Thoughts, research, and practical experiences from the intersection of cybersecurity, IT audit, GRC, AI, and technology. Written to learn, document, and share.
A 5-minute walkthrough of a probability-of-default project — from risk question to monitored model — built so credit, finance, and audit can all sign off.
Topics
Pick a track to see every article in it — from audit playbooks to clause-by-clause ISO breakdowns.
Latest
12 pieces and counting — fresh field notes, deep dives, and playbooks.
227,845 transactions, 394 frauds, a 0.17% base rate. An end-to-end study from EDA to a calibrated, dollar-aware threshold.
Two of the most consequential Linux vulnerabilities of the modern era hit within four months of each other. What actually happened, why your patching cadence almost certainly missed one of them, and the five-minute defender's checklist to run today.
Forty years of BIA research, three standards, and one uncomfortable finding: most organisations run the activity backwards — collecting RTOs as opinions instead of deriving them from quantified loss curves.
A Monte Carlo simulation of a fictitious Telco shows the architecture was structurally incompatible with the business promise — 71% of scenarios breached the 8h RTO, median ALE USD 442K without treatment.
A working crosswalk between Annex A.8 technological controls and the five NIST CSF functions, plus what auditors actually look for.
The end-to-end workflow of a black-box web app pen test, and what makes a finding survive client pushback.
The Lab
Each one a different angle on risk, controls, and security craft — built and maintained alongside the writing here.
LiveCyber control center — playbooks and live dashboards.
LiveEnterprise risk management workbench and registers.
LabHands-on ISO 27001 / 27002 walkthroughs and mappings.
NotesNotes, essays, and side experiments.