What I do

Every engagement, scoped before it starts.

You'll always know what you're getting, what it costs, and when it's done. No open-ended retainers dressed up as strategy, and no surprise invoices.

Private AI Readiness Assessment

The question this answers: Can we run AI on our own data — safely, compliantly, and on infrastructure we control — and what will it actually take?

Everyone wants the productivity of modern AI. Few have looked honestly at what feeding sensitive data to an outside model does to their risk and compliance posture. This assessment closes that gap before you’ve committed a dollar to building anything.

What you get:

  • A review of your candidate use cases — which are worth doing, which aren’t, and which carry hidden data-exposure risk
  • A recommended on-premise / private architecture, grounded in a working reference design rather than theory
  • A data-protection and compliance assessment mapped to your actual obligations
  • A phased roadmap with a realistic implementation cost estimate
  • A written report and a live walkthrough with your team

Format: Fixed fee. Two to three weeks. Defined deliverable.

What it is not: This engagement decides whether and how — it doesn’t start building. Implementation is a separate, clearly scoped engagement, so this stays honest and bounded. You leave with a plan you own, whether you build it with me or on your own.


Encryption & Key Management Advisory

The question this answers: Is our sensitive data genuinely protected — and will it still be protected in five years?

This is the foundation everything else sits on, and it’s where I’ve spent my career. It’s rarely urgent until it suddenly is: a failed audit, a breach, a regulator’s letter, a merger’s due-diligence review.

Where I help:

  • Encryption architecture reviews — is data actually protected at rest and in transit, or only on paper?
  • Key management strategy — because who controls the keys determines whether your encryption means anything
  • Hardware security module (HSM) guidance and design
  • Post-quantum readiness — the migration your organization will be required to make, started before it becomes an emergency. Most teams have no inventory of where their cryptography even lives. That’s where this begins.

Format: Scoped to the engagement — from a focused architecture review to a full key-management strategy.


Ongoing Security Advisory

The question this answers: Who do we call when a security decision is bigger than our team but smaller than a new hire?

For organizations that need senior security judgment available on a regular basis — reviewing decisions, pressure-testing vendors, keeping the roadmap honest — without carrying a full-time security architect on payroll.

Format: Monthly retainer, sized to how much of me you need. Often the natural next step after an assessment or a review.


Not sure which fits? Most engagements start with a short call to figure out what you actually need — which is sometimes less than you feared, and occasionally something you hadn’t considered.