On Consulting
5 posts · a series — start at 01
The Problems Nobody Talks About in Security Consulting
There’s a version of security consulting that looks great on paper. A pentest gets scoped, executed, and delivered as a PDF. The client receives it, files it somewhere, maybe fixes a few things, and everyone moves on until next year. The tools are there. The frameworks are there. The compliance checkboxes get ticked. And yet […]
- On Consulting · 30 Mar 2026
The Pentesting Delivery Problem
Ask any pentester how their findings get delivered and the answer is almost always the same: a PDF. Sometimes polished with a cover page and an executive summary, sometimes a Word doc hastily converted. But the mechanism hasn’t changed in decades — a document gets produced at the end of the engagement, emailed to someone […]
- On Consulting · 30 Mar 2026
The Dev-Sec Friction Problem
There’s a meeting that happens in almost every organisation with both a security team and a development team. Someone from security presents a list of findings. The developers sit there, arms folded — literally or figuratively. The findings get acknowledged, maybe assigned, and then nothing happens for weeks. Or months. Or ever. Security blames dev […]
- On Consulting · 31 Mar 2026
The Tool-Dependency Problem
Every CISO I’ve ever spoken to has a version of the same conversation at least once a quarter. A vendor calls. The pitch is some variation of: “Our platform finds vulnerabilities faster, with fewer false positives, and integrates with your existing workflow.” The demo looks good. The dashboard is clean. The marketing says it’ll reduce […]
- On Consulting · 31 Mar 2026
The Play-Pretend Problem
Walk into any large enterprise’s security team and ask them to show you what they’ve built. You’ll see tools. Lots of them. A SAST platform, an SCA scanner, a CSPM dashboard, maybe a GRC suite, probably a SIEM. You’ll see policies — information security policy, acceptable use, data classification, incident response. You’ll see frameworks — […]