I didn't start in security. I started in a server room.
For five years I was a systems administrator at the Belgian Federal Police — PowerShell, Active Directory, SCCM, the unglamorous plumbing that keeps an organisation running. It taught me how real systems actually break, and that nobody thanks you when they don't. I also learned how government infrastructure really works — and how a political decision, made far from any server, can decide whether technology moves forward or stays frozen. Deep in that on-prem world, I started to hear the cloud calling from somewhere further out.
So I answered. At BePark I saw what the cloud gives a startup: speed. The freedom to ship value to customers fast, to scale almost without limit, with little or no CapEx to slow you down. But that same speed taught me something else — that speed and security rarely make easy friends. At Partenamut I crossed from running infrastructure to securing it: least-privilege IAM, multi-account AWS landing zones, incident-response playbooks, STRIDE threat models on production workloads. Somewhere in there, "the person who keeps the lights on" became "the person who makes sure no one else can switch them off."
From on-prem to cloud, from cloud to security, from security to AI. From Brussels to Málaga. One story, written in fast decisions — grounded in curiosity, a stubborn pull toward innovation, and respect for technical craft.
Today that path runs straight into the deep end of cloud, security, and AI at once. My days are the problems that didn't exist five years ago: how do you authorise an agent's tool use, scope its blast radius, contain an indirect prompt injection buried in a web page it was only meant to read?
I explore all three sides of that question. Red-teaming — breaking agentic systems to see how a deployed agent can be turned loose inside the cloud it runs in, and benchmarking how capable frontier models are getting at offensive security. Blue-teaming — turning what breaks into detections, guardrails, and defences that hold up under pressure. And GRC — mapping the whole picture to real frameworks like the EU AI Act, so what we ship can be trusted, not just shipped. The fastest way to learn to defend something is to break it first; the craft is proving the defence and making it governable.
I'm a builder by default — I learn things by shipping them.
Based in Málaga · native English & French, professional Spanish. Always up for a coffee, even a virtual one.