Public previews of recent work across security, agentic AI, custom builds,
and data infrastructure. Full challenge / approach / outcome writeups are
gated —
or use the unlock control.
Public preview only
SecurityWealth Management
Salesforce Permission-Set Pentest
A 1,200-user FSC org with 8 years of permission sprawl. We mapped every permission-set assignment, third-party app scope, and sharing-rule edge case.
78Dormant permission sets revoked
Challenge
Eight years of unchecked permission-set growth had left the org with 234 permission sets, 78 of which had zero current assignments — but were still assignable. A third-party connected app held read access to 14 fields outside its documented scope. Sharing rules combined under one specific edge case to leak wealth-profile data across what should have been an opaque partition.
Approach
Two-week engagement following our Probe playbook: enumerate every permission set + assignment, OAuth scope review on every connected app, sharing-rule graph traversal to find leakage paths, FlexiPage visibility-rule audit. Findings ranked CVSS + business-impact, with a remediation engineer paired against each high-severity item.
Outcome
78 dormant permission sets revoked, 2 connected apps had OAuth scopes tightened, 1 sharing rule rewritten to close the partition leak. Internal attack-surface score reduced 41%. Zero functionality lost; zero user complaints. Org now holds less ammunition.
Five AI agents, four MCP servers, twelve tool surfaces. We mapped what each agent could actually reach versus what the policy said it could.
4.2xReviewer-queue throughput gain
Challenge
A fast-moving fintech had stood up five agents on a shared MCP server with broad tool grants. The fraud-detection agent had read access to commission tables it had no business touching. The scheduling agent could trigger writes through a tool the team had forgotten about. No replay log existed.
Approach
One-week Conduit engagement: tool-surface enumeration across all MCP servers, per-agent permission scoping recommendations, prompt-injection adversarial pass, replay audit of last 30 days of agent trajectories. We rewrote the MCP server config to scope each agent to its minimum tool set.
Outcome
Each of the 5 agents now has its own MCP namespace with the minimum tool grants its job requires. Reviewer queue shrank as type-safe responses eliminated false-positive escalations. Throughput up 4.2x. Auditors verified the boundary by reading the typed schemas.
PydanticAIMCPA2APrompt-injection testing
Custom BuildHealthcare Network
Custom SIEM + SOC Reporting
A native SIEM built around the client's stack — not a bolt-on. Auto-emits SOC 2, HIPAA, and GDPR evidence on every deploy.
11→2Compliance analysts → engineering hours
Challenge
A regional healthcare network was burning eleven analysts a quarter assembling SOC 2 + HIPAA evidence packages. Their commercial SIEM produced reports the auditors didn't accept; everything was being re-derived by hand from raw logs in spreadsheets.
Approach
90-day Ledger build: architecture against the client's data sources (cloud + on-prem), detection ruleset tailored to their HIPAA threat model, automated control validation that runs on every deploy, dashboards for SOC + executive view, 90-day handoff with paired engineering.
Outcome
Manual compliance burden cut from 11 analysts to 2 (those 2 now do meta-review of automated output instead of compiling it). Continuous SOC 2 control validation runs on every deploy. Audit prep time dropped from 6 weeks to 3 days.
Custom SIEMHIPAASOC 2OpenSearchCloud Run
DataFintech
Snowflake RBAC Hardening
A four-year-old Snowflake account with 38 functional roles, 12 service accounts, and three quietly over-permissioned BI tools.
−63%Role-graph traversal depth
Challenge
Functional roles had been bleeding into account roles; the BI service account could read tables it never queried; default warehouses had USAGE granted to PUBLIC. Everything technically worked — and that was the problem.
Approach
Two-week Lattice audit: walked the role graph from sysadmin downward, documented every grant and the request that justified it, ran an anomaly hunt across 90 days of query history, mapped lineage for every sensitive join.
Outcome
14 role inheritances flattened, 23 unjustified grants revoked, 3 BI service accounts rescoped to the datasets they actually surface. Role-graph traversal depth from PUBLIC to sensitive tables reduced 63%.
SnowflakeSigmaRBAC reviewLineage tracing
Custom BuildLogistics
Zoho Creator Field-Service Portal
A custom Creator portal where field reps log site visits offline, then sync to Books for invoicing on reconnect.
2.1dAvg. invoice-cycle reduction
Challenge
Field reps were filling paper forms, photographing them, and emailing the photos to back-office staff who re-keyed everything into Zoho Books. Errors compounded; invoices took 4-6 days to issue from completion of work.
Approach
Four-week Forge sprint: spec workshop with two field reps + the Books admin, three engineering weeks building a Zoho Creator portal with offline-capable forms, Deluge bridge to Books with deduplication and approval routing, security review by our pentest team before deploy.
Outcome
Average invoice-cycle time dropped from 4-6 days to 1-2 days. Field rep adoption: 89% in week 1. Zero data loss in 6 months of operation. Code reviewed against the same security bar as a Probe engagement.
Zoho CreatorZoho BooksDelugeOffline-first design
Agentic AIFintech
Type-Safe Fraud Triage Agent
An agentic workflow that reads a transaction, queries 4 data sources via MCP, and produces a typed fraud verdict with full audit trail.
0.4sMedian p50 verdict latency
Challenge
A fintech's fraud reviewer queue was overwhelming the team. Existing rules engine missed novel patterns; existing chatbot proof-of-concept couldn't justify its decisions. They needed something auditable.
Approach
Built a type-safe agent on PydanticAI with MCP-mediated access to four data sources (transaction history, KYC, sanctions, device fingerprint). Every tool call is typed and replayable; every verdict is justified with the source data the agent actually used.
Outcome
Reviewer queue cut by 71% — agent handles 73% of transactions autonomously, escalates 27% with full justification. Median verdict latency 0.4s. Auditors approved the system because they could read the typed schemas and replay any decision.
PydanticAIMCPA2AReplay audit
Take the next step
Innovate without technical debt.
A one-hour discovery call. We map your stack, surface the bleed, and tell you exactly what
Stop-Drop-Roll-Out would touch first. No deck. No sales engineer.
