About

I work on the boundary between software security, engineering practice, and organisational knowledge.

My background is in application security and software delivery, but over time my work has shifted away from tools and checklists toward a more persistent problem: how software is actually maintained, who really understands it, and what risk accumulates when that knowledge is uneven or invisible.

What I focus on

A lot of what I do today centres on Git history as evidence — not just for code quality, but for understanding maintenance patterns, developer contribution, tenure, ownership, and knowledge distribution over time. This includes questions like key person risk, long-lived system fragility, and open-source dependency health.

I currently work across two closely related efforts:

Kospex

Kospex is where this thinking is formalised into analysis and tooling. It focuses on extracting meaningful signals from Git repositories to help organisations reason about software maintenance, knowledge risk, and engineering sustainability using real contribution data rather than assumptions.
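
The kind of signal the two paragraphs above describe (per-author tenure and activity, file ownership, key person risk) can be computed from nothing more than `git log` output. The script below is an added illustration written for this page; it is not Kospex code and makes no claim about how Kospex works. It assumes the log was produced with `git log --format='%h|%an|%aI' --name-only`, uses a constructed six-commit history rather than a real repository, and the 80% ownership and 365-day dormancy thresholds are arbitrary choices for the example.

```python
"""Maintenance and knowledge-distribution signals from Git history (example, not Kospex)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of `git log --format='%h|%an|%aI' --name-only` output.
# Commit header, then one changed path per line, blocks separated by a blank line.
# This is made-up data, not taken from any real repository.
SAMPLE_LOG = """\
f1a2b3c|Alice|2024-05-20T09:12:00+00:00
src/auth/login.py
src/auth/session.py

e4d5c6b|Bob|2024-05-18T14:03:00+00:00
src/api/handlers.py

d7e8f9a|Alice|2023-11-02T16:40:00+00:00
src/auth/session.py
src/auth/tokens.py

c0b1a2d|Carol|2022-08-15T11:00:00+00:00
src/api/handlers.py
docs/README.md

b3c4d5e|Alice|2021-02-10T08:30:00+00:00
src/auth/login.py
src/auth/tokens.py

a6b7c8f|Bob|2020-06-01T10:00:00+00:00
src/api/handlers.py
"""

# Fixed "as of" date so the dormancy check is reproducible (assumed, not from the page).
AS_OF = datetime.fromisoformat("2024-06-01T00:00:00+00:00")


@dataclass
class Commit:
    sha: str
    author: str
    when: datetime
    files: list


def parse_log(text: str) -> list:
    """Split the log into commits; first line of each block is the header."""
    commits = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        sha, author, iso = lines[0].split("|", 2)
        commits.append(Commit(sha, author, datetime.fromisoformat(iso), lines[1:]))
    return commits


def author_tenure(commits: list) -> dict:
    """Per author: commit count, first and last activity, tenure in days."""
    stats = {}
    for c in commits:
        s = stats.setdefault(c.author, {"commits": 0, "first": c.when, "last": c.when})
        s["commits"] += 1
        s["first"] = min(s["first"], c.when)
        s["last"] = max(s["last"], c.when)
    for s in stats.values():
        s["tenure_days"] = (s["last"] - s["first"]).days
    return stats


def file_ownership(commits: list) -> dict:
    """Per file: commits by author and the share held by the dominant author."""
    by_file = defaultdict(Counter)
    for c in commits:
        for path in c.files:
            by_file[path][c.author] += 1
    result = {}
    for path, counts in by_file.items():
        top, n = counts.most_common(1)[0]
        result[path] = {"authors": dict(counts), "dominant": top,
                        "dominant_share": n / sum(counts.values())}
    return result


def bus_factor(commits: list) -> int:
    """Smallest number of authors who together account for more than half of all commits."""
    counts = Counter(c.author for c in commits)
    half, running = len(commits) / 2, 0
    for k, (_, n) in enumerate(counts.most_common(), start=1):
        running += n
        if running > half:
            return k
    return len(counts)


def key_person_risk(ownership: dict, tenure: dict, as_of: datetime,
                    threshold: float = 0.8, dormant_days: int = 365) -> dict:
    """Files concentrated in one author; flag those whose owner has gone quiet."""
    cutoff = as_of - timedelta(days=dormant_days)
    risky = {}
    for path, o in ownership.items():
        if o["dominant_share"] >= threshold:
            risky[path] = {"owner": o["dominant"],
                           "owner_dormant": tenure[o["dominant"]]["last"] < cutoff}
    return risky


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    tenure = author_tenure(commits)
    for name, s in tenure.items():
        print(f"{name}: {s['commits']} commits, tenure {s['tenure_days']} days, last {s['last'].date()}")
    print("bus factor:", bus_factor(commits))
    for path, r in key_person_risk(file_ownership(commits), tenure, AS_OF).items():
        print(f"{path}: owned by {r['owner']}" + (" (owner dormant)" if r["owner_dormant"] else ""))
```

On real repositories, feed the script `git log --format='%h|%an|%aI' --name-only` and expect two practical problems that the sample hides: the same person often appears under several names or addresses (use `%aE` with a `.mailmap` to fold identities), and squash merges attribute a whole branch to whoever merged it, which inflates one author and erases the others.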

Sabbaticas

Sabbaticas is how I do advisory and consulting work. It’s deliberately small and hands-on, and is where these ideas are applied directly with teams — helping engineering leaders, security teams, and executives make sense of technical evidence and turn it into practical decisions.

When people work with me

People usually work with me when:

I’m most useful in ambiguous spaces — where technical systems, people, and long-term risk intersect — and where clarity matters more than certainty.