Security Engineering · Autonomous AI Systems

Matthew Bowman

I build the security, cryptographic provenance, and audit infrastructure that agentic AI systems need to be trusted — backed by 15 years of keeping production alive when things break.

Austin, TX → relocating to NYC · incident response · endpoint & multi-cloud · 15+ years

About

I'm a security and systems engineer with 15+ years across enterprise IT, multi-cloud architecture, and security operations. My day-to-day is keeping production systems healthy and defensible across AWS, GCP, and Azure; my nights are spent building the autonomous security tooling shown below.

Hands-on with EDR-driven incident response (SentinelOne across 100+ environments), cloud security hardening, and high-tempo production incident work. Deep operator history in the gaming and media industry. Former U.S. federal Confidential clearance. I like problems where security, automation, and scale meet.

Focus: Incident response · detection · security automation
Cloud: AWS · GCP · Azure · Kubernetes
Security: SentinelOne EDR · IAM · PKI · log analysis
Code: Python · Bash · PowerShell · Go
Certs: CompTIA Security+ · Network+
Based: Austin, TX → relocating to NYC

Selected Work

Independent security R&D — original systems I designed and built. Concept-level; no client data, targets, or findings.

Autonomous Security Research

Meridian

A containerized pipeline that chains reconnaissance → vulnerability analysis → exploit validation, built to understand how automated adversaries operate at scale.

Screenshot: Meridian operations console — recon to hunt to verify to report pipeline with live service status
Screenshot: Meridian findings pipeline — candidate findings queued for human triage, target hostnames and counts redacted
Problem
Modern attack surfaces are too large to assess by hand, and defenders rarely see how an automated attacker actually prioritizes and moves.
Approach
A multi-stage, WAF-aware pipeline with CVE-first prioritization and breadth-then-depth heuristics that decide when to pivot vs. go deep — with evidence capture and structured reporting built in.
Impact
Turns days of manual recon into continuous, prioritized signal, and doubles as a defender's lens on attacker tooling, tempo, and decision-making.
Python · Docker Compose · 30+ services · orchestration · recon / vuln tooling · LLM-assisted triage

AI Agent Security · Cryptography

Seal

Cryptographic provenance for AI-agent prompts — replacing brittle "injection detection" with signatures that fail closed, defined as a language-agnostic protocol with native implementations in Python, Rust, Go, and TypeScript.

Problem
Prompt-injection defenses based on reading language are guesswork; an attacker only has to phrase it differently.
Approach
Every prompt carries an Ed25519-signed Verified Prompt Envelope proving who authorized it, its scope, and that it wasn't tampered with. Turns an NLP problem into key management. The VPE is defined by its wire format and signature scheme rather than any one runtime, so the same authorization mints and verifies natively in Python, Rust, Go, and TypeScript.
Impact
A defense-in-depth primitive for agent systems that rejects unauthorized instructions by construction, not by vibes. Multi-language ports mean the protocol integrates at any layer of the stack.
Python · Ed25519 · HMAC-SHA256 · protocol design · Rust · Go · TypeScript

Agent Infrastructure · Audit

Division

A hierarchical multi-agent system with durable episodic memory and a full audit trail of autonomous work.

Problem
Multi-agent systems lose context across sessions and leave no record of who did what, when, or why.
Approach
A coordination layer (lead → supervisor → specialized agents) over four-level episodic memory, with an HTTP API that checkpoints every task and outcome.
Impact
Cross-session memory plus a forensic, replayable audit trail — observability and accountability for agents.
Python · HTTP API · episodic memory · bi-temporal records

OSINT · Attack-Surface Visualization

DECK

A 3D cosmos you fly through where the visualization is the scan — point it at a domain and that target's full internet footprint reconstructs live, in real time, from passive OSINT.

Screenshot: DECK rendering a live 3D scan of github.com's internet footprint — labeled autonomous-system suns (GitHub, Cloudflare, Microsoft, Amazon), subdomain and IP clusters, and a live HUD of node counts and per-tier scan latencies
Problem
Reconnaissance output is a flat text dump, and the public internet maps are frozen archives that each render one layer of the whole internet — neither gives you a live, navigable view of a single target's complete footprint, or of the shape and timing of its attack surface.
Approach
An async, latency-tiered OSINT engine streams every probe result the millisecond it returns over a WebSocket to a 3D force-graph: domains, subdomains, IPs, prefixes and autonomous systems render as stars, planets, moons and suns, with BGP and DNS relationships drawn as gravitational lanes. Everything is keyless and passive by default (DNS, Certificate Transparency, BGP whois, local GeoIP), and each node ignites the instant it arrives, so probe latency becomes the choreography rather than a loading bar. A 'home base' mode turns the same engine inward, mapping your own host outward in concentric shells and flagging live egress that falls outside your normal network neighborhood.
Impact
Turns recon from a static list into a live, explorable map where an attack surface's topology and timing are legible at a glance — and, pointed inward, into a defensive instrument that surfaces anomalous egress by construction.
Python · asyncio · WebSocket · Three.js · 3d-force-graph · passive OSINT · BGP · Certificate Transparency

Threat Intelligence · Attack Surface

Sentinel Engine

Certificate-Transparency monitoring that surfaces new and anomalous infrastructure from internet-scale CT noise.

