For fifteen years, organizations called me when their security program had to move faster than their org chart could. Most of that was at EY, where I led a team and stood up new consulting capabilities from scratch: Zero Trust architecture (stop trusting anything just because it sits inside the network perimeter — verify every request instead), cybersecurity due diligence for mergers and acquisitions, post-quantum cryptography readiness (moving encryption off the algorithms a future quantum computer could break), and AI-assisted automation for security operations. The work ran across Fortune 500 companies in nearly every industry and put me in the room with executives deciding how much risk a business could actually carry. I coached several people on that team into running their own engagements, and EY ranked me in the top 10% of its senior managers.
Six months ago I started building software products myself — solo, with AI coding agents doing most of the typing. The security instincts didn't switch off; they turned out to be the most useful thing I carried over. Deny-by-default database grants (the database refuses a call unless a role is explicitly allowed), fail-closed classifiers, audit trails, least privilege, threat modeling before a feature ships — the controls I spent fifteen years recommending to clients, I now have to actually implement, in my own code, where the distance between "documented" and "enforced" is mine to own.
This site is the honest register of that work: what shipped, what got shelved, what got killed, and the security decision behind each one. The thread through all of it is the lesson consulting and building taught me twice — a written rule is a suggestion; a gate is a control. I'd rather show you the gate.