Field notes

Field notes on serious cybersecurity.

Long-form pieces, technical reference material, and the occasional rant. Written by Karan and the team.

01 · Featured
Compliance · 25 min read

SOC2 for founders: the operating manual.

The piece we wish existed when we ran our first SOC2. What controls actually matter, what auditors actually want, what enterprise customers actually ask for after the report lands.

Privacy · 18 min read

DPDP Right Answers: what to actually do.

₹250 crore penalty exposure. 47 pages of rules. Six pages of useful interpretation. We have the six pages.

Regulator · 22 min read

The SEBI CSCRF Reading List.

Board cyber maturity attestation, audit committee briefing, CRQ in rupees. The reference document we hand to every SEBI CISO we work with.

02 · Recent

MAS TRM for India-HQ fintechs entering Singapore.

Cross-border bridge content for fintechs expanding to SG. The MAS-specific framing that most advisors rarely teach.

20 min read

AI security questionnaires US enterprises actually ask.

We have answered hundreds. Here are the patterns. NIST AI RMF, OWASP LLM Top 10, ISO 42001 in the same procurement cycle.

18 min read

Cryptographic Right Answers: what to use in 2026.

Post-quantum has arrived. Most production stacks have not noticed.

35 min read

We publish field notes, not marketing content.

If we have an opinion that is not load-bearing, we do not publish it.