Notes from the field.
Field reports, advisories, and the occasional unsolicited opinion on offensive security, AI, and the bits of GRC that actually matter.
- // ai-security 2026-03-22 · 6 min
  Prompt injection is not a bug. It's the architecture.
  Most LLM products treat prompt injection as a vulnerability to be patched. It isn't. It's the natural consequence of the architecture, and the only durable fix is to stop pretending instructions and data can share a context.
- // grc 2026-03-04 · 7 min
  ISO 27001 without the theatre
  Most ISO 27001 implementations fail engineering culture before they fail the audit. They produce binders nobody reads, controls nobody respects, and a certification that doesn't make the company any safer. The 2022 revision is your chance to stop doing that.
- // telecom 2026-02-18 · 8 min
  Anatomy of a SIM-swap: how fraud crews actually do it
  After running adversary emulations against carriers, the SIM-swap kill chain is depressingly consistent. It almost never starts with the technical attack everyone braces for. Here's what actually happens, and the controls that stop it.
- // ai-security 2026-02-02 · 9 min
  Securing RAG pipelines: the threat model nobody draws
  RAG turns every document in your knowledge base into a potential instruction set for your agent. Most teams don't draw the threat model that follows from that. Here's the one I use.
- // ai-security 2026-01-21 · 7 min
  AI red team field notes: patterns we keep finding
  Across a year of LLM and agent red team engagements, the same five vulnerability classes keep showing up. None of them are bugs in the model. All of them are architectural choices that could have been made differently.
- // consulting 2026-01-08 · 5 min
  Fractional CISO vs in-house: when to hire vs retain
  Founders ask me this question constantly. The answer depends less on company stage than on what the role actually has to do this quarter — and it's usually different from what you think.
- // cloud 2025-12-15 · 8 min
  Cloud IAM privilege escalation: the patterns that keep working
  AWS, GCP, and Azure all have rich permission models. Every one of them has a half-dozen escalation paths that work depressingly often. Here are the ones I check first on every cloud pentest.