Security & Governance

FILE:
Security & Governance
STATUS:
Active engagements; accepting new
CAPABILITIES:
Virtual CISO · Security Architecture · Audit Prep · Compliance Programs · Risk & Governance Frameworks
FRAMEWORKS:
NIST CSF · ISO 27001 · SOC 2 · HIPAA · PCI DSS · CMMC · FedRAMP · GDPR · PIPL
TYPICAL ENGAGEMENT:
Retained or fractional; 90-day stand-up or rolling

Advice is easy. Anybody can hand you a slide deck. Sometimes the answer is coaching and knowledge, so you come out of the engagement sharper than you went in and the problem stays fixed because you actually understand it. Other times the answer is a product or platform that just automates the whole thing for you. I do both. Most of what's below started the same way: I ran into something broken, or stupid, or missing, and figured I could do better. Some of it protects elections and runs compliance for the people who answer to the board. Some of it just sounded fun at 2 a.m. All of it is mine, built start to finish, and it's the reason I can tell a client "yeah, that's possible", because I've usually already built the thing that does it.

REDACTED

The compliance platform with a name I can't show you yet.

  • Built for the people who sign, not the people at the keyboard. When the board, a regulator, or a cyber-insurance carrier asks "are we compliant, who's accountable, can you prove it," this answers in one click instead of a two-week fire drill.
  • Sits above the security stack you already own and turns technical noise into the handful of grades, named owners, and dollar figures a boardroom actually wants.
  • Watches real telemetry continuously, so what you see is true right now, not what was true the last time someone scrambled to reconstruct it.
  • Keeps a defensible record, so "prove it" is a click, not a panic.
Details under NDA

EDGAR

You can't secure what you can't see. EDGAR sees all of it.

  • Agentless. Discovers the endpoints actually on your network, including the ones nobody put in the inventory, without installing software on every machine.
  • Authenticates to each endpoint and pulls real configuration data, so you're working from what's actually there, not the spreadsheet somebody swears is current.
  • Finds the forgotten box, the stray service, the thing a contractor stood up two years ago and never tore down.
  • Feeds the rest of the picture: the discovery-and-configuration layer everything else builds on.

CGAP

Governance maturity, measured from real evidence instead of a slide deck.

  • Pulls from the security telemetry you already generate (scanners, SIEM, and the rest) to compute compliance status from real evidence instead of self-assessment questionnaires that drift toward whatever the org wants to show its board.
  • Maps your posture against four current-revision frameworks at once: NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, PCI DSS v4.
  • Cross-framework crosswalk: one piece of evidence, cited across every framework that asks for it. No double entry, no auditor confusion.
  • Single executive-facing score with full drill-down to control-level evidence, and every score is a timestamped, reproducible snapshot, so "what did we look like last quarter" is one click away.

SourceIQ

Disinformation got cheap. SourceIQ tells you what you're actually looking at.

  • Ingests the real vectors of a modern influence campaign, the memes, the posts, the shared links, the screenshot making the rounds, not the sanitized press-release version.
  • Traces content back toward its origin, so a "grassroots" story that started in one coordinated place stops looking grassroots.
  • Reads the pattern, timing, coordination, amplification, and tells you whether a thing is organic or manufactured, and who's working the levers.
  • Built for the people whose job is to answer "wait, is this real" before it matters, not after.

Recon

The people who know your attack surface best are the ones trying to get in. Recon levels the field.

  • Maps your real external footprint the way an adversary does, from the outside, no inside knowledge, no credentials, no cooperation from the target.
  • Finds the exposed technical surface that isn't in anyone's inventory, the forgotten subdomain, the stray service, the thing nobody remembers standing up.
  • Runs the same OSINT an attacker runs on your leadership: who your executives are, what's public, who makes the obvious phishing target, how much of the org chart rebuilds from the outside.
  • Hands back what's exposed, why it matters, and what to do about it, while you can still do something about it.

// THE SERIOUS STUFF

An executive compliance platform

Every security tool on the market is built for the people at the keyboard. This one is built for the people who sign. When the board, a regulator, or your cyber-insurance carrier asks "are we compliant, who's accountable, and can you prove it," the honest answer is usually a two-week fire drill of screenshots and panic. This is not another analyst dashboard fighting for room on your SOC's wall. It sits above the stack you already own and turns the firehose of technical noise into the handful of grades, named owners, and dollar figures the boardroom actually wants, with a defensible record so "prove it" takes one click instead of one fire drill.

Always current. Your compliance posture goes stale the second you measure it. This watches your real telemetry continuously, so what you see is what's true right now, not what was true the last time someone scrambled to reconstruct it.

Built on what's actually there. You can't secure, score, or defend what you can't see. It finds and evaluates the real assets on your network, so the whole picture is built on reality instead of the spreadsheet somebody swears is up to date.

SourceIQ

Disinformation got cheap, fast, and good. A convincing lie now costs almost nothing to manufacture and almost nothing to spread, and by the time anyone asks "wait, is this real," it's already done the damage. SourceIQ is built for the people whose job is to answer that question before it matters, not after. It takes the raw material of a modern influence campaign, the memes, the posts, the links, the story that's suddenly everywhere, and tells you what it's actually made of.

The stuff that actually moves. Not press releases, the real vectors: memes, social posts, shared links, the screenshot making the rounds, the narrative three different accounts started pushing on the same afternoon. SourceIQ ingests what people actually see and share, not the sanitized version.

Where it really came from. Provenance, not vibes. SourceIQ traces a piece of content back toward its origin instead of taking the label on the front at face value, so a "grassroots" story that started in one coordinated place stops looking grassroots.

Organic, or manufactured. There's a difference between a thing people are genuinely saying and a thing built to look that way. SourceIQ reads the pattern, the timing, the coordination, the amplification, and tells you which one you're staring at, and who's working the levers.

Recon

Before you can defend the perimeter, you have to know where the perimeter actually is, and right now the people who know that best are the ones trying to get in. Attackers map your whole attack surface for a living, the technical one and the human one. Most organizations have never done it once. Recon closes that gap: it looks at you the way an adversary does, from the outside, with no inside knowledge, and hands you the picture while you can still do something about it.

Your real footprint, not your assumed one. The assets you forgot you had are the ones that get you. Recon finds the exposed technical surface that isn't in anyone's inventory, the forgotten subdomain, the stray service, the thing a contractor stood up two years ago and never tore down.

The humans are an attack surface too. The easiest way in is rarely a server; it's a person. Recon does the same OSINT an attacker runs on your company and your leadership: who your executives are, what's public about them, which ones make the obvious phishing and social-engineering targets, and how much of the org chart can be reassembled from the outside.

Seen the way they see it. No agents, no credentials, no cooperation from the target. Recon works from the outside in, because that's the only honest test of what an attacker can actually reach, then hands back what's exposed, why it matters, and what to do about it.