Services


For technology startups and scale-ups

I help growing technology companies bake security into their architecture, development practices, and decision-making before speed turns into technical debt with legal consequences. That means threat modelling that reflects how modern companies actually get compromised, secure-by-default platform choices, and development workflows where security is an enabler rather than a late-stage blocker.

The focus is on building systems that scale safely: clear trust boundaries, sensible identity and access controls, defensible cloud and SaaS architectures, and incident-ready processes that do not rely on heroics at 3 in the morning. As a result, compliance frameworks such as ISO 27001, NIS2 alignment, or customer security questionnaires stop being disruptive side projects and become a side effect of doing engineering properly. Growth stays fast, security stays boring, and audits stop being existential events.

For critical (national) infrastructure operators

Using bespoke OT/ICS simulations, I model credible adversaries and failure chains to expose hidden risks across people, process, and technology.

This controlled “stress-testing” reveals weak assumptions, unsafe dependencies, and brittle recovery paths before attackers or accidents do. The outcome is measurable operational resilience: fewer surprises, clearer decision-making under pressure, and compliance with NIS2 and ISO 22301 as a consequence of systems that are designed to survive disruption.

My approach: intelligence-led resilience

I close the loop between threat intelligence, realistic testing, and system design. I do not just describe risks; I surface them through simulation, validate them through architecture, and eliminate them through durable technical and organisational controls.

In short: I turn real attack knowledge into practical testing and architectures that hold up under pressure. No theory. No theatre. Systems that work when it matters.
