Services

FILE: Services Overview
STATUS: Open, accepting engagements
ENGAGEMENT: Project, fractional, or retained

Here's what I actually do, all of it at a level your last vendor charged double for and delivered half of. Every one starts with a free conversation, because I'd rather tell you what's actually broken than sell you something that isn't the fix.

  • Security Architecture

    Zero-trust the right way. Identity, network, data. Designed so your auditors can't argue with it later.

  • Security Posture Evaluation

    Any script-kiddie can run nmap and Burp Suite and hand you a report. I follow up with the hard questions: how are you controlling traffic inside your Azure cloud? What's your AI and LLM security strategy? The ones nobody wants on the record.

  • Compliance & Regulatory

    I've worked across 25 global security frameworks, from NIST CSF in the States to GDPR in the EU to PIPL in China. I know how to map them to each other and present one unified compliance picture, audit-ready, and for less than your auditor will charge.

  • Incident Response

    Containment, forensics, regulator comms, carrier comms. I've run national-scale IR and managed incidents in over 75 countries. I protected Churchill Downs on Kentucky Derby race day, securing the payment environment behind $4B in card transactions across a single afternoon. Your bad day is something I've already seen.

  • Virtual CISO

    Senior-altitude security leadership without the full-time price tag. Board presentations, vendor calls, the awkward conversations no one wants to have. I'm not afraid to be the bad guy when I have to be, and I'll make you smile while I do it.

  • Executive Advisory

    Strategic advice for boards, founders, and General Counsel on what their security program actually needs, not what their vendors are selling them. Think of me as your advocate in a security negotiation. I've sat on the other side of that table too, and I know how they think.

// WHAT I'VE BUILT

The board: every product across the three buckets.

REDACTED

The compliance platform with a name I can't show you yet.

  • Built for the people who sign, not the people at the keyboard. When the board, a regulator, or a cyber-insurance carrier asks "are we compliant, who's accountable, can you prove it," this answers in one click instead of a two-week fire drill.
  • Sits above the security stack you already own and turns technical noise into the handful of grades, named owners, and dollar figures a boardroom actually wants.
  • Watches real telemetry continuously, so what you see is true right now, not what was true the last time someone scrambled to reconstruct it.
  • Keeps a defensible record, so "prove it" is a click, not a panic.
Details under NDA

EDGAR

You can't secure what you can't see. EDGAR sees all of it.

  • Agentless. Discovers the endpoints actually on your network, including the ones nobody put in the inventory, without installing software on every machine.
  • Authenticates to each endpoint and pulls real configuration data, so you're working from what's actually there, not the spreadsheet somebody swears is current.
  • Finds the forgotten box, the stray service, the thing a contractor stood up two years ago and never tore down.
  • Feeds the rest of the picture: the discovery-and-configuration layer everything else builds on.

CGAP

Governance maturity, measured from real evidence instead of a slide deck.

  • Pulls from the security telemetry you already generate, scanners, SIEM, and the rest, to compute compliance status from real evidence instead of self-assessment questionnaires that drift toward whatever the org wants to show its board.
  • Maps your posture against four current-revision frameworks at once: NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, PCI DSS v4.
  • Cross-framework crosswalk: one piece of evidence, cited across every framework that asks for it. No double entry, no auditor confusion.
  • Single executive-facing score with full drill-down to control-level evidence, and every score is a timestamped, reproducible snapshot, so "what did we look like last quarter" is one click away.

SourceIQ

Disinformation got cheap. SourceIQ tells you what you're actually looking at.

  • Ingests the real vectors of a modern influence campaign, the memes, the posts, the shared links, the screenshot making the rounds, not the sanitized press-release version.
  • Traces content back toward its origin, so a "grassroots" story that started in one coordinated place stops looking grassroots.
  • Reads the pattern, timing, coordination, amplification, and tells you whether a thing is organic or manufactured, and who's working the levers.
  • Built for the people whose job is to answer "wait, is this real" before it matters, not after.

Recon

The people who know your attack surface best are the ones trying to get in. Recon levels the field.

  • Maps your real external footprint the way an adversary does, from the outside, no inside knowledge, no credentials, no cooperation from the target.
  • Finds the exposed technical surface that isn't in anyone's inventory, the forgotten subdomain, the stray service, the thing nobody remembers standing up.
  • Runs the same OSINT an attacker runs on your leadership: who your executives are, what's public, who makes the obvious phishing target, how much of the org chart rebuilds from the outside.
  • Hands back what's exposed, why it matters, and what to do about it, while you can still do something about it.

