Selected work

Receipts, not slides.

Anonymised by default, shareable on request under NDA. A sample of what six months of FirmBit looks like.

Fintech · Series B

Stopped a $2.4M wire-fraud path before the SOC 2 audit

Uncovered an IDOR in the payout engine and three broken-access-control (BAC) findings in admin routes. All fixed and retested before the auditor opened the laptop.

204 hours · 14 findings · 0 critical in retest

Healthtech · HITRUST r2

HITRUST r2 Certified in 104 days

From gap assessment to certification, including 311 CSF controls mapped and 47 evidence artifacts authored.

104 days · 311 controls · 0 findings at audit

AI SaaS · Series A

Patched prompt-injection and RAG data-exfil paths

Found and fixed three jailbreak chains and a vector-store RCE. Shipped a hardened RAG pipeline and an eval harness to keep it hardened.

6 weeks engineering · 3 jailbreak chains · eval harness shipped

GovTech · StateRAMP

StateRAMP Moderate authorized in one submission

SSP authoring, 3PAO coordination and continuous-monitoring (ConMon) setup; the package was accepted by the state PMO on the first pass.

StateRAMP Moderate · 1st pass · ConMon live

Retail · PCI-DSS v4

Scope reduction cut PCI footprint by 74%

Tokenisation and a P2PE pathway reduced in-scope systems from 143 to 37. The RoC was issued without compensating controls.

-74% scope · clean RoC · 0 compensating controls

B2B SaaS · Red team

Assumed-breach in 4 hours, domain admin in 18

Purple-team exercise mapped to MITRE ATT&CK. Delivered 23 detection improvements to the blue team.

4h initial · 18h domain admin · 23 detections