Security & Governance

FILE:
Security & Governance
STATUS:
Active engagements; accepting new
CAPABILITIES:
Virtual CISO · Security Architecture · Audit Prep · Compliance Programs · Risk & Governance Frameworks
FRAMEWORKS:
NIST CSF · ISO 27001 · SOC 2 · HIPAA · PCI DSS · CMMC · FedRAMP · GDPR · PIPL
TYPICAL ENGAGEMENT:
Retained or fractional; 90-day stand-up or rolling

Advice is easy. Anybody can hand you a slide deck. Sometimes the answer is coaching and knowledge, so you come out of the engagement sharper than you went in and the problem stays fixed because you actually understand it. Other times the answer is a product or platform that just automates the whole thing for you. I do both. Most of what's below started the same way: I ran into something broken, or stupid, or missing, and figured I could do better. Some of it protects elections and runs compliance for the people who answer to the board. Some of it just sounded fun at 2 a.m. All of it is mine, built start to finish, and it's the reason I can tell a client "yeah, that's possible", because I've usually already built the thing that does it.

Cyber governance and compliance — every risk, on the record.

Every security tool on the market is built for the people at the keyboard. RiskTape is built for the people who sign. When the board, a regulator, or your cyber-insurance carrier asks "are we compliant, who's accountable, and can you prove it," the honest answer is usually a two-week fire drill of screenshots and panic. RiskTape sits above the stack you already own and turns the firehose of technical noise into the handful of grades, named owners, and dollar figures the boardroom actually wants, with a defensible record so "prove it" takes one click instead of one fire drill.

Always current. Your compliance posture goes stale the second you measure it. RiskTape watches your real telemetry continuously, so what you see is what's true right now, not what was true the last time someone scrambled to reconstruct it.

Built on what's actually there. You can't secure, score, or defend what you can't see. It finds and evaluates the real assets on your network, so the whole picture is built on reality instead of the spreadsheet somebody swears is up to date.

risktape.io

EDGAR

You can't secure what you can't see. EDGAR sees all of it.

You can't secure what you can't see, and almost nobody can see all of it. The inventory is a spreadsheet somebody swears is current, the network has boxes on it nobody remembers standing up, and every tool downstream is quietly built on that bad data. EDGAR is the layer that fixes the foundation: agentless discovery that finds what's actually on your network and pulls the real configuration off it, so everything above it is built on reality instead of a guess.

The real inventory, not the spreadsheet. Agentless discovery finds the endpoints actually on your network, including the ones nobody put in the inventory, without installing software on every machine.

Configuration from the source. EDGAR authenticates to each endpoint and pulls real configuration data, so you're working from what's actually there, not the spreadsheet somebody swears is up to date.

The layer everything builds on. The forgotten box, the stray service, the thing a contractor stood up two years ago and never tore down, EDGAR finds it, and feeds the discovery-and-configuration picture every other tool depends on.

[ Open the file ]

CGAP

Governance maturity, measured from real evidence instead of a slide deck.

Compliance maturity usually gets measured the dishonest way: a questionnaire somebody fills out the week before the audit, drifting toward whatever the org wants to show its board. CGAP measures it from real evidence instead. It computes your governance posture from the security telemetry you already generate, maps it across every framework at once, and produces a single executive-facing score you can actually defend, because it's built from what's true, not what's convenient.

Evidence, not self-assessment. CGAP pulls from the telemetry you already generate, scanners, SIEM, and the rest, to compute compliance status from real evidence instead of self-assessment questionnaires that drift toward whatever looks good in the board deck.

Every framework at once. It maps your posture against four current-revision frameworks simultaneously, NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, PCI DSS v4, with a cross-framework crosswalk so one piece of evidence is cited everywhere it's asked for. No double entry, no auditor confusion.

One score, fully reproducible. A single executive-facing score with full drill-down to control-level evidence, and every score is a timestamped, reproducible snapshot, so "what did we look like last quarter" is one click away.

[ Open the file ]

SourceIQ

Disinformation got cheap. SourceIQ tells you what you're actually looking at.

Disinformation got cheap, fast, and good. A convincing lie now costs almost nothing to manufacture and almost nothing to spread, and by the time anyone asks "wait, is this real," it's already done the damage. SourceIQ is built for the people whose job is to answer that question before it matters, not after. It takes the raw material of a modern influence campaign, the memes, the posts, the links, the story that's suddenly everywhere, and tells you what it's actually made of.

The stuff that actually moves. Not press releases, the real vectors: memes, social posts, shared links, the screenshot making the rounds, the narrative three different accounts started pushing on the same afternoon. SourceIQ ingests what people actually see and share, not the sanitized version.

Where it really came from. Provenance, not vibes. SourceIQ traces a piece of content back toward its origin instead of taking the label on the front at face value, so a "grassroots" story that started in one coordinated place stops looking grassroots.

Organic, or manufactured. There's a difference between a thing people are genuinely saying and a thing built to look that way. SourceIQ reads the pattern, the timing, the coordination, the amplification, and tells you which one you're staring at, and who's working the levers.

[ Open the file ]

Recon

The people who know your attack surface best are the ones trying to get in. Recon levels the field.

Before you can defend the perimeter, you have to know where the perimeter actually is, and right now the people who know that best are the ones trying to get in. Attackers map your whole attack surface for a living, the technical one and the human one. Most organizations have never done it once. Recon closes that gap: it looks at you the way an adversary does, from the outside, with no inside knowledge, and hands you the picture while you can still do something about it.

Your real footprint, not your assumed one. The assets you forgot you had are the ones that get you. Recon finds the exposed technical surface that isn't in anyone's inventory, the forgotten subdomain, the stray service, the thing a contractor stood up two years ago and never tore down.

The humans are an attack surface too. The easiest way in is rarely a server, it's a person. Recon does the same OSINT an attacker runs on your company and your leadership: who your executives are, what's public about them, which ones make the obvious phishing and social-engineering targets, and how much of the org chart can be reassembled from the outside.

Seen the way they see it. No agents, no credentials, no cooperation from the target. Recon works from the outside in, because that's the only honest test of what an attacker can actually reach, then hands back what's exposed, why it matters, and what to do about it.

[ Open the file ]