then documented.
I don't build fortresses. I map the blind spots.
Three years through computer science and then cybersecurity. The development internships came first — interfaces, performance work, a migration from WordPress to static HTML. They were useful for understanding how systems get built under time pressure, which turns out to be directly relevant to understanding how they fail. The security focus came after, at Guardia, and sharpened into a specific interest: the space between compliance documentation and operational reality, where most security programmes produce activity rather than outcomes.
The apprenticeship at Arvato is in ISMS management — security policy, IS audits, risk and incident processes. The work is governance-layer: translating frameworks into decisions an organisation can actually execute, then maintaining the evidence that it did. The domains I am building toward are GRC, blue team operations, and DevSecOps. The overlap between them is not an accident. Policy without operational instrumentation is assumption. Detection without governance accountability is noise that no one owns. The connective tissue between them is where security actually lives.
On the fragility of EDR assumptions
EDR vendors sell you a dashboard. The dashboard shows what the tool caught. The data you actually need is everything it didn't.
Zero Trust is a posture, not a product
Buying a Zero Trust product does not move you toward the condition the phrase describes. Seventeen vendors will tell you otherwise.
What side-channel attacks taught me about patience
The first 300 traces produced a uniform noise floor. The next 4,500 produced a key. The difference was not more data.