30 years of breaking and building things. Still curious.

I started in hardware security in the mid-nineties, pulling apart embedded systems to understand why the assumptions designers made didn't hold under adversarial conditions. The technology has changed completely. The skill — finding the gap between what a system designer thinks is true and what's actually true — hasn't.

The journey from hardware to software to web to APIs to AI has been less a career plan than a series of "this is the interesting problem right now" decisions. Each transition involved learning a new domain while carrying forward the same adversarial mindset. That turns out to be reasonably portable.

For the last decade I've been focused on API security — specifically the gap between how APIs are built and how they should be secured. I'm CTO and co-founder of LibertiTec, a UK startup building privacy infrastructure for sensitive data. We build secure data systems for organisations with a duty of care to the people whose data they collect — humanitarian NGOs, journalists, law enforcement, and safeguarding teams.

I also run Defending Dev — resources for developers who want to take security seriously without becoming full-time security engineers. And Createk Design is my personal consulting limited company.

Outside of work: cycling — road and Spin (suffering required), reading (broadly), travelling and exploring, and opinions (many, held with appropriate uncertainty except where noted on the values page).