Proof over promises.
Nothing here without a trace.
GRC / RISK
BLUE TEAM / DEFENSE
- Stormshield: CSNA certified · firewalling
- Wazuh
- Zabbix
- Wireshark: Traffic analysis · labs & CTF
- Log & Traffic Analysis
OFFENSIVE / RECON
- Burp Suite: Web pentest labs · Root-Me
- Metasploit: Exploitation labs · Root-Me
- Kali: Daily offensive toolkit
- Nmap: Recon & service mapping
- cURL: API testing & recon
- OSINT: Footprinting & recon
then documented.
I don't build fortresses. I find where they leak.
Two years through computer science at EPSI — DevOps, systems and networks — before cybersecurity at Guardia. The early work was infrastructure and build pipelines, which turns out to be the most direct preparation for security there is: you cannot reason about how a system fails until you have built one under time pressure and watched it strain. The security focus sharpened into a specific interest at Guardia — the space between compliance documentation and operational reality, where most security programmes produce activity rather than outcomes.
The apprenticeship at Arvato is second-line GRC inside Internal Control: EBIOS RM risk analyses, ISO 27001 and ISREG alignment, PSSI and policy drafting, supplier assessments, vulnerability management. The work is governance-layer — translating frameworks into decisions an organisation can actually execute, then keeping the evidence that it did. What I am building toward is a hybrid profile: enough GRC to be credible on governance, enough technical depth for detection engineering and pipeline security. A Mastère in offensive and defensive cybersecurity starts in September 2026. The throughline is secure by design — policy without operational instrumentation is assumption, detection without governance accountability is noise no one owns, and the connective tissue between them is where security actually lives.
From shipping features to securing them.
Assistant LISO — Local Information Security Officer
Flutter Development Intern
Web Developer Intern
Notes from the noise floor.
What second-line GRC actually does all day
The org chart says: frameworks, policies, oversight. The calendar says: translation. Between what a standard requires and what a warehouse can execute, somebody has to carry the meaning across.
What a firewall certification actually tests
I passed the CSNA in March. The exam verified that I can configure a Stormshield appliance. It could not verify the thing that matters: whether a firewall run by me would still be trustworthy a year later.
On the fragility of EDR assumptions
EDR vendors sell you a dashboard. The dashboard shows what the tool caught. The data you actually need is everything it didn't.
Zero Trust is a posture, not a product
Buying a Zero Trust product does not move you toward the condition the phrase describes. Seventeen vendors will tell you otherwise.
What side-channel attacks taught me about patience
The first 300 traces produced a uniform noise floor. The next 4,500 produced a key. The difference was not more data.
Same focus, different targets.
MOTO
same focus, different throttle.
DRAWING
pencils, ink, and the occasional tablet.
MANGA & ANIME
raised on panels, arcs and late episodes.
TECHNOLOGY
where the day job and the hobby blur.
GAMING
competitive when it counts, chill when it does not.




