Background

Experience that shapes perspective

Over 30 years in cybersecurity provides something that certifications and frameworks cannot: pattern recognition. The ability to see what works, what does not, and why organizations struggle to move from reactive security to proactive programs.

That experience spans the full spectrum of security work — vulnerability research, penetration testing, security operations, program development, team leadership, and executive advisory. Each phase built on the last, creating a perspective that connects technical reality to organizational strategy.

Perspective

The most valuable security advice does not come from knowing the latest tools. It comes from having seen enough organizations succeed and fail to understand the patterns that separate the two. Technology changes constantly. The organizational dynamics that determine security outcomes are remarkably consistent.

Philosophy

Mentorship and development

Advisory work is teaching work. The goal is not to create dependency on external expertise — it is to develop the knowledge and judgment within your organization to make good security decisions independently.

Every engagement includes a mentorship component. Whether working with a new security hire learning to manage vulnerability programs or coaching an executive on how to evaluate security investments, the focus is always on building your team's capability alongside solving the immediate problem.

Commitment

A good advisor works themselves out of a job. If your organization still needs the same help a year from now, the engagement has not succeeded. The measure of effective advisory work is your team's growing ability to operate independently.

  • Knowledge transfer embedded into every advisory activity
  • Team development plans that grow internal security capability
  • Coaching on decision-making frameworks, not just technical solutions
  • Documentation practices that preserve institutional knowledge

Expertise

Industry and framework experience

Frameworks are tools, not destinations. The value of framework experience is not in rigid compliance but in knowing when to apply which elements and how to adapt them to your organization's specific context.

Security Frameworks

  • NIST Cybersecurity Framework (CSF)
  • CIS Controls
  • ISO 27001/27002
  • NIST 800-53 / 800-171
  • OWASP Testing Guidelines
  • MITRE ATT&CK Framework

Domain Experience

  • Vulnerability management and remediation
  • Penetration testing and red team operations
  • Security operations and incident response
  • Security awareness and workforce development
  • Risk assessment and governance
  • Security program development and maturity

Mindset

The advisory engagement mindset

Good advisory work requires honesty, even when the honest assessment is not what the client wants to hear. Organizations do not benefit from advisors who validate assumptions rather than test them, or who propose solutions before understanding problems.

Our advisory approach is built on a few non-negotiable commitments:

  • We will tell you what we actually think, not what we believe you want to hear. Honest assessment is the foundation of useful advice.
  • We will not recommend solutions we do not believe in. If a vendor or approach is not right for your situation, we will say so.
  • We will prioritize your organization's long-term capability over short-term engagement revenue. The relationship matters more than any single project.
  • We will adapt our approach to your reality. Your organization is not a case study — it has unique constraints, capabilities, and priorities.

Let's discuss your security challenges

The best way to understand if we are a good fit is to talk. No pitch deck, no proposal template — just a conversation about where you are and how we might help.
