How I got here
I came up the way most of the people I respect in this field came up — five years of independent security research before any of this was a firm. Home labs built and broken on my own hardware, across every layer I now charge to engineer for clients. Hack The Box, CTF work, the long quiet hours of reading source, running tools against systems I built to be attacked, watching the defender side of my own offense to understand what telemetry actually catches and what slips past. Small engagements along the way for people who needed the work done and didn't care that I hadn't formalized yet. That's the foundation everything else is built on.
Two years ago I started a Bachelor of Science in Cybersecurity at Texas A&M University–San Antonio. The degree is in progress. I'm in it because there are things structured coursework teaches better than self-study does — database design, network architecture, software engineering in Python, the formal grammars of how distributed systems get built and broken. School is filling in real layers. I'm grateful for it. But the things I actually do for clients — the adversarial reasoning, the seam analysis, the operating across layers without handing off — school mostly doesn't teach. I learned those on my own first. The PJPT and CPTS are also in progress. The certs matter and I'm completing them. They aren't the reason I do the work.
Why I started the firm now
I started Barr Cyber when I did because I stopped waiting for permission. The doctrine this firm is built on says security is a property of the whole system, engineered across every layer at once, not assembled from credentialed specialists who each own a slice and let the seams between them rot. That theory has consequences. One of them is that the market this firm serves — small and mid-sized organizations the industry mostly underserves because they don't fit a SOC 2 sales motion — cannot wait for any one operator to finish their institutional climb. So I'm operating now, with the discipline the work demands, while the credentials complete on their own schedule.
What I want for the clients I take on
What I want for my clients is what I would want for myself if I were them: someone who actually understands every layer of what they're protecting, who doesn't hand off the parts they don't feel like dealing with, who documents the work in a way the client can audit independently, who licenses the tooling rather than renting it back to them in perpetuity, and who tells the truth — including when the truth is I haven't figured this part out yet. I am the security person I would have wanted in the room for every organization I've ever watched get breached through a seam nobody owned.
What I'm building toward
The firm isn't a static deliverable. It's a methodology being turned into tooling, engagement by engagement, so the work compounds rather than evaporates after every invoice. The lines I'm actively developing:
-
Digital forensics and incident response
For small and mid-sized organizations whose investigators currently spelunk through admin CSV exports by hand. Senior-grade chain of custody, graded findings, courtroom-defensible packaging. Built around a forensic platform purpose-built for the cloud-platform environments most SMBs actually run on — the only one of its kind in this market.
-
An endpoint hardening framework
Delivered as software a client can license and re-run themselves, not as billable hours that vanish when I leave. Senior-grade defense-in-depth, idempotent operation, layered controls tied to my own published advisories. Designed so the client owns the configuration of their own machines, not the vendor.
-
A fleet management platform
For organizations with more than one endpoint who want their configuration to be data-driven, transparent, and re-deployable — and a control layer on top of it so I can manage client fleets from a dashboard while the client retains the platform itself. The structural inverse of the standard MSP arrangement: the client owns the tool, I operate it with them, and if they ever leave they keep the configured platform intact.
-
A published advisory line
That documents what my tooling defends against, in language a small-business owner can read and a peer can verify, so the work is legible to both audiences at once.
The underlying ambition is straightforward: bring senior-grade security engineering — the kind that's normally reserved for organizations large enough to afford a full security team or an enterprise vendor — to the small and mid-sized organizations the industry has decided aren't worth serving directly. The doctrine prescribes it. The tooling makes it deliverable at a price the market can actually carry. The case studies document that it works.
How the firm is structured
I work with counsel when engagements require it. I partner with Deming by Design when work crosses into physical security, drone production, or creative software development — that's Hunter Deming's studio, an independent firm I trust at the layers his discipline owns. I bring in subject-matter advisors where specialized depth helps. I retain personal responsibility for the security engineering on every engagement Barr Cyber accepts. Nothing leaves this firm without my name on it.
Read what's here. If the work speaks to what you actually need, get in touch.