
Viv.

Software engineer. 25 years understanding systems, users, and problems. It's never mattered more.

I've been writing software since the late 90s. In that time I've learned that tools change frequently but the principles of good engineering don't.

Based in South Wales, I'm a Chartered Engineer with a Computer Science degree from the University of Wales, Cardiff. I've worked remotely for most of my career, long before it was fashionable, and most of that time has been spent building systems where the stakes are high. National cyber security infrastructure, government services, child safeguarding platforms, identity verification at scale. When the cost of getting it wrong is real, how you build matters as much as what you build.

I've been working seriously with AI tools for the past couple of years. It's the most significant shift in software engineering I've seen, removing friction around applying engineering judgement. The tedious parts are faster, the interesting parts are more interesting.

What I Do

AI-native engineering

AI is a core part of how I work, managed with the same XP and engineering discipline I've applied for years. I have embraced the increased speed at which AI allows us to produce code and love how engineering discipline allows me to maintain control over what I ship. My experience managing engineering teams translates directly to orchestrating agent teams, aligning goals, coordinating tasks, and fostering effective collaboration.

Building systems that last and evolve

I've spent 25+ years building software across government, finance, cyber security, and identity verification. I favour pragmatic emergent architecture, clear boundaries, and ruthless simplicity where it matters. I understand trade-offs and defer decisions until the last responsible moment. I strive to build systems that teams can understand, evolve, and own, not ones that depend on me being in the room.

Secure by design

I've spent decades working with organisations that have the most demanding security requirements — government, finance, national cyber security. I don't see security as something to be dictated from the top or bolted on at the end. It's a design discipline (asset identification, threat modelling, trust boundaries, identity, data flow, Zero Trust principles) built into the architecture from the start.

Growing teams & people

The best engineering teams are built on trust, patience, no blame, and a shared commitment to excellence. I lead by example, invest in people, and create environments where confidence grows and ideas are sharpened through challenge. Former colleagues regularly refer people to me for career advice, from A-level students to professionals changing direction entirely.

Experience

2024 – present

Agentic Software Engineering — The Current Chapter

“Everything I've learned still applies, just faster”

AI has become fundamental to how I engineer software daily. Claude Code is the primary tool at the moment, but this is a fast-moving domain and, like any good engineer, the decisions I’m making today are designed to allow change later.

Twenty-five years of learning how to manage teams (scoping work clearly, breaking down problems, TDD, pairing, code review, iterating in small increments) is proving to be exactly what’s needed to be effective with AI agents. I’m applying the tried and trusted methods of XP and software engineering to a new kind of collaborator.

Beyond the daily practice, there’s deeper thinking to be done. AI reduces the cost of producing code, but that doesn’t automatically mean better outcomes. When code is cheap, quality, security, and fitness for purpose become the real constraint. The benefits are real, but so are the trade-offs, and experienced engineers are perfectly placed to navigate them.

I’ve applied this thinking at broader scale too, leading a comprehensive research programme for a UK government department evaluating AI-powered security tools. Analysing 60+ solutions, developing a structured evaluation framework, and authoring a 50+ page technical report that senior stakeholders called “a magnificent piece of work.”

These are early days; I’m keeping a close eye on which principles will endure.

Agentic Workflows, Claude Code, LLMs, SAST tooling, MCP, AI security research, XP

2020 – present

Openfire — Mission Critical Open Source

“Quiet, careful work on systems that can't fail”

Long-term contributor to Openfire, the reference XMPP server used by military, healthcare, and defence organisations worldwide, working closely with the project’s lead maintainer. My work has spanned emergency vulnerability response (CVE-2023-32315), foundational improvements (replacing the networking framework with Netty to support TLS 1.3, certificate revocation via OCSP and CRL), and planning for post-quantum cryptography.

Most recently, a systematic overhaul of the cryptographic foundations (eliminating hardcoded IVs, replacing weak key derivation with PBKDF2, migrating from CBC to authenticated GCM mode) all while maintaining backward compatibility with years of production data across the global user base. Introduced Architecture Decision Records to give maintainers of a 20-year codebase a way to understand why things are the way they are.

Java, XMPP, Netty, TLS, PKI, Open Source, Docker, Performance Engineering, Post-Quantum Cryptography

2014 – 2024

CiSP — Technical Authority for National Infrastructure

“A decade steering the UK's national cyber sharing platform”

I served as Technical Authority for Threatvine, the platform at the heart of CiSP, the UK’s cyber security information-sharing capability. CiSP became a model that governments worldwide sought to replicate, and I was the technical lead behind the platform for a decade. That meant owning the technical roadmap, leading engineering projects, and steering the platform’s productisation across its full lifecycle.

Alongside the engineering, the role opened doors across the sector: integrating with academic research teams, exploring partnerships with international threat intelligence companies, supporting a globally significant financial services organisation, and engaging with multiple national governments exploring their own CiSP-like information sharing capabilities.

Java, Spring, Kubernetes, Jive, STIX, TAXII, MISP

2019 – present

Crossing Domains — Engineering at the Trust Boundary

“The most interesting engineering happens at the boundaries”

Throughout my career I’ve built systems that communicate across security domains where each side operates at a different level of trust. From cross-domain messaging and collaboration services, mobile push notifications bridging secure and open networks, through to a nationally significant service processing the most sensitive personal information across security boundaries using a serverless architecture.

