Building security programs from zero_

Security programs don't fail because of bad tools or misconfigured alerts. They fail because they were designed for a different organization than the one that has to run them — shaped around compliance frameworks instead of engineering workflows, written in a language that only makes sense inside a security team, and treated as infrastructure when they're actually a relationship with every team in the company.

I spent eight years inside incident response at Sucuri and GoDaddy. At the scale we operated — thousands of incidents per year, live malware campaigns, e-commerce skimmers running in production, intrusions on critical infrastructure — the gap between security theater and security practice becomes impossible to hide. You either build things that work under pressure or you don't.

At Patchstack, I built the security program from scratch. Not a policy document dropped into a shared drive — a functioning program: secure development lifecycle, threat modeling embedded in engineering, incident response playbooks, vulnerability intelligence workflows, and coordinated disclosure operating at the scale of the global #1 CNA in 2023 and 2025, ahead of GitHub and Kernel.org. The hardest part was never the technology. It was the organizational negotiation: making security useful instead of obstructive, translating risk into decisions that product and engineering teams can act on.

This site is a working archive. Essays on security program design, talks from 25+ international conference appearances, and the thinking behind the work.