What we've learned shipping security and software work into firms where the worst case is privileged material in the wrong hands. Short. Specific. Posted when there's something to say.
- CYBERSECURITY · FOUNDER-LED
Founder-led companies need security before they need a CISO
Pre-IPO companies carry mid-market threat models with worse staffing. The fix is not hiring a security organisation; it is buying the right scoped engagement at the right moment.
6 min read - CYBERSECURITY · INSURANCE
Cyber insurance underwriting in 2026 — what changed
Cyber insurance premiums are now tightly indexed to documented controls. A firm that cannot produce written evidence of basic security hygiene is paying a premium that absorbs most of the budget that would have funded those controls in the first place.
7 min read - PRIVATE AI · STRATEGY
When private AI is actually the right call (and when it isn't)
Private AI is a real architecture with real trade-offs. The firms that get it right have a specific reason. The firms that get it wrong are usually paying for a constraint they did not actually have.
8 min read - LEGAL TECHNOLOGY · ETHICS
ABA Model Rule 1.6 — what 'competence with technology' actually means now
The technology-competence comment to ABA Model Rule 1.6 was adopted in 2012. Fourteen years later, state-bar opinions have given it real teeth. Most firms are still operating against the version of the rule from before that happened.
7 min read - CYBERSECURITY · POSTURE
The questionnaire you should have already answered
Every enterprise client will eventually send a two-hundred-question security questionnaire. The firms that win the work answered it once, in writing, before the question was asked.
6 min read - PRIVATE AI · LEGAL
The hallucination problem is a retrieval problem
When a model invents a citation, the failure is almost never the model. It is the system that decided what the model was allowed to see.
6 min read - SOFTWARE · ENGINEERING
The first commit decides the threat model
Security retrofits cost roughly ten times what security from line one costs. An honest accounting of why, written for engineering leads.
5 min read - AI · GOVERNANCE
An AI acceptable-use policy that survives a deposition
Most AI policies are written for marketing. The version that matters is the one a lawyer can read back into the record without flinching.
5 min read - PRACTICE MANAGEMENT · LEGAL
The five-vendor stack is a security problem
Every additional SaaS vendor in a firm's stack is a multiplier on attack surface, breach probability, and the cost of getting an answer when something goes wrong.
6 min read - PRIVATE AI · LEGAL
Private language models for law firms
On-premises model deployment is no longer exotic. Three constraints decide whether it is right for your firm.
6 min read - CYBERSECURITY · STRATEGY
Digital resilience, not perfection
Invulnerable systems do not exist. The discipline worth investing in is the speed at which you detect, contain, and recover.
5 min read - CYBERSECURITY · DETECTION
AI in threat detection — what actually works
Generative models are everywhere in the security marketing layer. The detection capability that justifies the spend is narrower.
5 min read - CYBERSECURITY · RISK & COST
The real cost of weak cybersecurity
Headline breach numbers are easy to dismiss. The operational cost of an under-invested security posture is the harder argument.
5 min read
We respond within two business days. Scoping calls are obligation-free and run thirty minutes.

