Authentication abuse & edge controls
Rate limits, WAF signals, silent challenges, replay risk, detection paths, and customer-invisible controls.
Security Platform / Production Systems Engineer
I work on production systems where failure modes, blast radius, observability and abuse resistance matter.
Currently Senior Software Engineer at Monzo, working around authentication abuse controls, cloud identity, edge signals, SIEM visibility and safer rollout patterns. Previously AWS Networking and Skyscanner platform engineering.
Based in Scotland.
I'm most useful in the messy space between security, infrastructure and production engineering: turning ambiguous risks into controls that are observable, testable and safe to operate.
Short-lived credentials, workload identity, standing-secret removal, scoped access, and blast-radius reduction.
Observability, rollout safety, failure modes, incident-shaped thinking, and boring day-two operation.
Designing controls that fail safely, produce useful signal, and do not collapse under the load they exist to handle.
Worked on login-enumeration defences, including distributed rate-limit tuning, limiter prewarming, and dynamic per-client limit design validated against production traffic.
Evaluated silent challenge options, built a fail-open AWS WAF PoC, propagated token verdicts downstream, and designed mitigations for replayable challenge tokens.
Migrated services from static GCP/GCS credentials to short-lived Security Token Exchange credentials, including workload identity and Terraform IAM changes.
Improved protected-config diff readability for multi-party auth reviews, making sensitive changes easier to review correctly.
If you want to talk about platform security, production controls, or incident-shaped engineering, the contact page has the least noisy routes.
This is what I bring from platform and security engineering: fast ambiguity reduction, adversarial thinking before rollout, production controls that fail safely, and systems that are observable enough to learn from real abuse rather than merely block it.