Security engineering, AI-native tooling, civic data. Based in Exeter.
I build security tools that reason about code instead of pattern-matching it, and civic infrastructure that puts public data where the public can use it. Most of my time goes to Arbiter Security, a two-product platform for finding real vulnerabilities in web applications and binaries. The rest goes to open source and to projects I think the country needs and nobody else is building.
AI-native offensive security tools, built in Rust.
Two closed-source products exposed as MCP servers for AI agents. Arbiter infers how a web application works, finds where it breaks across 52 vulnerability classes, and verifies every exploit in a real browser. Aletheia loads PE/ELF/Mach-O binaries, lifts to SSA-form IR, decompiles to typed C, and finds vulnerabilities across 14 CWE classes with concolic falsification and machine-checkable proofs.
A live dashboard of UK economic constraint.
Open-source civic data project commissioned by Looking For Growth. Markets, fiscal headroom, labour resilience, and growth delivery rolled into a single 0–100 score, recomputed nightly from primary sources (OBR, ONS, BoE, DMO). Every figure is sourced; the methodology and the codebase are public.
Code intelligence, sandboxing, and a self-evolving agent runtime.
Narsil-MCP is a 90-tool code-intelligence MCP server with taint analysis and SBOM generation, published on crates.io, Homebrew, and npm. Forgemax is an open-source V8 sandbox for secure LLM-to-MCP tool execution, scaling to ~5,000 tool connections without context pollution. Krait is a self-evolving AI agent in Elixir/OTP and Rust with AST-based security validation.