No active detection pipeline
Knowing a CVE exists in the NVD is not the same as knowing it is being actively exploited. Without correlation against CISA KEV, the CRA Article 14 notification clock starts running without the organisation knowing.
Cybersecurity Governance Advisory · Application Security · Intelligence-to-Operations bridging
Portugal
I help technology teams prepare the evidence that regulators, auditors, and investors require — without slowing down delivery.
My work sits at the intersection of security governance, GRC, and engineering. I build systems that connect detection output, compliance controls, and release gates into audit trails that are ready when the regulator asks.
Everything I produce is grounded in the EU Cyber Resilience Act (CRA), ISO 27001, NIS2, and DORA.
Regulators do not ask for the patch — they ask for the record of who assessed the risk, when, with what criteria, and what was decided. A Jira ticket and a git commit are not that record.
An organisation can have solid internal processes and still fail CRA compliance — because it did not produce the artifacts the regulation requires as proof. Annex VII must exist on paper.
Risk-driven release gate engine. CRA Art. 14 notification artifacts, KEV correlation, and HMAC-chained audit trail.
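As an added example (not the engine described above, and not code from this site's author), the following Python shows the two mechanisms the project card names: correlating scanner findings against a KEV catalog snapshot so that a hit records when the Article 14 clock started, and appending each decision to an HMAC-chained audit trail that detects later edits or deletions. The KEV records, the scanner findings, the placeholder CVE id and the key are constructed sample data, not a claim about the live catalog.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed KEV snapshot using the field names of CISA's public catalog JSON.
# The dates are sample values, not a claim about the live catalog.
KEV_SNAPSHOT = {"vulnerabilities": [
    {"cveID": "CVE-2017-5638", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]}
# Constructed scanner output: one CVE discussed on this site, one placeholder id not in KEV.
FINDINGS = [
    {"component": "struts2-core", "cve": "CVE-2017-5638"},
    {"component": "example-lib", "cve": "CVE-2099-00001"},  # placeholder, not a real CVE
]
GENESIS = "0" * 64  # chain anchor for the first audit entry

def kev_index(snapshot):
    """Map cveID -> KEV record so each finding is a single dictionary lookup."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}

def correlate(findings, kev, aware_at):
    """Mark each finding as actively exploited (in KEV) or not. A KEV hit records
    aware_at, the moment the organisation became aware and the Article 14 clock started."""
    out = []
    for f in findings:
        hit = kev.get(f["cve"])
        out.append({**f, "actively_exploited": hit is not None,
                    "kev_date_added": hit["dateAdded"] if hit else None,
                    "clock_started_at": aware_at.isoformat() if hit else None})
    return out

def _mac(key, prev_mac, entry):
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    payload = prev_mac + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def append_entry(trail, key, entry):
    """Each MAC covers the previous MAC, so editing or deleting any earlier
    record invalidates every record after it."""
    prev = trail[-1]["mac"] if trail else GENESIS
    trail.append({"entry": entry, "mac": _mac(key, prev, entry)})
    return trail

def verify_trail(trail, key):
    """Recompute the chain from GENESIS; False on any tampered or missing record."""
    prev = GENESIS
    for rec in trail:
        if not hmac.compare_digest(rec["mac"], _mac(key, prev, rec["entry"])):
            return False
        prev = rec["mac"]
    return True

def build_trail(key, aware_at=None):
    """Run the correlation and log every decision, KEV hit or not, in order."""
    aware_at = aware_at or datetime.now(timezone.utc)
    trail = []
    for decision in correlate(FINDINGS, kev_index(KEV_SNAPSHOT), aware_at):
        append_entry(trail, key, decision)
    return trail
```

Logging the non-hits as well is deliberate: the record must show that every finding was assessed, not only the ones that turned out to be exploited.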
CTI aggregator with temporal knowledge graph.
Practical lab bridging CTI and operations — evolving from misp-playground into a full intelligence-to-operations workflow environment.
Securing the chain of custody in software releases. How the Apache Struts2 CVE-2017-5638 response exposed the gap between patching and proving you patched — and why release gates need cryptographic audit trails.
Why credential exposure timing depends on scanner placement — and why that placement is a categorical security decision, not a deployment preference.
How inaccurate threat modeling diverts resources and compromises defence, with lessons from the 3CX supply chain attack.
That well-intentioned security gate in your CI pipeline? It is probably annoying developers without actually protecting systems. A look at what makes release gates effective versus performative.