Cyber security testing and real-world effectiveness

I work on independent cyber security testing, evaluation methodologies and assessing the practical limits of defensive products in real environments.

My focus is on how security controls actually behave under attack, as well as why many testing approaches are misleading. I am also interested in how organisations interpret (and misinterpret) security metrics.

Cyber security is a practical discipline, not a product

Current work

  • SE Labs – independent security testing and research
  • The-C2 – cyber security threat intelligence conference
  • Cyber Security Decoded – podcast on security testing and decision-making