Field notes

Field notes on serious cybersecurity.

Practical, second-hand knowledge from real engagements. Written by Karan and the team.

01 · Featured
Compliance · 25 min read

SOC 2 for founders: the operating manual.

The piece we wish existed when we ran our first SOC 2. What controls auditors actually open on Day 1, which evidence packets matter, what enterprise customers ask for in the procurement cycle after the report lands.

Compliance · 12 min read

The auditor opens seven documents on Day 1.

The order matters. Get the first three right and the audit hums; get them wrong and every subsequent control gets re-asked. The seven, ranked, with what each is actually being read for.

Sales Enablement · 10 min read

How to lose a board on cybersecurity in one meeting.

Four failure patterns we have watched up close. The CRQ-in-dollars-without-context deck. The NIST-IDs-on-screen deck. The two slides that quietly land instead.

Privacy · 18 min read

DPDP Right Answers: what to actually do.

₹250 crore penalty exposure. Forty-seven pages of rules. Six pages of useful interpretation, the consent-pattern table we run with clients, and the three cross-border clauses that come up in every contract negotiation.

Regulator · 22 min read

The SEBI CSCRF reading list.

Board cyber maturity attestation, audit-committee briefing, CRQ in rupees. The reference document we hand to every SEBI-regulated CISO we work with, annotated with the three questions a SEBI inspector opens with.

02 · Recent

Thirty days before your first SOC 2 audit.

A week-by-week prep schedule from an audit we ran last quarter. What moves a control from 'exception' to 'qualified' to 'unqualified' and the Wednesday checkpoint that decides it.

16 min read

vCISO retainer red flags.

When the retainer is just billable hours dressed up. The four signals you are buying time, not a program, and the contract clauses that flip it back.

12 min read

The vendor-questionnaire trap.

How to answer a 200-row security questionnaire from a US enterprise without overcommitting. The four-sentence framing pattern we use on every one and the three rows that sink you if you misread them.

15 min read

Pentest findings that aren't.

CVSS inflation, marketing-driven scoring, and the four common 'criticals' that quietly disappear when you ask the next question. Read the report, do not just count the colours.

14 min read

MAS TRM for India-HQ fintechs entering Singapore.

Cross-border bridge content for fintechs expanding to SG. The MAS-specific framing that most India-HQ advisors do not teach, and the three Annexes that decide whether you sail through or get sent back for a second review.

20 min read

AI security questionnaires US enterprises actually ask.

We have answered hundreds. The patterns. NIST AI RMF, OWASP LLM Top 10, and ISO 42001 inside the same procurement cycle, with the four answers that almost always need a follow-up call before they unblock the deal.

18 min read

Cryptographic Right Answers: what to use in 2026.

Post-quantum has arrived; most production stacks have not noticed. A short, opinionated table you can hand to engineering tomorrow.

35 min read

We publish field notes, not marketing content.

If we have an opinion that is not load-bearing, we do not publish it.