Services

Most of my work sits where the technical and human layers of a system meet, for organisations running critical or regulated infrastructure that has to stay standing under pressure: an audit, an incident, a change the organisation is quietly resisting. The tooling is rarely the hard part. Whether the controls survive contact with real conditions, and the people operating them, is.

Critical infrastructure and OT

On an ICS or OT estate you cannot test the way you would test IT: a live scan can trip a safety system, and nothing here reboots to order. So I threat-model and review the architecture, and where an attack has to be proven I stand it up in a simulator that mirrors the estate closely enough to be causally honest. The ics-access-simlab is one such build: the disaster on demand, the lights left on.

Assurance, audit and incident response

A NIS2, DORA, CER or ISO audit measures what you can show, not whether the controls stand up on a bad day. I work the half it misses: controls that survive operational pressure and not just an assessor, incident-response programmes built and then exercised, resilience and continuity that hold when conditions turn awkward. Compliance follows real security; it rarely leads it.

Advisory on the hard decisions

The hard security calls are the ones where the trade-offs are real and the technically correct answer is not the one you can implement. I work those with the people who have to make them: framing the options so the middle one does not win by default, calibrating how much confidence the evidence actually carries, and stress-testing the decision before it lands. And when one goes wrong, the retrospective looks at the organisation, not just the timeline.

How I work

Where it helps, I build simulations and run exercises: realistic environments where a team can make decisions that fail, watch what breaks, and understand why, with nothing real at stake. The debrief is where the value accumulates; a simulation without one stays in the room. The method is the same in any setting: I set up the environment, pose the problem, step back, and ask the questions that help people see what they are learning rather than being told the answer.

Whether that is an engagement or a role is open. The work is the same either way.

See the work behind this