Security Architecture Review

A security architecture review steps back from individual vulnerabilities and asks whether the design itself is defensible. It's the work I do when an organisation wants to understand its security posture as a system rather than as a list of bugs — and it's usually where the highest-leverage changes hide.

Reviews typically combine document analysis, interviews with the people who actually run things, and hands-on inspection of cloud accounts, network designs, identity systems, and CI/CD pipelines. I work against frameworks where they apply — NIST CSF, ISO 27001, CIS Controls, the cloud-specific well-architected guidance — but the output is grounded in your business, not a generic checklist. Risk only matters in context.

Common areas I dig into: identity and access management (this is where most cloud breaches actually start), network segmentation, secrets management, logging and detection coverage, third-party and supply chain risk, and the gap between written policy and what's actually deployed. I'll point out where you're spending money on controls that don't move the needle, and where small architectural changes would absorb a whole class of attacks before they become incidents.

For organisations that need ongoing strategic input rather than a one-off engagement, this work fits naturally into a vCISO arrangement — board-level reporting, roadmap planning, vendor reviews, and sitting in on the architecture decisions that matter before they ship. Some clients keep that going for a few months around a specific transition; others run with it long-term. Both work.