I lead application security, love automation, and dive into everything else on the side.
My day job is leading the AppSec program at Penguin Random House. The other half of my brain is usually buried in a side project, a half-finished Python script, or a new AI solution that came out 5 minutes ago. This site is where I keep what I'm working on and the stuff I write down so I can share it with others.

What I'm into
Three areas I keep ending up in, whether I'm at work or not.
Running an AppSec program
I look after security across roughly 400 apps in six regions. That's a lot of places where things can go wrong, so most of my time goes into the boring-but-important stuff: governance, threat modeling, vuln management, and getting people unblocked.
Figuring out AI safely
I lead our AI security review at PRH. Some of it's hard problems, some of it's just convincing people to think before plugging an LLM into something. I've ended up fairly deep in MCP servers and agentic tooling lately.
Writing the script instead
I'd rather spend a weekend writing the script than spend a year doing the task. A lot of what I've shipped (an MR security bot, an internal ASPM, a WordPress vuln crawler) started exactly that way.