Workflow

How I assess security work.

Six steps from scoping to retest — with the tools and work examples that connect to each one.

Security work is not just finding issues. It is scoping correctly, validating signal, understanding business risk, prioritizing what matters, and communicating fixes clearly. This is the process I follow.

01
Scope the environment

Understand what exists, who owns it, what data is involved, what systems matter, and what should not be touched. Scoping sets the boundary for everything that follows — without it, a review produces findings without context.

02
Map the exposure

Look at what an attacker, vendor, user, or misconfigured integration can actually reach — from the outside first, then the inside. Most actionable findings come from understanding the realistic attack path, not the theoretical one.

03
Validate the signal

Separate real risk from scanner noise, stale findings, false positives, and theoretical issues that don't apply to the specific environment. Validation is where most of the actual judgment lives — this step determines what makes it into a report.

04
Prioritize the fix

Rank issues by exploitability, blast radius, business impact, compensating controls, and remediation effort. A CVSS score is not a priority. Prioritization requires understanding the environment well enough to know which findings, if left open, create the most realistic path to serious damage.

05
Communicate clearly

Turn technical findings into plain-English risk descriptions, owner-ready remediation steps, and executive-level summaries. Technical depth is there when needed — plain language is the default. The goal is findings that the responsible person can understand and act on without a translation meeting.

06
Retest and improve

Confirm fixes, document what changed, and identify what should become a repeatable control or monitoring alert. A security review without a retest is a recommendation without verification. Retesting also surfaces partial fixes and regressions.
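As an added example that is not part of this page, here is one way to encode steps 03 and 04 in code: findings that validation marks as not applicable are dropped, and the rest are ordered by realistic risk per unit of remediation effort rather than by CVSS. The weights, the scoring formula and the sample findings are all assumptions made for illustration.

```python
"""Rank findings by realistic risk rather than raw CVSS (illustrative example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    title: str
    cvss: float                   # scanner/vendor score, kept for reference only
    exploitability: float         # 0..1: how realistic exploitation is on this path
    blast_radius: float           # 0..1: share of systems/data reachable if exploited
    business_impact: float        # 0..1: consequence to the business if exploited
    compensating_controls: float  # 0..1: how much existing controls reduce the risk
    remediation_effort: float     # 0..1: relative cost to fix
    applicable: bool = True       # False when validation shows it does not apply here


def risk_score(f: Finding) -> float:
    """Realistic risk: likelihood x impact, discounted by compensating controls."""
    likelihood = f.exploitability
    impact = 0.5 * f.blast_radius + 0.5 * f.business_impact
    return round(likelihood * impact * (1.0 - f.compensating_controls), 3)


def priority(f: Finding) -> float:
    """Fix-order score: risk per unit of effort, so cheap high-risk fixes come first."""
    return round(risk_score(f) / (0.25 + f.remediation_effort), 3)


def prioritize(findings):
    """Step 03 (drop what does not apply) followed by step 04 (rank what remains)."""
    validated = [f for f in findings if f.applicable]
    return sorted(validated, key=priority, reverse=True)


def rank_report(findings):
    """(title, cvss, priority) per finding, showing where CVSS order and fix order differ."""
    return [(f.title, f.cvss, priority(f)) for f in prioritize(findings)]


# Constructed sample findings; the values are assumed, not from a real assessment.
SAMPLE = [
    Finding("Critical RCE on isolated build agent", cvss=9.8, exploitability=0.2,
            blast_radius=0.1, business_impact=0.3, compensating_controls=0.6,
            remediation_effort=0.7),
    Finding("IDOR on customer invoice API", cvss=6.5, exploitability=0.9,
            blast_radius=0.6, business_impact=0.9, compensating_controls=0.0,
            remediation_effort=0.2),
    Finding("Outdated TLS on decommissioned host", cvss=7.5, exploitability=0.5,
            blast_radius=0.2, business_impact=0.2, compensating_controls=0.0,
            remediation_effort=0.1, applicable=False),
]
```

With these inputs the CVSS 6.5 finding ranks first, the CVSS 9.8 finding second, and the decommissioned host never reaches the report.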

See the work

Work patterns that follow this methodology.

Each case pattern on the work page maps to one or more steps in this workflow.

Try the tools

Lab tools for each workflow step.

Each tool in the Security Lab is linked to a step in the workflow above.
