Cybersecurity, AI & data science leader — 20+ years building production cyber-analytics platforms across enterprise, defense, and federal.

I build production-grade cyber data and analytics platforms — applying AI/ML, data science, and cloud engineering to defend networks and turn high-volume telemetry into decisions. Ph.D. in Computer Science, 20+ years across enterprise, defense, and federal environments.

Focus Areas

AI for Cyber

Offline/air-gapped LLM fine-tuning, MCP & agentic AI workflows, and ML-based anomaly detection on live network telemetry.

Network Defense & Forensics

Real-time situational awareness, threat detection at scale, and cyber-topology visualization for analysts and operators.

Data Science & Pipelines

Large-scale analytics pipelines, cloud data engineering on AWS/GCP, and ML modeling over messy, high-volume data.

Recent Posts

Can a Local Coding Model Do Threat Intel? Benchmarking Qwen3-Coder-Next on AthenaBench

A lot of the work I do lives in a place cloud LLMs can’t go. Incident writeups, reverse engineering, artifact analysis, internal vuln-triage notes — the threat-intel workflows that would benefit most from an AI assistant are exactly the ones where pasting text into somebody else’s API is a no-go. Most LLM benchmarking quietly ignores this, because the benchmarks assume you can just call GPT. In my world you often can’t.

Read more →

Treating Your Agents as Insiders: Lessons from the GDM AI Control Roadmap

I build and think a lot about cyber agents — AI systems that read code, call tools, touch infrastructure, and increasingly do real work without a human watching every step. So when Google DeepMind published GDM AI Control Roadmap (v0.1) (Phuong, Jenner, Simon, Ho, Shah, Farquhar & Coull, 2026), it piqued my interest. It’s the clearest articulation I’ve seen of a simple, slightly uncomfortable idea: the most useful framing for securing AI agents is to treat them as a potential insider threat — and to borrow, almost wholesale, the playbook we already use against malicious employees.

Read more →

Anatomy of a Backdoor: The XZ Utils Supply-Chain Attack (CVE-2024-3094)

On Friday, March 29, 2024, a Microsoft engineer named Andres Freund sent an email to the oss-security mailing list that quietly averted what might have been the most consequential supply-chain compromise in the history of open source. He had been chasing a performance oddity — SSH logins on a Debian test system were running about half a second slower than they should have, and liblzma was burning suspicious amounts of CPU. What he found at the bottom of that rabbit hole was a deliberately planted backdoor in XZ Utils, a compression library that ships in virtually every Linux distribution on Earth.

Read more →

Walkthrough: VulnHub 42Challenge — LFI to Root

A condensed walkthrough of the 42Challenge boot-to-root box from VulnHub. The fun of this one isn’t a single CVE — it’s chaining a chain of small weaknesses: a client-side filter, a local file include, log poisoning, a backup file, and a little reverse engineering. The methodology generalizes well beyond this box.

Read more →
Commodore 64 home computer
Sooner or later, someone has to shut-up and row. — Steve Henderson