Problem
New subdomains, certs, and look-alike infrastructure appear constantly — phishing and shadow assets hide in the volume.
Approach
Continuously ingest public CT logs, extract and normalize domains, correlate against tracked roots, and surface only the new or anomalous as actionable intel.
Impact
Early warning on phishing infrastructure, subdomain sprawl, and shadow assets — attack-surface monitoring that runs unattended.
Python · Certificate Transparency · streaming correlation · OSINT

AI Security Evaluation

Assay

A fully-wired AI security evaluator — all four engines (seed/jailbreak, garak probes, defense delta scoring, results dashboard) integrated into one pipeline, with defense-lift measurement as a first-class primitive.

Problem
All AI evaluation tools score a model's vulnerability, but none measure whether a defense middleware actually helps or by how much — you get a baseline and a prayer.
Approach
Point at any Ollama-hosted model, run all four engines in sequence (deterministic seed probes → NVIDIA garak probes → inline defense re-scoring → delta-driven report), then compare baseline vs. defended scores as a first-class CLI primitive: 'assay delta baseline defended'. Ships a premium HTML report and a multi-run dashboard, so the whole evaluate → delta → dashboard pipeline is reproducible and auditable end to end.
Impact
Turns 'is it secure?' from vibes to a letter grade, and 'does the defense help?' from guesswork to a measured percentage-point lift. The delta wedge makes it the only honest defense-evaluation tool in the OSS AI-security space.
Python · Ollama · garak · jailbreak evaluation · defense delta · deterministic scoring

Autonomous Decision Systems

Midas

An autonomous research-to-decision engine that reads primary-source filings, forms structured theses, and routes every candidate through hard risk gates before anything acts — designed to survive being wrong, not merely to be right.

Screenshot: Midas operations dashboard — engine health, risk gates, open positions, and learning loop (demo data)
Problem
Automated decision systems optimize for being right and forget to optimize for surviving being wrong — a single bad sizing call ends the game.
Approach
A research-to-decision pipeline behind a layered risk gate, paper-trade execution, and a live operations dashboard. Most candidates are rejected by design; the system acts only when conviction and risk both clear.
Impact
Capital-preservation-first automation: it does nothing unless conviction and risk both clear — 'no decision' is the default, not a failure.
Python · research-to-decision pipeline · risk-gate engine · FastAPI ops dashboard · paper-trade execution

Mechanism Design · Protocol Security

Grommet

A boundary investigation of extraction-resistant sequencing — adversarial mechanism design proving that content-blind safety mechanisms cannot simultaneously bound attacker extraction and pass legitimate throughput under market stress.

Problem
Every permissionless blockchain suffers MEV/front-running. Proposed defenses claim extraction resistance, but none are systematically tested under adversarial stress. The space has no framework for auditing a mechanism's boundary conditions before deployment.
Approach
Rigorous iterated adversarial mechanism design: propose a hypothesis, simulate it (Python stdlib-only, deterministic and reproducible), subject it to adversarial review, then falsify or refine it. The output is a set of formal impossibility results, a catalog of dead ends, an audit checklist for any extraction-resistance claim, and an honest shippable spec built on existing batch-auction and threshold-encryption protocols.
Impact
The constraint framework is the product — a general design methodology for any protocol claiming extraction-resistant sequencing. Turns 'is it MEV-resistant?' from marketing copy into a falsifiable audit. A monetary-base extension applies the same safety principle as a minting rule for an engine-backed currency, where the impossibility does not bind.
Python (stdlib-only sims) · MEV research · adversarial mechanism design · formal impossibility proof · protocol security audit

AI Security Advisory

Grey Ridge Signals Group

A boutique AI-security consultancy — adversarial red-team assessments, agentic-system security reviews, and prompt-injection defense design — live at greyridgesignals.ai.

