The work.

Selected projects and engagements. Each one started with a problem that needed solving and ended with a system that solved it.

Secure Architecture

Active Directory Tiering & Least Privilege Implementation

Problem

A defence organisation was running a flat Active Directory structure with no administrative tiering. Domain Admins had the same credentials across workstations, servers, and domain controllers — a lateral movement risk that any competent attacker would exploit in minutes.

Approach

Designed and implemented a full NCSC-aligned AD tiering model. Tier 0, 1, and 2 separation with dedicated admin workstations, tiered service accounts, and granular Group Policy enforcement. Stripped back every privilege to the minimum required. Built the whole model around NCSC best practice for least privilege, with CIS benchmarks applied to every tier from day one.

Outcome

Complete privilege separation across all tiers. Lateral movement paths eliminated. Passed internal security review with zero findings — a first for the programme.

Secure Architecture

CIS Benchmark Policy Across Legacy Estate

Problem

A government department had hundreds of servers running with default configurations — some dating back to the original Server 2012 builds. No baseline hardening had ever been applied. Every audit flagged the same issues, and every audit was followed by the same inaction.

Approach

Conducted a full estate audit and mapped every server against the relevant CIS benchmark. Built automated Group Policy and DSC configurations to enforce CIS Level 1 and Level 2 baselines across the environment. Applied at inception for new builds and retrofitted to the existing estate in controlled waves, with rollback capability at every stage.

Outcome

Full CIS benchmark compliance across the estate. Audit findings reduced from 200+ to zero. New servers now deploy pre-hardened — security is baked in, not bolted on afterwards.

Secure Architecture

Server 2012 to 2022/2025 Estate Upgrade

Problem

An organisation was still running critical workloads on Server 2012 R2 — end of extended support, unpatched, and increasingly incompatible with modern security tooling. Previous upgrade attempts had stalled because nobody had mapped the dependencies or planned the migration path.

Approach

Mapped every workload, dependency, and integration across the Server 2012 estate. Designed an upgrade path from 2012 through to Server 2022 and 2025 where appropriate, with AD functional level raises planned at each stage. Rebuilt services on clean installs rather than in-place upgrades — every new server deployed with CIS baselines and NCSC-aligned configurations from the start.

Outcome

Full estate migrated off end-of-life platforms. All servers running Server 2022 or 2025 with hardened baselines. Zero service disruption during migration. The environment is now supportable, patchable, and secure.

Private AI

Private AI for Sensitive Document Processing

Problem

A professional services firm needed AI-powered document analysis but couldn't send client data to external APIs. Compliance requirements made cloud AI a non-starter.

Approach

Designed and deployed a fully self-hosted AI stack. Local LLM inference, custom document ingestion pipeline, role-based access controls, and a clean internal interface. All running on the client's own hardware within their security perimeter.

Outcome

Document processing time reduced by 70%. Zero data leaves the network. The system now handles thousands of documents weekly with no manual intervention.

Automation

AI Agent System for User Onboarding & Provisioning

Problem

An IT team was spending hours every week on new starter provisioning — creating AD accounts, assigning groups, provisioning mailboxes, setting up MFA, and configuring application access. Every step was manual, and every step was a chance to miss something or get it wrong.

Approach

Built a multi-agent system (MAS) where specialised AI agents handle each stage of the onboarding workflow. One agent processes the new starter request, another provisions the AD account with the correct OU and group memberships, another handles Exchange and licensing, and an orchestrator agent coordinates the sequence and handles exceptions. The entire pipeline runs autonomously — a human submits the request, AI agents do everything else.

Outcome

User onboarding reduced from 2–3 hours of manual work to under 5 minutes of autonomous execution. Zero provisioning errors in the first three months. IT team reclaimed over 15 hours per week.

Automation

AI-Driven Compliance Monitoring & Reporting

Problem

A regulated organisation was producing monthly compliance reports manually — pulling data from six systems, cross-referencing in spreadsheets, and formatting by hand. It took a full week every month, and the manual process had already missed findings that became audit issues.

Approach

Designed a multi-agent system where individual AI agents are responsible for each data source — ingesting, validating, and normalising the data autonomously. An analysis agent cross-references the outputs, flags anomalies, and generates the formatted compliance report. A review agent checks the final output against regulatory requirements before delivery. The entire pipeline runs on schedule with no human involvement unless an exception is escalated.

Outcome

Monthly reporting reduced from five days to fifteen minutes of autonomous agent execution. The AI agents caught two compliance issues in the first quarter that manual review had missed for over a year.

Consultancy

Critical Infrastructure Recovery

Problem

An organisation had lost its lead engineer mid-project. Systems were partially built, undocumented, and the team couldn't move forward without senior technical leadership.

Approach

Embedded within a week. Audited the existing environment, documented the architecture, identified the critical blockers, and took ownership of delivery. Rebuilt the team's confidence alongside the system.

Outcome

Project delivered on the original timeline. Full documentation handed over. The client's internal team was upskilled to maintain and extend the system independently.