Project 1: Building a Security Operations Centre from Scratch - Keepit, Denmark
Context. Keepit is a cloud-based backup and recovery company headquartered in Copenhagen. When I joined in January 2022, the organisation had no dedicated security operations function - threat detection relied on fragmented, ad-hoc processes with no centralised visibility.
Challenge. The core difficulties were threefold. First, the SOC had to become operationally effective quickly - not just exist on paper, but actually detect and respond to threats. Second, the environment required ingesting custom log sources that no off-the-shelf connector could handle, which meant the SIEM selection process had to account for parsing flexibility. Third, Microsoft licensing costs for log ingestion were prohibitively expensive, so I had to engineer a cost-effective logging pipeline without sacrificing visibility. All of this had to be delivered within an 8/5 operational model - there was no budget for round-the-clock staffing.
My role. I was the sole architect and leader of this initiative - from SIEM vendor evaluation and deployment through to hiring, training, and managing the SOC team.
Approach. I evaluated SIEM platforms against three criteria: custom log parsing capability, cost-efficiency for Microsoft ecosystem logging, and scalability. Once the platform was selected, I built custom connectors and parsers for non-standard log sources, designed a tiered logging strategy that routed high-value Microsoft logs through cost-optimised channels, and developed detection use cases aligned with MITRE ATT&CK. I recruited and trained the SOC team, wrote all playbooks and runbooks, and structured the 8/5 model with automated alerting to cover off-hours.
Outcomes. The SOC became fully operational within the 8/5 model, incident response time improved by 30%, and real-time detection capabilities increased by 40%. Microsoft logging costs were reduced significantly through architectural decisions without compromising coverage. The team passed all compliance audits, and I later stood up a Red Team function to continuously stress-test defences.
Project 2: Boosta
Context. Boosta is a holding company comprising 31 business units, each operating as an effectively independent business. When I joined as CISO in September 2025, there was no security function whatsoever.
Challenge. The starting position was severe: a large pool of unmanaged devices with unrestricted admin access across the board, uncontrolled third-party integrations with no oversight, zero audit history, widespread use of unlicensed software, and a complete absence of security policies or controls. Essentially, 31 businesses were operating with no security governance at all.
My role. Sole CISO and security architect - responsible for the entire programme from risk assessment through to hands-on technical deployment, with no dedicated team.
Approach. Given the scale of the problem and the absence of any security budget for commercial tooling, I built the entire security stack on open-source solutions: Wazuh as the SIEM and endpoint detection platform, one well-known utility for endpoint visibility and forensic response, IAM for centralised identity and access management, mTLS-based logging for secure and authenticated log transport, and a DLP layer built on top of this stack. I prioritised on a risk basis: first gaining visibility (SIEM), then controlling access (IAM), then protecting data flows (DLP). In parallel, I launched a regular audit cycle across all 31 business units.
Outcomes. The full open-source security stack was operational within six months - deployed, configured, and maintained by a single person. Regular audits are now embedded in the holding's governance cycle, admin access has been brought under control through Keycloak, and security policies are enforced consistently across all business units for the first time in the company's history.