r-sec

Expertise

Three disciplines, one goal: operations that hold.

Security, AI and infrastructure are usually treated as separate worlds. In practice they only work together — a detection is only as good as the infrastructure it runs on, and automation is only as trustworthy as the security around it. These are the three areas I keep coming back to.

Abstract radar rings over a dark grid

01

Security operations & SOC

A Security Operations Center is not a product you buy — it is an organism of people, processes and technology that has to survive contact with real incidents. I have spent years on the question of what makes SOCs actually work: how detection engineering becomes a managed lifecycle instead of a pile of rules, how playbooks and automation take the repetitive weight off analysts, and which few metrics genuinely tell you whether you are getting better.

How I think about it:

  • Detection quality beats detection quantity — alert fatigue is a design failure, not an analyst failure.
  • Process before tooling: a SIEM migration fixes nothing if the use-case lifecycle is broken.
  • Measure what changes decisions — time to detect and respond, coverage against real threat models, automation rate.
Abstract neural lattice of light filaments

02

AI automation & strategy

Most AI initiatives start with a model and search for a problem. The ones that work start the other way around: a process that hurts, data that exists, and a clear answer to “what changes when this works?”. I build AI-supported automation — from agentic workflows that take real work off people’s plates to decision support that leaders actually trust — and the strategies around them: where AI creates value, where it creates risk, and how to govern the difference.

How I think about it:

  • Automation first where work is repetitive and verifiable — that is where AI pays for itself.
  • Strategy means saying no: a small number of use cases done properly beats an AI program slide deck.
  • AI systems are attack surface — security and evaluation belong in the design, not the audit.
Abstract isometric server topology with light paths

03

IT infrastructure

Everything above runs on infrastructure — and most outages and breaches trace back to it. I care about environments that are resilient by architecture: segmented networks, automated and reproducible configuration, observability that shows what is actually happening, and recovery paths that have been tested before they are needed. Security is a property of the design, not a product added later.

How I think about it:

  • Boring is a feature — predictable, automated, documented beats clever every time.
  • Segmentation and least privilege are the cheapest incident response you will ever buy.
  • If recovery has never been rehearsed, it does not exist.

Want to talk about any of this? →