I build AI systems. Then I secure them.

I’m Nick Falshaw. I’ve shipped 20+ production AI systems (agents, RAG pipelines, and document automation), and I’ve spent 17+ years securing enterprise networks in banking, automotive, manufacturing, and regulated infrastructure. Building AI and securing AI are usually two hires. Here they’re one.

LIVE 17 years, distilled
nick@falshaw: ~/security
$ whoami
Nick Falshaw, AI Engineer & AI Security Consultant
$ cat focus.txt
AI systems engineering
AI security engineering
Firewall automation at scale
Cloud, zero trust & ISO 27001
$ ls ./proof
RogueAI # 20+ production AI systems
fwchange.com # firewall change automation
$ cat creds.txt
AI-102 · AZ-500 · ISO 27001 LI · CEH · TOGAF 9 · CCIE Sec (written)
$ _

Build the system, secure the stack, prove it in audit.

Need an AI system built, or an existing one secured? I do both: agents and pipelines that ship, controls that survive production pressure, and the evidence to prove it. Firewall automation and ISO 27001 stay in the toolkit.

AI Systems Engineering

Agents, RAG pipelines, LLM integrations, and document automation, taken from idea to production. 20+ systems shipped end-to-end: self-hosted, Dockerised, and built to run every day, not to demo once.

AI Security Engineering

Agents take action, RAG pipelines expose context, and MCP servers expand the attack surface. I threat-model agentic systems, lock down ingestion, and harden self-hosted LLM stacks before they reach production.

Firewall Automation

Vendor-agnostic change automation grounded in 280+ real migrations across Palo Alto, Check Point, Cisco, Fortinet, and F5. Rule sets that survive audit, segmentation that holds, and automation that removes the human bottleneck.

Cloud & Zero Trust

Identity-first security for Azure and hybrid estates: conditional access, segmentation, and least privilege, prioritised by the risk each control actually removes rather than the logo on the box.

ISO 27001 & Compliance

ISO 27001 from gap analysis through certification, plus NIS2 and DORA readiness for regulated sectors. Passing the audit is the easy part; the goal is a programme that still holds the day something breaks.

Proven, not slideware

Two live platforms back the claims: production code, real deployments, and audit evidence you can inspect. The work is public enough to judge before we speak.

20+ production AI systems shipped
17+ years in enterprise cyber
280+ firewall migrations delivered

Seventeen years close to production.

Production firewalls, regulated audits, and AI systems shipped end-to-end: the record, not the pitch.

  1. 2025 to now

    Independent AI Engineer & AI Security Consultant

    Building and securing AI systems: agents, RAG pipelines, and document automation on the build side, agentic threat modelling and self-hosted LLM hardening on the defence side. Firewall automation and ISO 27001 programmes for regulated estates. Two live platforms built end-to-end: FwChange.com and RogueAI.

    • AI systems engineering
    • AI workload security
    • Firewall automation / ISO 27001
  2. 2010 to 2025

    Senior / Lead Network Security Contractor

    Fifteen years contracting into DAX-30 and enterprise environments: banking, automotive, manufacturing, payments and the public sector. Delivered 280+ firewall migrations and the security architecture behind them, multi-vendor and audit-ready.

    • Palo Alto (Panorama / Cortex / Prisma)
    • Check Point (VSX / Gaia / MDS / ClusterXL)
    • Cisco Firepower / ASA / ACI
    • Fortinet
    • F5 BIG-IP
  3. earlier

    Network & Security Engineering

    Enterprise routing, switching and perimeter security: the grounding that seventeen years of firewall, compliance and now AI-security work is built on.

Certifications

• AI-102, Azure AI Engineer
• AZ-500, Azure Security Engineer
• AI-900, Azure AI Fundamentals
• ISO 27001 Lead Implementer
• CEH, Certified Ethical Hacker
• TOGAF 9
• CCSP
• CCIE Security (written)
• CCNP
• CCDP
• CCSA · CCSE (Check Point)
• JNCIA-FWV · JNCIS-FWV (Juniper)
• Palo Alto EDU-201/205/311/121
• F5 BIG-IP LTM
• ITIL v3 Foundation

Live systems, not credentials alone.

