Asyraf

Security professional by day, builder by night. Based in Singapore — writing about AI risk, enterprise governance, and shipping things in public.

Latest posts

Threat-Modelling Your First MCP Server: STRIDE for the Agent Era

7/3/2026

MCP servers hand an AI agent real tools and real access. Here's how to run a classic STRIDE threat model over one before you wire it to anything that matters.

Machine Identity Is the New Perimeter

6/17/2026

Human logins are well defended. The unguarded door now is the service account, the API key, and the AI agent. A baseline for treating non-human identities as first-class.

PCI DSS 4.0, Part 2: How the 12 Requirements Ladder Up to 6 Goals

6/13/2026

A practitioner's map of PCI DSS 4.0 — the 6 control objectives, the 12 requirements beneath them, and how to read the standard as a security model rather than a checklist.