About

Peter Bassill

United Kingdom · works to UTC

What I do

I help organisations build cyber defence that holds up in the real world. My work spans detection engineering, incident response, threat-led testing, and the harder problem behind all three: making security functions operate well under pressure.

I'm based in the United Kingdom and work to UTC. Most engagements are remote, with on-site time when it materially helps.

How I think about defence

The defender's job is harder than the attacker's, and the gap between "we did the security thing" and "we'd actually catch this" is where most incidents are born. I'm interested in the second.

A few practical biases that show up in everything I do:

  • Assume compromise, then design backwards. A control that only works against the threat model you wrote down isn't a control — it's a hope.
  • Adversary-centric, not control-centric. Mapping to ATT&CK is a starting point, not the destination. The destination is being able to defeat a specific set of plausible adversaries on your estate.
  • Telemetry first, tooling second. Bad telemetry makes good tools useless. Good telemetry makes mediocre tools dangerous.
  • People are the system. Detections that depend on heroics get gamed; runbooks that nobody can find get ignored. The human factor is part of the engineering, not a problem to wish away.

Areas of focus

Detection engineering. Designing, tuning, and validating detections across SIEM, EDR, and network telemetry. Test-driven detection: every rule ships with the data it should fire on, the data it shouldn't, and a measurable false-positive budget. ATT&CK coverage as a map, not a scoreboard.
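As an added illustration of the test-driven detection described above (example code written for this page, not the author's own tooling), here is one rule shipped with the events it should fire on, the events it should not, and a false-positive budget that the evaluation enforces. The events are constructed samples, and the rule logic, field names and budget value are assumptions for the example.

```python
import re

# Constructed sample events (not real telemetry): process-creation records of
# the kind an EDR or SIEM emits, reduced to the two fields this rule reads.
SHOULD_FIRE = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": r"pwsh -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA"},
]
SHOULD_NOT_FIRE = [
    # Same host binary, different switch that also starts with -E.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # The flag text appears, but not in a PowerShell host and with no payload.
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo -enc is a powershell flag"},
    # Base64-looking argument that is not attached to the encoded-command switch.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\rotate.ps1 -Token dGhpcyBpcyBhIHRlc3QgdG9rZW4="},
]

# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def detect_encoded_powershell(event: dict) -> bool:
    """Fire when a PowerShell host is launched with an encoded command payload."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return False
    return ENC_FLAG.search(event["cmdline"]) is not None


def evaluate_rule(rule, should_fire, should_not_fire, fp_budget: float) -> dict:
    """Test-driven check: every positive must fire, and the share of negatives
    that fire must stay within the rule's false-positive budget (0.0 = none)."""
    missed = [e for e in should_fire if not rule(e)]
    false_positives = [e for e in should_not_fire if rule(e)]
    fp_rate = len(false_positives) / len(should_not_fire) if should_not_fire else 0.0
    return {
        "missed": len(missed),
        "false_positives": len(false_positives),
        "fp_rate": fp_rate,
        "passed": not missed and fp_rate <= fp_budget,
    }


if __name__ == "__main__":
    # A rule that fails this gate does not ship.
    print(evaluate_rule(detect_encoded_powershell, SHOULD_FIRE, SHOULD_NOT_FIRE, fp_budget=0.0))
```

In a real programme the positive and negative sets grow with every tuning decision, so the gate catches regressions when the rule is later changed.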

Incident response. Leading active response, triage, containment, eradication, and the post-incident review that decides whether the next one goes better. Forensic readiness reviews to find the gaps before they're billable.

Threat-led testing. Adversary emulation aligned to a real threat profile rather than generic red-team theatrics. Purple teaming as a forcing function — not a one-off exercise but a way of permanently raising the floor.

Strategy and architecture. Threat modelling for systems and organisations, security architecture review across cloud and on-prem, and programme-level work to stand up or mature defensive functions. Enough time leading SOCs to know what makes them work and what makes them quietly miserable.

Hardened engineering. Building and operating defensible infrastructure end-to-end — Linux hardening, web stacks (PHP / MySQL / Redis on Apache), TLS, identity, secrets, and the boring middleware that keeps everything honest. This site is an example: PHP, hardened Apache, three-mode theming, Argon2id with TOTP-protected admin, full Content Security Policy, strict transport, audited admin actions. The posture is the product.

How I work

Engagements typically take one of these shapes, but I'll tailor to what fits:

  • Strategic advisory. Short, focused engagements to unblock a decision or stress-test a plan. Useful when the question is "should we do X" or "is what we're already doing actually working".
  • Programme leadership. Multi-month work to design, build, or turn around a defensive function — detection programmes, incident response readiness, threat-led testing programmes, SOC stand-ups.
  • Incident response retainers. On-call when it matters. Fast triage, coordinated response, and an honest post-incident review.
  • Training and uplift. Detection engineering, threat modelling, and incident response — taught using your tooling, not generic slides.

Engagements start with a no-cost scoping call. If we're not a good fit, I'll say so.

Beyond the day job

I run a couple of things outside client work:

  • Covert Cyber Deck — a portable cyber operations workstation built around a custom carrier PCB and modular schematic. Half hardware project, half opinion about what a defender's go-bag should actually contain.
  • IP Insights — a web service that surfaces practical, defender-focused intelligence on IP addresses and the networks behind them. Built for the moments when "what is this thing?" needs an answer in seconds, not hours.

Get in touch

The fastest route is the contact form — hardened, rate-limited, and lands in my inbox as quickly as email. Or reach me directly at consulting@peterbassill.com.

If your message is sensitive, ask for a PGP key on first reply.