Two live platforms and two regulated specialisms. Open them, read the public evidence, and judge the work before a call.

Field notes.

Practical writing on firewalls, compliance, and shipping AI systems that survive real users.

Two Authentication Bypasses, One Bug Class: The VPN Edge and the AI Stack

A Check Point VPN zero-day and the BadHost flaw in Starlette are the same CWE-287 mistake, one stack apart: trusting attacker-controlled input to authenticate.

From CVSS to ASR: Putting a Number on AI Agent Risk

For 17 years I scored security risk in CVSS. Anthropic just gave AI agents their own number: a 31.5% prompt-injection hijack rate. The risk discipline transfers.

The Firewall CVE and the AI-Agent Breach Are the Same Mistake

A root-RCE firewall CVE and a poisoned AI-agent skill marketplace share one root cause: no provenance, no least privilege, no change control.

OWASP LLM Top 10: 5 Critical AI Vulnerabilities for 2026

Where production LLM systems break first, based on mapping the OWASP LLM Top 10 against real codebases.

Shipping Production AI: 20 Hard Lessons from Building RogueAI

Most AI demos die before production. After 20+ systems across RAG, agents, LoRA, and document AI, here is what cost, latency, and deployment teach.

Zero Trust Mittelstand: A Pragmatic 90-Day Plan

Zero Trust for the Mittelstand, not the Fortune 500: identity, segmentation, and continuous verification without a full rebuild.

Firewall Change Automation: 5 Hard Lessons from 200 Audits

Seventeen years inside enterprise firewalls: why change control keeps failing, and why I built FwChange.

Cybersecurity Consulting Germany: What Companies Actually Need

Fifteen-plus years across enterprise firewalls, NIS2, incident response, and testing, and what good consulting has to deliver.

9 Enterprise Firewall Automation ROI Metrics for 2026

The nine numbers a network security leader needs to justify automation budget and prove the value to the board.

Virtual CISO Services: 5 Benefits for European SMEs

How a fractional CISO closes the NIS2 + GDPR maturity gap without hiring a senior full-time CISO.

Security Consulting ROI: 7 Metrics for the Board

The seven numbers that make security spend defensible: risk reduction, audit savings, response speed, and revenue protection.

Mittelstand NIS2: Why German SMEs Are Dangerously Unprepared

The backbone of Europe’s economy built its advantage through engineering, not security. Here is what BSI deadlines require and how to close the gap.

What 15 Years of Enterprise Security Compliance Taught Me

Hundreds of assessments across TISAX, PCI-DSS, ISO 27001, and NIS2, plus the lessons that do not appear in any framework.

7 AI Security Consulting Strategies for European Enterprises

What European enterprises actually need across NIS2, the EU AI Act and AI risk management, what to scope, and where to start.

AI Threat Detection: 7 Strategies for CISOs in 2026

How to reduce alert noise, find novel attacker behaviour, and turn detection maturity into evidence the board can understand.

How an engagement works.

The method stays consistent whether I’m building an AI system or securing one: evidence first, architecture second, implementation third, verification always.

01

Assess

Map what’s really deployed: topology, AI workloads, identity, threat surface, regulatory scope. Facts, not assumptions.

02

Architect

Design the target state and the path to it. AI controls and network defences on one blueprint, prioritised by risk and effort.

03

Implement

Build it: firewall automation, RAG controls, identity, and segmentation hardened against the vectors that actually land.

04

Verify

Prove it under real load. Useful alerting, owned runbooks, and audit evidence produced as part of delivery.

Ship AI you can stand behind.

Building an AI system? Running one that’s never been threat-modelled? Still on firewalls and ISO 27001? Tell me what you’re building or defending and what deadline matters. I reply within one business day.

Prefer not to use a form? Find me on LinkedIn.

Remote across the EU & worldwide