Cross-domain engineering means rethinking trust at every layer: data schemas, identity, validation, gateways, and the business processes that wrap around all of them. There are no shortcuts; the quality of the engineering is the security.

AWS Serverless, TypeScript, React, WebCrypto, CDS Gateways

Various

Infrastructure as Code & Platform Engineering

“Repeatable, robust, auditable, and version-controlled”

I’m as comfortable in the terminal configuring clusters as I am writing the applications that run on them. I’ve transformed manual deployment processes into automated, reproducible infrastructure: air-gapped Kubernetes clusters, deployment pipelines that reduced 40+ manual steps to under 10, and infrastructure defined entirely in code so every environment is a known quantity.

All of this came together when I delivered a resilience overhaul of a nationally significant UK government system. Mapping the single points of failure, replacing the database layer with a distributed YugabyteDB deployment across multiple availability zones, and proving it all with chaos engineering.

AWS, Docker, Kubernetes (K3S, RKE2, EKS), CloudFormation, Pulumi, Terraform, Distributed Systems, CI/CD Pipelines, Chaos Engineering, Resilience Engineering, Canary & Blue-Green Deployments

2001 – present

Security as a Design Decision

“Deliberate security from the first commit”

Early in my career I worked alongside security assessors and quickly learned that the systems which held up under scrutiny were the ones where security had been baked in from the start. That stuck with me. Since then I’ve built tooling that connected software developers with Security Operations Centre analysts, making security logging something the team designed for rather than bolted on after the fact.

R&D into browser-based end-to-end encryption reinforced the same lesson. Treating encryption as a first-class architectural concern, rather than a layer added later, opens up possibilities that simply aren’t there when it’s an afterthought. The technical side matters, but the real skill is translating risk into decisions that people across the organisation can understand and act on.

Secure by Design, Threat Modelling, PKI, End-to-End Encryption, Logging, Identity and Access Management, Security Operations, Vulnerability Management

2013 – 2016 (early Surevine)

CERT-UK & the Birth of National Cyber Security

“Building the platforms behind national cyber defence”

I was brought in at the formation of CERT-UK to build the platforms that UK national cyber security coordination ran on. The incident management system, the public-facing website, and CiSP, the government’s platform for sharing threat intelligence across public and private sector organisations. After launch I led CiSP’s first major redesign and steered its evolution over the following years.

When CERT-UK evolved into the NCSC, I managed the transition of CiSP to its new home. That meant rebranding, decommissioning legacy infrastructure, migrating users, and coordinating penetration testing, all while keeping live services running for the people who depended on them.

Java, Perl, AWS, Incident Management, Threat Intelligence Sharing, Penetration Testing, Migration, Rebranding, Decommissioning

2013 – present

Remote Working — Before It Was Normal

“Remote by design”

I’ve been fully remote for over a decade, long before the pandemic made it mainstream. That’s a lot of time to figure out what actually makes distributed teams work. For me it comes down to the small things: checking in on the new starter every day, making sure remote meetings feel human, and noticing when someone’s gone quiet.

Remote work is easy to do badly. It works when people genuinely look out for each other and adapt when something isn’t working. I’ve always tried to be the person who does that, whether it’s adjusting how we communicate or changing working practices when someone is struggling.

Communication, Empathy, Embracing Change, Deliberate Inclusion, Trust

Work in the Open

Most of my work is behind closed doors, but not all of it. Openfire gives a good glimpse into how I work — the pull requests and discussions show how I collaborate with engineers across time zones and take care with software that many organisations depend on. Review-Loop is something different, a tool I built from scratch, developing and experimenting openly with AI without the constraints of a sensitive codebase.

Openfire

The open source XMPP server used by defence and government organisations across the world. I'm a long-time contributor; my contributions include replacing the core networking framework with Netty, a systematic cryptographic security programme, introducing Architecture Decision Records, and performance engineering.

igniterealtime/Openfire

Openfire Docker Compose

I created this Docker Compose environment for running multiple Openfire servers with databases during local development and testing. It's since been adopted by several of the Openfire core developers and testers. I've added clustering support, OCSP configuration, Java remote debugging, and comprehensive documentation.

surevine/openfire-docker-compose

Review-Loop

A tool I built to bridge human reviewers and AI coding agents. Annotate your rendered site in-browser (select text, highlight elements, write notes) and your agent reads the feedback directly via MCP, edits the source, and reports back for your approval (or not!).

Building review-loop in the open gives me the freedom to fully explore AI-enhanced software engineering without the constraints of a commercial or sensitive codebase. Experimenting with the same engineering rigour and practices, but also pushing the boundaries of speed, tooling, and working practices in ways that other projects don't always allow.

viv/review-loop

More at github.com/viv

Beyond the Code

Wado Ryu Karate

3rd Dan black belt and instructor in Wado Ryu. I originally started accompanying my kids and stuck with it. I'm drawn to the discipline it demands, the satisfaction of teaching, and the rich history of practical application.

ogwrkarate.co.uk

Mountain Biking

I've been mountain biking for over 30 years, and I'm lucky to be surrounded by great countryside, community, and trails in South Wales. I also enjoy running, rowing, and exploring the nearby mountains and forests on foot.

Smart Home & IoT

Home Assistant, Matter, Thread, Apple Home. Engineering curiosity applied to domestic life. Building automations, tinkering with protocols, and trying to make the house smarter without making it fragile.