Active projects
Regulation, audit and response
Where the rulebook meets the wiring. The European regime (NIS2, DORA, CER and the audit standards behind them), the detection that has to earn its keep, and an incident programme built to report inside the deadline. Compliance read as behaviour observed under load, not documentation filed on time.
Critical infrastructure and OT
The part of the estate that predates the internet and cannot be rebooted at will. A power utility taken apart from the attacker's side, the same ground held from the defender's, and a lab you can actually run. Energy, protocols, safety systems, and the long half-life of equipment installed when the plans were still on paper.
Policy, data protection and systems
The wider garden, where the landscaping decisions get made somewhere else. EU data-protection policy and its national-security holes, an open-data aggregation study built from real public records, the systems reasoning underneath (leverage points, incentives, why sound counsel keeps losing to the status quo), and the craft of the thirteenth chair, where analysis either stays honest or turns into cover. Diagnosis more than checklist.