Short, opinionated pieces on the questions that come up most in client engagements and classrooms. Read them all, then come back when you've got a question we haven't covered yet.
Statistical baselines over a rolling window aren't a baseline. The interesting capabilities - forensic, predictive, compliance, digital twins - all need a baseline most tools were never built to produce.
Active testing on a live plant is not the same exercise as running an IT red team. The blast radius is physical and the safety case has to come first. A breakdown of when pen testing genuinely helps your OT security posture - and when it's just IT-flavored tradition that risks hurting people.
You can't always patch. Sometimes the patch itself is the threat - revalidation, downtime, and the risk of breaking a deterministic process that's run untouched for fifteen years. Compensating controls, patch windows, and how to make this conversation with operations work.
The path I wish someone had handed me when I started: which fundamentals to attack first, where IT experience helps and where it'll mislead you, and how to build the kind of hands-on intuition that no certification on its own gives you.
A rough cadence of one piece a month. No spam, no funnels.