Problem
Most organizations adopt AI systems without understanding their security surface. Incumbent security firms treat AI risks as a checkbox — generic penetration tests miss agent-specific threat models, injection surfaces, and supply-chain vectors.
Approach
Advisory-altitude assessments that go deeper than a checklist: architecture reviews with threat models drawn from production AI stacks, adversarial red-team evaluations using custom injection-evaluation harnesses, and prompt-injection defense designs informed by first-principles research. Each engagement delivers a concrete findings catalog with ranked mitigations, not a scorecard. The firm's own R&D platform (Meridian, Division, Sentinel, Seal) provides direct operational insight into how autonomous adversaries think and move.
Impact
Turns AI security from a checkbox exercise into a defensible architecture — organizations understand their real attack surface, not the one a generic checklist covers. The consultancy itself is a working proof that the practitioner's own research pipeline is the strongest signal of true expertise.
AI Red Teaming · Agentic System Security · Prompt Injection Defense · Security Architecture · Cloudflare Pages

News

2026-06-21

New project — DECK: when the visualization is the scan

DECK (Digital Echo Chamber Kaleidoscope) is a new R&D project — a 3D cosmos you fly through where reconnaissance renders at the speed information arrives. Point it at a domain and that target's full vertical footprint (domain to subdomain to IP to prefix to ASN, plus nameservers and mail) materializes live as a starfield, each node igniting the millisecond its passive-OSINT probe returns. The central idea is collapsing the gap between tool and output: there is no scan-then-draw step, so probe latency itself becomes the choreography — fast data fills the space first, slow data drifts in after. It is a different axis of internet cartography from the familiar maps (Opte, Shodan, crt.sh), which each render one frozen layer of the entire internet; DECK reconstructs a single target's complete footprint, live, on demand, with zero API keys. The metaphor carries the legibility: autonomous systems become suns, prefixes planets, hosts moons, and BGP links gravitational lanes, so abstract infrastructure turns into something you navigate by eye. A 'home base' mode turns the same engine inward as a defensive instrument — it maps your own machine outward in concentric shells and treats your normal BGP neighborhood as a still-water baseline, so any live connection leaving for somewhere outside that ring reads as a wave hitting a buoy: anomalous by construction. The lineage is Gibson's Neuromancer, where the deck is the thing you jack into to see cyberspace as navigable space.

2026-06-19

Seal's provenance protocol goes language-agnostic

The Verified Prompt Envelope — Seal's Ed25519-signed authorization layer — is no longer a Python-only idea. The envelope is defined by its wire format and signature scheme rather than any one runtime, so the central claim becomes concrete: prompt provenance is a protocol, not a library feature. Native implementations now exist in Rust, Go, and TypeScript alongside Python, which means an agent written in any of them can mint, carry, and verify the same authorization. The trust boundary follows the data across every tier of a heterogeneous stack instead of stopping at whatever language the defense happened to be born in. Provenance that only works in one runtime isn't a security primitive; provenance that survives the language boundary is.

2026-06-17

Midas: designing a decision engine to survive being wrong

Most automated decision systems are built to be right. Midas is built to survive being wrong — because in capital allocation a single oversized mistake ends the game, while being right is merely pleasant. The architecture encodes that asymmetry directly: candidate theses, formed by reading primary-source filings, must clear a layered gauntlet of independent risk gates before anything acts, and 'no decision' is the default outcome rather than a failure mode. The design thesis is that the gate layer — not the prediction — is the product: a system that does nothing unless conviction and bounded downside both clear is the only kind worth letting near real capital.

Archive · 4 earlier updates

2026-06-17

Grommet concludes — three impossibility results for extraction-resistant sequencing

Grommet is an adversarial mechanism-design investigation into extraction-resistant transaction sequencing (MEV). Its terminal result is a formal impossibility: a content-blind safety mechanism cannot simultaneously bound attacker extraction and pass legitimate throughput under market stress — the two goals trade off hard. The deliverable is the constraint framework itself: it turns 'is it MEV-resistant?' from marketing copy into a falsifiable question, and ships an audit checklist any protocol making that claim should have to answer. The same safety principle has a constructive flip side — a minting rule for an engine-backed currency, the one regime where the impossibility does not bind.

2026-06-10

Seal grows to a three-axis trust layer, with Assay as the evaluator

Seal now defends all three agent-security axes — prompt provenance, injection detection, and signed memory-trust — behind a one-command install and CLI. Assay, the paired evaluator, scores a target across all three and measures the lift the defense actually adds.

2026-06-09

Live operator dashboards for Meridian & Midas

Two of the autonomous systems now ship real operator consoles — Meridian's recon → hunt → verify → report pipeline, and Midas's risk-gated decision engine with a layered safety gate. Captures are above (run on local models; targets and live data redacted).

2026-05-30

Seal: cryptographic provenance for agent prompts

Shipped the Verified Prompt Envelope — Ed25519-signed authorization that lets an agent reject unauthorized instructions by construction, turning prompt-injection defense from guesswork into key management.