Saqlain Momin

I see risk at the enterprise level, and I build the tools to close the gaps I find.

Four years building controls at enterprise scale — I know why a control exists, who owns it, and what breaks when it doesn’t.

ISO 27001 · ISO 27701 · ISO 22301 — Lead Auditor

The argument

The window is closing.

Defenders run on human cycles. Quarterly scans, annual pentests, patch SLAs measured in weeks. Attackers now run on machine cycles. The gap between the two is the story of my work.

Chart: from a shared starting point a decade ago, a human security cycle rises gently and roughly linearly, while a machine-speed iteration curve bends into exponential growth, opening a widening gap between the two.

Two timelines, same starting point.

A decade ago, defenders and attackers moved at roughly the same pace. Both bounded by human effort, human review, human salaries.

Then one of them stopped being human.

AI task autonomy is doubling every 89 days. Vulnerability discovery windows collapse from months to minutes.

source / METR task-horizon data

The defender's line barely moves.

Frameworks lag reality by three to five years. ISO 27001 was updated in 2022, a decade overdue. NIST CSF only added Govern in 2024.

source / ISO 27001:2022, NIST CSF 2.0

This shaded gap is the risk.

Every defensive delay is now measured against autonomous iteration. The structural disadvantage compounds daily. This is the space I build into.

89 days

The time it takes for AI task autonomy to double. Your patch cycle did not get twice as fast this quarter.

METR

97M

Downloads weaponised in a single PyPI supply-chain attack. It was caught only because it had a bug that crashed machines. That is luck, not a control.

PyPI transitive dependency attack

3-5 yrs

How far compliance frameworks lag the threats they are meant to govern. The standards exist. The migration does not.

ISO 27001:2022 / NIST CSF 2.0 / post-quantum

The work

The response.

Four years auditing controls at enterprise scale taught me where they fail. I build into the lag instead of writing about it.

full-scope audit platform

Built for the way an auditor actually works — not the way software vendors assume they do.

CyberAssess reads the evidence before it asks a single question. Every uploaded document is reviewed first — the tool arrives with a picture of what’s already answered, what’s partial, and what’s missing. Questions then adapt to what actually requires human judgement. Controls that map to multiple frameworks are assessed once, not once per standard. The result is end-to-end coverage across an organisation’s compliance landscape without the time it would normally cost.
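An added sketch of the evidence-first, assess-once idea described above; this is illustrative code, not CyberAssess itself. The control catalogue, the framework crosswalk and the evidence statuses are constructed for the example, so the mappings should be treated as illustrative rather than a vetted crosswalk.

```python
# Added illustration (not CyberAssess code): evidence-first, cross-framework
# control assessment. Catalogue, mappings and evidence statuses are constructed.
from collections import defaultdict

# Constructed control catalogue: each control maps to one or more frameworks.
CONTROLS = {
    "access-review":   {"ISO 27001": "A.5.18", "SOC 2": "CC6.3", "PCI-DSS": "7.2"},
    "encryption-rest": {"ISO 27001": "A.8.24", "HIPAA": "164.312(a)(2)(iv)", "PCI-DSS": "3.5"},
    "incident-plan":   {"ISO 27001": "A.5.24", "SOC 2": "CC7.4", "NIST CSF": "RS.MA"},
    "vendor-risk":     {"ISO 27001": "A.5.19", "SOC 2": "CC9.2"},
    "data-retention":  {"GDPR": "Art. 5(1)(e)", "HIPAA": "164.316(b)(2)"},
}

# Constructed output of the evidence-review step: status per control, derived
# from uploaded documents before any question is asked. Unlisted = missing.
EVIDENCE = {
    "access-review": "answered",
    "encryption-rest": "partial",
    "incident-plan": "answered",
}

def triage(controls, evidence):
    """Bucket every control as answered / partial / missing from the evidence."""
    buckets = {"answered": [], "partial": [], "missing": []}
    for control in controls:
        buckets[evidence.get(control, "missing")].append(control)
    return buckets

def questions(controls, evidence):
    """Controls still needing human judgement, each asked once regardless of
    how many frameworks cite it. Partial evidence is asked before missing."""
    order = {"partial": 0, "missing": 1}
    pending = [c for c in controls if evidence.get(c, "missing") in order]
    return sorted(pending, key=lambda c: (order[evidence.get(c, "missing")], c))

def coverage(controls, evidence):
    """Per-framework answered fraction, computed from the shared control set."""
    per_fw = defaultdict(lambda: [0, 0])          # framework -> [answered, total]
    for control, refs in controls.items():
        for fw in refs:
            per_fw[fw][1] += 1
            if evidence.get(control) == "answered":
                per_fw[fw][0] += 1
    return {fw: round(a / t, 2) for fw, (a, t) in per_fw.items()}

if __name__ == "__main__":
    print(triage(CONTROLS, EVIDENCE))
    print(questions(CONTROLS, EVIDENCE))
    print(coverage(CONTROLS, EVIDENCE))
```

With the constructed inputs, five controls across six frameworks collapse to three questions, and coverage is reported per framework from that single pass.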

DPDPA · ISO 27001 · GDPR · HIPAA · NIST CSF · PCI-DSS · SOC 2 + GLBA planned
GitHub →
vendor pre-onboarding screen

Know what a vendor’s external signals say before you open the door.

Before a vendor questionnaire, before a contract, before access is granted — Recon reads what’s already publicly visible. Six scanners run against a domain simultaneously: DNS configuration, SSL/TLS posture, tech stack, breach exposure, security headers, and organisational signals. A red-flag detector runs before any AI interpretation. No access required, no questionnaire to fill. One domain, 60 seconds.

6 scanners · public signals only · 60 seconds
GitHub →
reinforcement learning · game theory

What happens when you let a system learn from rules alone.

A snake that taught itself to survive. A prisoner’s dilemma you can play — pick a strategy, run it against a population, watch cooperation emerge or collapse. A landing sequence a reinforcement agent learned without being told what “landing” looks like. These are experiments, not products. Simple environments, emergent behaviour, and the occasional surprise when the agent finds something you didn’t plan for.

Python · PyTorch · reinforcement learning
GitHub →
personal AI signal tracker

I track AI capability the way I track a threat landscape — against what actually affects my work.

AI developments are everywhere — posts, threads, announcements, most of it hype, very little of it signal. And almost none of it helps you work out what any of it means for your specific work. Velocity filters against a professional profile: each development is scored as an opportunity, a disruption, or a knowledge gap — relative to what you actually do. Before taking on work AI might already handle, a calibration test answers it directly.

relevance scoring · personal profile · weekly digest
GitHub →

Field notes

I publish a position, with the data attached.

Fifteen articles for security and GRC practitioners. The recurring thesis: this is not IT security for AI tools, it is systems security for synthetic cognition.

Who

The audit grounding.

Pre-certification readiness for ISO 27001, 27701, and 22301. Third-party risk program design for financial services and fintech. Technology risk assessments and board-level reporting.

Role
Assistant Manager, Cyber Strategy & Governance, at KPMG
Certifications
ISO 27001, ISO 27701, ISO 22301 Lead Auditor
Education
B.Tech in Information Technology and MBA in Finance, NMIMS
Sectors
Financial services, fintech, SaaS
Download CV (PDF) ↓

Outside the work

The rest of it.

Reading

What I'm chasing

Everything I'm building comes from trying to understand something I don't yet. I've landed on the belief that the best moment to have a hard problem is today. Not because it gets easier, but because you're already in it.

Off the clock

I surf when the ocean cooperates. I take coffee too seriously and I collect Hot Wheels — the latter started in childhood and I've never found a good reason to stop.