Short, opinionated pieces on the questions that come up most in client engagements and classrooms. Read them all, then come back when you've got a question we haven't covered yet.
Active testing on a live plant is not the same exercise as running an IT red team. The blast radius is physical and the safety case has to come first. A breakdown of when pen testing genuinely helps your OT security posture — and when it's just IT-flavored tradition that risks hurting people.
You can't always patch. Sometimes the patch itself is the threat — revalidation, downtime, and the risk of breaking a deterministic process that's run untouched for fifteen years. Compensating controls, patch windows, and how to make this conversation with operations work.
The path I wish someone had handed me when I started: which fundamentals to attack first, where IT experience helps and where it'll mislead you, and how to build the kind of hands-on intuition that no certification on its own gives you.
A rough cadence of one piece a month. No spam, no funnels.