peter bassill · operator
peter@hardened:~$ whoami

Peter
Bassill.

British cyber security Non-Executive Director and board advisor — the CEO who still writes the code, the advisor who has actually carried the pager. Cyber, IT and AI risk explained to the board in plain English, by someone who has operated all three. Kernel to chair, in the same conversation.

NED & advisor · cyber · IT · AI CEO · UK Cyber Defence CREST · European Council · IR Pan Europe 29 years · in cyber since 1996 Status · open to NED & advisory
$ cat /var/log/now
00 / Now

What's on the desk this week.

No smoke. The brief says transparency, so here is the actual state of things. Updated when something changes, not when a content calendar says so.

RUNNING
UK Cyber Defence, year one.
The firm I founded as Hedgehog Security in 2009, rebranded UK Cyber Defence in 2025 — same people, same mission. The arguments now are about what we stop doing, not what we start.
WRITING
The Small Business Cyber Strategy.
A four-part plan for UK SMEs, aligned to Cyber Essentials, Cyber Essentials Plus and ISO 27001. Just shipped, in the writing.
READING
Post-quantum cryptography, at the source.
NIST, the NCSC and the Nature papers rather than the trade-press version. The write-up is here.
SHIPPING
A PHP rewrite of an old triage tool.
Yes, PHP. No, I won't apologise for it. Ubuntu, Apache, MySQL, fail2ban.

LAST UPDATED — 2026-07-11 · drift since update: 8 days

$ man peter.bassill
01 / About

Operator. At the board. Both at once.

Most people pick a side: the hands or the room. I've spent twenty-eight years refusing to.

I run a small British cyber defence company. I still write the production PHP, harden the Ubuntu boxes, and configure the Apache and MySQL myself. I also sit on the CREST European Council and CREST IR Pan Europe, where the people in the room have read the same incident reports I have, and we argue about what to do next.

The combination is rarer than it sounds. Most CEOs at this end of the industry have stopped touching the consoles. Most engineers good enough to run the consoles haven't sat in a regulator's office. I do both, deliberately, because the gap between those rooms is where most cyber security goes wrong.

If you're a board chair, I can brief you in plain English on Tuesday. If you're a CISO, I can argue with you about detection engineering on Wednesday. If you're a tier-three responder, I can stand at the back of the bridge on Thursday and not get in your way. The brand is just the shape of that.

2026CREST · IR Pan Europe (advisory)third year on the body.
2025CEO · UK Cyber DefenceHedgehog Security, rebranded UK Cyber Defence.
2023CREST · IR Pan Europe (joined)incident response, Europe-wide remit.
2022CREST · European Council (joined)the accrediting body for much of the industry.
Hedgehog Security · Founder / CEOtwenty years on the consoles before this.
1998First production box, first pagera Sun box in a basement.
$ ls -l /etc/roles
02 / Work

Three positions. One job.

An executive role, two advisory ones. They share an audience and a remit: keep European cyber defence honest, and keep practitioners in the room.

EXECUTIVE

Chief Executive Officer

UK Cyber Defence

Day-to-day operator of a British cyber defence firm — the company I founded as Hedgehog Security in 2009 and rebranded UK Cyber Defence in 2025. Strategy, delivery, and yes — still the one writing the more interesting bits of the platform.

SINCE — 2025·11
ADVISORY

European Council Member

CREST

One of the seats on the European Council of the body that accredits much of the industry. Policy, standards, and arguing on behalf of operators who'd rather be on the console than in the room.

SINCE — 2022
ADVISORY

IR Pan Europe

CREST

Working with the pan-European incident response scheme — the shape of how IR is practised, accredited, and held to a standard across borders. Less ribbon-cutting; more rota and runbook.

SINCE — 2023

what I do for boards — NED & advisory  ·  the credentials, in full  ·  writing for boards

$ ls writing/ -t | head
03 / Writing

Some things I've written down.

Notes from the desk, not thought leadership. Specifics over slogans.

2026·07·19 Buying the breach: cyber due diligence, a board read In a deal you don't just buy revenue — you buy the unpatched servers, the undisclosed incidents, and whoever is already inside the network. A board read on cyber due diligence: what's at stake, what to ask before signing, and why a court just put a PE sponsor on the hook. 10 min 2026·07·19 DORA, a board read: the rulebook that followed you home The UK left the EU. DORA did not leave the UK. A plain-English board read on the Digital Operational Resilience Act — who it reaches on this side of the Channel, why Article 5 puts it on your desk personally, and what a director should be able to evidence. 10 min 2026·07·19 So what do I actually do? Seven parts on why the government's plan to protect children online will leak. So here is the other side of the ledger: the evidence-based, do-it-this-weekend guide to protecting your own child — ordered by what genuinely works, not what merely feels reassuring. 15 min 2026·07·18 A curfew you can switch off The government's midnight social media curfew for 16 and 17-year-olds is a default, not a control — and after 29 years of telling boards the difference, I can't un-see it. Part 1 of a series on what happens when good intentions meet the technical reality of the teenage internet. 7 min 2026·07·18 The AI security starter kit for small business Seven free documents that take a small firm from "people are quietly using ChatGPT" to governed, defended and drilled in ninety days. A roadmap, a wall chart, a two-page policy, an agents & MCP guide, a board briefing, a self-assessment and a DPIA guide. No email gate. 5 min 2026·07·18 Lessons from the age gate we already built We don't have to predict how a national age-verification scheme performs. We switched one on last July for pornography, and a year of data is in. Part 6: what the porn age gate actually did — who it stopped, where the traffic went, and the identity honeypot it built along the way 9 min

all posts  ·  subscribe by email  ·  rss

$ cat talks.tsv
04 / Talks

Where I've spoken. Where I'm speaking next.

I keep this list short on purpose. I'd rather give one good talk a quarter than four mediocre ones.

$ contact --advisory

If you need someone who's actually done the thing.

I take on a small number of advisory engagements at any given time — board briefings, IR-readiness work, the occasional NED conversation. Not retainers I won't use. Not panels I haven't read for.

replies within 2 working days · en_GB · pgp on request · no agency intros
$ finger peter
05 / Contact

Direct channels.

No contact form funnels, no calendly. If you'd write to a colleague, write the same way to me — or use the form below.

Email is fastest. If your message includes who you are, what you'd like, and a rough sense of when, you will get a useful answer within two working days.

EMAILcomms [at] peterbassill {dot} com
GITHUB@pbassill
CRESTEuropean Council · IR Pan Europe
LOCATIONUnited Kingdom · en_GB
no tracking · no third parties · stored only in my inbox