OSTRAQ

Private, accurate, tamper-proof. Elections were told to pick two. OSTRAQ refuses.

  • Prove you can vote without giving yourself away: establish eligibility without handing over your identity to do it. (Cryptographic identity proofing, built on IdNFT.)
  • Every vote counted right, and provably so, counted correctly and verifiable after the fact without exposing how anyone voted. (Zero-knowledge proofs.)
  • Results nobody can quietly change: once it's recorded, tampering doesn't survive contact with it. (Hash-chained, tamper-evident ledger.)
  • Runs on cryptography built for the threats that are coming, not the ones we already beat, while most of the country still votes on decades-old staleware.

IQualify

The résumé-screening industry is a keyword racket. IQualify is the honest version.

  • Tells you why you got screened out, before you waste the application.
  • Built to audit its own bias instead of hiding it.
  • Stops failing good people for the dumbest possible reasons.
  • An honest alternative to the keyword theater that automated hiring turned into.

eTrax

Where's the gear, and whose name is on it? eTrax always knows.

  • Tracks athletics equipment and its chain of custody, so nothing walks off without a name attached.
  • Built for school athletics, where the gear budget is real and the accountability usually isn't.
  • FERPA-clean from the ground up, because it touches student data and that's not optional.
  • The ledger half of the equipment-and-athlete problem nobody wanted to own.

eCombine

Roster decisions based on something real, not a gut call and a stopwatch.

  • Scores and evaluates athletes so roster and recruiting decisions rest on real data.
  • Built for the combine: the measurable, comparable, defensible side of athlete assessment.
  • FERPA-clean from the ground up, student data handled the way student data has to be.
  • The evaluation half of the equipment-and-athlete problem.

ConManagement

Run a convention at real scale and the tooling is either ancient or held together with tape. This is the replacement.

  • The operations, the schedule, and the commerce, in one system instead of six that don't talk.
  • Manages the volunteers who actually make the event run, the part everybody forgets until it falls apart.
  • Built by someone who has actually run the floor, not guessed at it from a product spec.
  • For events past the scale where a spreadsheet and good intentions still work.

Vector Death

Eight ships. One tunnel. Half of them coming the other way.

  • Anti-grav racing where you don't dodge your rivals, you hunt them. Plasma weapons and all.
  • Built on the bones of the games that ate my weekends: WipeOut XL's lethal elegance, Red Planet's cult brutality.
  • Every lap is a game of chicken at impossible speed.
  • The crowd didn't pay to watch you cross the line. They paid to see who's left.

Drifter

The galaxy's wide open, the ports are unguarded, and the only law is what your guns can enforce.

  • Trade rare cargo across thousands of sectors and build an empire one port at a time, or skip the paperwork and turn pirate.
  • Form corporations, fight wars over hyperlanes, or quietly out-earn every fleet that crosses you.
  • The BBS classic that ate my teenage years, rebuilt for your pocket.
  • Persistent and ruthless. It never pauses just because you logged off.

Trench Defense

They don't stop. They don't sleep. One trench, a few towers, and your nerve.

  • Dig in with WWI machine guns, dig out with future-tech turrets, hold the line while the AI probes every weak point you left it.
  • Pathfinding enemies find the gap. Status effects stack. The next wave is always worse than the last.
  • I'm building this one with my kid, which makes it the most important thing on the list.
  • The game is half of it. The building it together is the rest.

Roc

Grandma's card table, rebuilt for your phone.

  • Roc is Rook reborn: bid bold, call your partner's bluff, drop a trump at exactly the wrong moment for everybody else.
  • Play solo against AI that runs from "kindly aunt" to "the cousin who counts every card and never lets you forget it."
  • Or go online against real people in real time.
  • Every regional house rule your family argued about at Thanksgiving is in there. Play it the way you grew up swearing was the only correct way.

D20 Craps

Craps is just odds and probability. So what happens if you run the whole thing on d20s?

  • A full rule set worked out from scratch: roll 2d20, and 21 becomes the new 7.
  • Point bands, hardways from 1-1 all the way to 20-20, field bets, true-odds plays with zero house edge.
  • Same heartbeat as the felt in Vegas, rebuilt for people who'd rather roll a d20.
  • Started as a Dragon Con afterparty argument with a friend who teaches math. Neither of us could let it go.

Grim Reaper Whiskey

Got tired of paying for a bottle to keep in the desk drawer for the C-suite, so I made my own.

  • The bottle that earned its place in the desk drawer.
grim-reaper-whiskey.com

"The first round is on me." No pitch deck. No sales team.