMP
      - Helping scale GitLab’s broader security and infrastructure capability by defining the need for adjacent teams, partnering across management and leadership, supporting recruiting and team formation, and helping establish early ownership boundaries and direction for Security Logging, Data Security, and Public Sector infrastructure

      I also reviewed and influenced infrastructure changes end-to-end, from design docs to Terraform and Kubernetes specs, helping teams ship faster with safer defaults.

  • Codacy (Full-time · 3 yrs 5 mos)
    • Head of Platform & QA
      Mar 2019 - May 2021 · 2 yrs 3 mos

      I oversaw the QA & Reliability teams, responsible for ensuring quality, scalability, and security, automating engineering processes, breaking down knowledge silos, and building/maintaining tools. Some of the main projects happening during my tenure were:
      - Move infrastructure from Elastic Beanstalk (in Docker) to Kubernetes:
        - Design the Kubernetes architecture to deliver the same architecture for cloud (SaaS) and self-hosted
        - Create the first version of https://docs.codacy.com/ to guide customers on deploying and managing their own Codacy installation
        - Define the set of tools and standards
        - Create and maintain different Kubernetes clusters to be used for development platforms and production environments
        - Create an entirely new logging pipeline in Kubernetes (Fluentd, Elasticsearch and Kibana)
        - Create an entirely new monitoring architecture (Grafana, Prometheus, Thanos, S3)
      - Set up Selenium tests during the continuous delivery process to test the integration between different components and assure the quality of critical paths
      - Own security processes:
        - Manage a small bug bounty program on HackerOne
        - Answer security forms together with solution architects
        - Bring up relevant security issues and implement or assure the implementation of mitigations

      Public projects:
      - HelmSSM: https://github.com/codacy/helm-ssm
      - Codacy Helm Chart: https://github.com/codacy/chart
      - git-version: https://github.com/codacy/git-version

      Technologies: AWS EKS, DigitalOcean, Kubernetes, Helm, Fluentd, Elasticsearch, Kibana, Grafana, Prometheus, Thanos

    • Lead DevOps Engineer
      Jan 2018 - Mar 2019 · 1 yr 3 mos

      Started the DevOps department and was responsible for:
      - Designing the architecture and setting up the AWS account segregation using Organizations
      - Implementing SAML login to AWS across the entire company
      - Defining a new network architecture
      - Educating teams on how to use CloudFormation templates (giving presentations, creating examples, contributing to components repositories, tweaking components to be “cloud ready”)
      - Moving the entire infrastructure to infrastructure-as-code (IaC)
      - Moving from TeamCity to CircleCI
      - Building a DevOps culture within the company (you build it, you run it)
      - Educating the Engineering Team on DevOps methodologies
      - Creating an internal handbook to centralize internal knowledge
      - Organizing the “Lunch and Learn” internal ceremony, which promotes knowledge sharing across the company on a weekly basis

      Technologies: AWS (CloudFormation, VPC, EC2, Elastic Beanstalk, Organizations, SAML, RDS, DynamoDB, Lambda), Docker, Python, Go, Scala, JVM ecosystem

  • Cloud Automation Developer at OutSystems
    Jul 2016 - Jan 2018 · 1 yr 7 mos

    As a member of the Cloud Automation team, I worked on solutions that improve the experience of the customers that use OutSystems' PaaS offer. I contributed directly to the following projects:
    - Creating a distributed and highly available monitoring ecosystem
    - Automating time-consuming operations that are part of the PaaS offer
    - Maintaining and extending a communications management tool

    Technologies: Python, Amazon Web Services (IAM, EC2, RDS, Lambda, Step Functions, DynamoDB, Elasticsearch and Kibana, Chef and OpsWorks), Serverless (the framework), Zabbix, OutSystems

  • Business Applications Developer at Hewlett Packard Enterprise
    Sep 2014 - Jun 2016 · 1 yr 10 mos

    As part of the Communications & Media Solutions team of Hewlett Packard Enterprise (HPE) in Portugal, I worked on different projects using HPE's business solutions for communication service providers. The most relevant:
    - An end-to-end orchestration solution for a brand new FTTH network (analysis, design, implementation, tests, documentation, and deployment)
    - Orchestration and inventory of VoIP products

    I became more proficient in several technologies, such as: Linux (mostly Red Hat), Java, JBoss/WildFly, SSL, web services (SOAP/REST), TL1, FTTH architecture, Oracle databases, JSPs and HTML

  • Freelancer - Web Developer and Systems Administrator at Freelance
    Aug 2008 - Jan 2016 · 7 yrs 6 mos

    While getting my university degree, I worked with many small businesses on developing their IT systems and web presence.

    Web development:
    - Create and maintain landing pages and web platforms for different customers
    - HTML, JavaScript, CSS (Bootstrap or template based mostly)
    - Main platforms: WordPress, Magento, PrestaShop
    - Provide training/education on platform usage

    Systems administration:
    - File server administration (FTP)
    - Maintain different LAMP (Linux, Apache, MySQL, PHP/Perl/Python) based websites