About This Site

Built on a gap nobody else closed.

The practitioners with the most relevant real-world security knowledge — the ones assessing banks, writing compliance reports, implementing international standards — almost never share what they know publicly. This site exists because that silence has a cost.

35 ISO 27001 Engagements · 27+ PCI DSS ROCs · CISA · SWIFT CSP Assessor · 3+ Years Financial GRC

There is a specific kind of silence in the cybersecurity industry that has always bothered me.

The professionals who do the highest-stakes security work — who assess banks against international standards, write the reports that regulators act on, sign off on compliance attestations — almost never say anything publicly. They consult. They sign NDAs. They move to the next engagement. The knowledge stays locked inside boardrooms and audit reports.

Meanwhile, the people publishing content are vendors selling software, consultancies generating leads, or career coaches helping people pass certification exams. Few of them have sat in front of a bank's evidence package and assessed whether the institution actually meets the controls, not just whether it has the documentation. Few of them know the difference between what a standard says and what an assessor actually looks for.

"The people who do the work don't publish.
The people who publish haven't done the work."

That gap is why Threat Manifest exists.


Who built this

I'm a GRC consultant who has spent 3+ years working exclusively with financial institutions — banks, non-bank financial institutions, payment service providers. The work is not theoretical. It's done in the systems that regulators audit and that real banks depend on.

35 ISO 27001 engagements — all in banks, NBFIs, or financial institutions
27+ Full PCI DSS Reports on Compliance written for banks, PSPs, and PSOs
3+ Years of active GRC consultancy — exclusively in financial institutions

My certifications span the frameworks I cover: CISA · CEH · ISO 27001 Lead Implementer · CC (ISC²) · Active SWIFT CSP Assessor. These aren't decorative. Each one appears in this site's content because it's directly relevant to what's being discussed.

This site operates without my name attached to it. Deliberately. The content should stand on its own. If you want to know whether to trust it — read the SWIFT CSP articles and see if they match your real-world experience. That's a better test than any credential listing.


The bridge nobody was building

Three years inside financial institution security work teaches you something that doesn't appear in any certification curriculum: the threats are not fundamentally different across audiences. The methodology is.

WhatsApp job scams use the same social engineering psychology as targeted spear-phishing against banking staff. The credential stuffing attacks that breach enterprise systems run on the same password reuse patterns affecting personal Gmail accounts. The unauthorized access tactics I assess in banking control environments mirror, almost exactly, the social media account takeovers hitting regular people every week.

Enterprise compliance specialists — the people with the most relevant real-world security expertise — almost never turn around and say: use this. Apply this. Protect yourself with what we know.

That is the specific gap Threat Manifest is built to close.

Think about what it means if the methodology that protects financial institutions starts reaching everyday people. Someone securing their homelab using ISO 27001 implementation principles is operating at a level that most consumer security content never approaches. Two thousand people doing that would be a measurable shift in how resilient the digital world is against the people trying to break it.


What you'll find here

Threat Manifest runs two content lanes simultaneously. They share one voice and one credibility foundation.

Lane 1 — Professional

Banking & Financial Institution GRC

Practitioner-level content for in-house compliance teams, IT auditors, and GRC consultants working in financial institutions.

  • SWIFT CSP independent assessment guidance
  • PCI DSS ROC preparation — from an assessor's view
  • ISO 27001 implementation for banks and NBFIs
  • Risk governance and IT audit methodology
Explore professional content →

Lane 2 — For Everyone

Practical Security for Real Life

Actionable security guidance for everyday people and tech-aware professionals who want real methodology applied to real threats.

  • Device security — phones, laptops, home networks
  • Scam awareness — how they work, how to spot them
  • Privacy tools — practical, not paranoid
  • Account security — from someone who audits it professionally
Explore security guides →

A Lane 2 reader who wants to go deeper will find the professional content written at the same level of specificity. A Lane 1 reader who wants to understand the consumer-facing side of the threats they assess will find it treated with the same rigour. The bridge goes both ways.


Credentials

Listed because they're relevant to the content — each one appears in specific articles where it matters.

SWIFT CSP Independent Assessor — Active

Directly relevant to all SWIFT CSP content. Every article reflects real assessment experience, not theoretical framework reading.

CISA — Certified Information Systems Auditor (ISACA)

Relevant to IT audit methodology, control testing, and evidence evaluation across all frameworks covered here.

ISO 27001 Lead Implementer

Directly underpins all ISO 27001 content — and the broader framework of thinking applied to practical security guidance in Lane 2.

CEH — Certified Ethical Hacker (EC-Council)

Informs the attacker-perspective content in Lane 2 — understanding how threats work, not just how to defend against them.

CC — Certified in Cybersecurity (ISC²)

ISC² foundational credential — relevant across both lanes.


How this site works — transparently

What's free

All content on this site is free. No paywall, no gated access, no login required to read anything in Lane 1 or Lane 2. The professional GRC content is not a lead generation funnel — it's published because it's useful and because nothing like it exists publicly.

How the affiliates work

Some Lane 2 articles contain affiliate links to tools I recommend — Bitwarden for password management, Malwarebytes for device security. If you buy through those links, I may earn a commission at no cost to you. Every link is disclosed clearly in the article. I link to tools because they're genuinely useful — not because of the commission.


Where to go from here

Two paths. Pick the one that fits.

For Professionals

Working in banking or financial institution GRC?

SWIFT CSP assessments, PCI DSS readiness, ISO 27001 implementation for financial institutions. If you're hitting a wall on a specific engagement, I may be able to help.

Enquire about consulting →

For Everyone

Get practical security guidance in your inbox

New articles, scam alerts, and tool recommendations — written with the same practitioner depth as everything else on this site. No filler. No sales cadence.

No spam. Unsubscribe any time.