Writing
Long-form essays on identity, AI security, CIAM, Generative Engine Optimization, and the practice of building software. 584 pieces, newest first.
Latest essay
"Is eSIM safer than a physical SIM?" has a more interesting answer than most articles give. Each SIM type, physical, eSIM, and iSIM, has a different architecture and a different attack surface. Here is how they actually work and which is genuinely more secure.
Read the article
Eighteen vendors all claim to track AI engine visibility in 2026. Their methodologies differ enough that cross-vendor numbers don't compare. Here is how to actually evaluate them.
Large language models get the headlines, but small language models are quietly winning most real enterprise workloads on cost, speed, and privacy. Here is what SLMs actually are, how they work, and a clear framework for choosing between an SLM and an LLM.
Most CIAM selection decisions get made on features at evaluation time. Six-figure migration projects 18 months later are the result. Here's the stage-fit framework that prevents it.
A stranger emails saying they found a security hole in your site and would like a reward. Is it a genuine researcher, a low-effort "beg bounty," or extortion? Here is how to tell the difference and exactly what to do and not do.
Most engineers think about data storage and data processing as one technical problem. Regulators treat them as two very different things, and the gap between those views is where compliance violations quietly accumulate. Here is what the distinction actually means.
OWASP and NIST get mentioned in the same breath, but they answer different questions. One tells you what to fix in your code; the other tells you how to run a security program. Here is what each framework actually does and how to use them together.
Most best-podcasts lists are SEO-driven, not editorial. Here are the 12 cybersecurity and B2B SaaS podcasts I listen to weekly, plus the 6 I quit.
Most data breaches don't come from sophisticated zero-day attacks. They come from stolen credentials, misconfigurations, and unpatched systems. Here is a practical, prioritized playbook for preventing the breaches that actually happen.
Eleven sub-portals around the apex blog, each addressing a specific buyer-side pain. What each one is, why it exists, and the reader it serves.
CISA is operating at 40% capacity with 1,000 vacancies. Six threat hunters resigned in one day. The timing couldn't be worse for American cybersecurity.
Most tech predictions are click-bait with no accountability. I made 47 in early 2024 and tracked them. Here is the scoreboard with receipts.
A critical SQL injection in Ghost CMS turned 700+ sites into malware launchers. Harvard, Oxford, DuckDuckGo compromised. Here's what happened and what to do.
Generic founder reading lists do not map to cybersecurity-startup reality. Here is the 16-book list I would hand any cybersecurity founder, ranked by stage.
Attackers are forging authentication cookies to bypass Palo Alto GlobalProtect VPN logins. CISA KEV listed, Rapid7 confirms active exploitation since May 17.
G2, TrustRadius, and Gartner Peer Insights are commercially captured. Buyers know it. Nobody published a replacement. Here is the 7-step framework I use.
A poisoned LiteLLM package led to 4TB stolen from Mercor, the AI training startup serving Meta, OpenAI, and Anthropic. Class action lawsuits filed.
DarkSword silently compromises iPhones through website visits alone. 270M devices affected. Apple breaks its own policy with a rare iOS 18 security backport.
FBI classifies breach of its surveillance network as a 'major incident.' Salt Typhoon suspected. Wiretap targets and investigation data potentially exposed.
An annual research piece based on 12 months of monitoring 200+ CIAM vendor changelogs. The 14 trends shaping customer identity in 2026 and the vendors leading each shift.
Google's Knowledge Graph is the entity layer beneath AI Overviews, ChatGPT, and Perplexity. Here is the exact playbook for becoming a recognized, citable entity, and how AEO and GEO build on top of it.
Most "use bcrypt" posts are from 2014. Argon2 won the Password Hashing Competition in 2015 and nobody updated. Here is the actual 2026 decision framework for picking a password hashing algorithm.
Founders apply for credits in random order and get rejected because they tripped a referral-required gate they could have unlocked first. Here is the sequence that unlocks $250k+ in 90 days.
The five CIAM contenders in 2026 don't compete head-on. Each wins for a different stage and buyer. Here's the framework I use, with the honest tradeoffs each carries.
Your ISP logs every site you visit through unencrypted DNS lookups. Three free tools (Cloudflare 1.1.1.1, Google 8.8.8.8, Apple Private Relay) fix most of it. Here's how each one works and what it can't do.
I tracked 50,000 citations across ChatGPT Search, Perplexity, Claude, Gemini, Google AI Overviews, and Bing Copilot for 90 days. What actually moved citation share, and what didn't.
A founder's practical travel security checklist for 2026: realistic threats, what to actually do before, during, and after a trip, and where to skip the paranoia.
A founder's guide to the difference between authentication and authorization in 2026, with passkeys, agent auth, JWT pitfalls, and the mistakes I see at scale.
Most GEO buying decisions start with the wrong question: which tool monitors the most AI platforms. Here is a practical checklist for evaluating whether a GEO solution actually fits your industry.
How to build a cybersecurity product roadmap that survives AI security, compliance deadlines, and threat-driven emergencies. A founder's four-lane framework.
Security buyers research vendors in AI tools before a sales rep ever hears from them. The way a CISO interrogates ChatGPT looks nothing like how a marketer does. Here is what GEO actually looks like for cybersecurity.
