cat ./about

About.

I'm a security architect based in Bengaluru. Thirteen years in, the work I find interesting is the part where the model breaks: agent reasoning over untrusted text, ML pipelines no one threat-modeled, infrastructure that wasn't built to be defended. The rest is craft.

The career path was unromantic. Started in 2012 with infrastructure and security work, moved through consulting at Tanishi, Acquisory, and Mahindra Special Services Group through the 2010s, then spent three years at Prudent Insurance Brokers as Senior Manager, building their vulnerability management and AppSec programs from scratch. Picked up a Data Science M.Tech at BITS Pilani somewhere in there, which lets me read the ML math behind the security headlines. Now leading security architecture work where banking, AI systems, and the awkward boundary between them intersect.

What I believe: most security frameworks were written before LLMs and assume code and data are separable. That assumption no longer holds for systems built around language models. The methodology I work from starts there.

Timeline.

Thirteen years on a single line, with the boring parts deliberately left in.

  1. 2024 – Present

    Lead Security Architect

    Banking · Insurance · AI Systems

    Architecture reviews across application security, DevSecOps, cloud security, ML security, core banking. Threat modeling for agentic AI is where most of the recent work sits.

    • architecture
    • ai security
    • core banking
  2. 2021 – 2024

    Senior Manager, Security

    Prudent Insurance Brokers

    Built and ran vulnerability management and application security end to end for a regulated insurance practice. Secure SDLC, remediation governance, the boring program work that compounds.

    • vuln mgmt
    • appsec
    • program build
  3. 2014 – 2021

    Senior Associate Consultant

    Tanishi · Acquisory Risk Consulting · Mahindra SSG

    Hands-on pentesting, threat modeling, secure code review. Financial services, telecom, large-enterprise clients. The decade that taught me what the work actually is.

    • pentesting
    • code review
    • threat modeling
  4. 2012 – 2014

    Earlier security and infrastructure roles

    Foundation years

    Where I learned that most security problems are not security problems. They're architecture problems with a security blast radius.

    • infrastructure
    • fundamentals
  5. Education

    M.Tech, Data Science

    BITS Pilani

    The math literacy that lets me read the ML papers behind the security headlines, and find the gap between what the paper says and what practitioners ship.

    • ml foundation

What I keep coming back to.

Five threads that show up across the writing, the lab work, and the day job.

Threat modeling that survives LLMs

STRIDE assumes code and data separate cleanly. They don't, for agentic systems. The five-zone method I use covers what STRIDE can't see.

Red teaming as a discipline

Not "running tools." A method for finding the chain of legitimate actions that becomes a catastrophe. Applies to apps. Applies more to agents.

ML security, not "AI safety"

MAESTRO and the OWASP Agentic Top 10 are the practitioner's frameworks. Most of the field is still arguing about taxonomy while EchoLeak ships in production.

Program work is the real work

Vulnerability management, secure SDLC, the boring metrics that actually move the needle. Glamour-free, load-bearing.

The boundary between math and craft

A Data Science M.Tech doesn't make you a security person, and a decade of pentesting doesn't make you literate in ML. The interesting work is where both are needed.
