Strategic cyber capability advisory

Clarity in a complex world.

Principia Ratio is a strategic cybersecurity advisory for organisations facing complex risks and delivery challenges.

We help leaders make risk- and cost-informed decisions, giving organisations the agility to move with urgency.

Experience

Credentials earned in complex environments.

Principia Ratio brings senior cyber leadership across regulated sectors, critical infrastructure, assurance, strategy, architecture, remediation, and delivery recovery.

Enterprise cyber leadership

Led complex cyber defence, assurance, remediation, architecture, and uplift initiatives across major enterprise, government, and critical infrastructure environments.

Regulated sector experience

Delivered cybersecurity advisory and assurance work across banking, digital health, defence, aviation, federal government, state government, and critical infrastructure.

Critical infrastructure delivery

Led cybersecurity delivery for major critical infrastructure initiatives, including large-scale aviation and nationally significant technology programs.

Cyber assurance and assessment

Delivered and led IT controls assurance, audit activities, PCI DSS readiness, ISO 27001-aligned assurance, PSPF improvement, ISM controls assessment, and remediation programs.

Essential Eight maturity uplift

Designed and delivered Essential Eight uplift programs spanning maturity assessment, remediation planning, executive responsibilities, implementation support, and measurable uplift outcomes.

Cyber strategy and risk management

Developed cyber strategies, risk frameworks, implementation plans, control assurance programs, and operating models aligned to business, regulatory, and operational requirements.

Security architecture and cyber defence

Led cyber reference architecture, security architecture review, cyber defence capability development, threat intelligence frameworks, and threat management initiatives.

Complex program recovery

Stabilised and redirected complex cyber programs by aligning senior stakeholders, engineering teams, architecture functions, operations teams, and delivery partners around practical outcomes.

Senior stakeholder advisory

Advised executive leaders, program boards, risk owners, technology teams, and delivery partners on cybersecurity strategy, assurance, risk, priorities, and regulatory obligations.

Multidisciplinary delivery leadership

Led cross-functional teams across cyber architecture, engineering, assurance, operations, governance, risk, compliance, and program delivery.

Practical remediation expertise

Delivered cyber remediation programs in complex environments, helping organisations prioritise risk, close control gaps, and improve security maturity.

Standards and framework expertise

Applied leading cybersecurity and assurance frameworks including Essential Eight, ISM, PSPF, APRA CPS, COBIT, ISO 27001, PCI DSS, cyber risk management, and IT controls assurance.

Alpha

Hopdox is in active alpha testing. It accelerates and structures compliance assessment, but a qualified assessor remains accountable for every result. During alpha, do not process classified or sensitive material, or enter real identifiers, credentials, or PII.

Documentation in.
Defensible assessment out.

Hopdox is built as a compiled Go application with an embedded React interface, REST API, live Server-Sent Events progress, assessment-local evidence indexing, checkpointed stage execution, and generated DOCX, PDF, and ZIP report outputs.

Six
Sequential stages from boundary analysis through generated reports
20
Controls per batch, with checkpointing for pause, retry, and resume
Review
Conflicts, overrides, evidence, and report readiness remain under human control

The six-stage pipeline.

01 Boundary
Identifies assets, scope, and system context from uploaded architecture and design evidence.
02 Applicability
Determines which ISM controls apply using retrieved evidence and trusted framework guidance.
03 Effectiveness
Assesses control evidence, gaps, recommendations, confidence, and cited source excerpts.
04 Maturity
Scores Essential Eight maturity levels with rationale against the available evidence.
05 Conflict
Detects competing directives and routes them to human-in-the-loop review before reports are used.
06 Reports
Builds ISM Control Assessment and E8 reports from the same structured document model.

Built as an assessment system,
not a prompt demo.

The alpha includes the application surfaces needed to run, inspect, pause, correct, and export an assessment, not just generate prose.

Evidence ingestion
Accepts common office, PDF, text, configuration, infrastructure, and policy formats, with document-type labelling at upload.
Evidence trace
Findings retain source references and excerpts so reviewers can inspect the evidence behind an assessment result.
Live progress
The running assessment view receives stage, validation, pause, resume, and completion events through a live stream.
Reviewer controls
Human reviewers can resolve conflicts, override selected control fields with reasons, retry stages, and check readiness.
Audit trail
System, sanitisation, validation, model, and human decision events are written to an append-only NDJSON audit log.
Report outputs
DOCX and PDF reports are generated from a shared model, with ZIP download support for complete assessment packages.

Security is the architecture —
not a feature.

Hopdox is designed to minimise exposure of sensitive material, separate uploaded evidence from trusted guidance, constrain external calls, and keep a human decision-maker in control.

Mandatory masking
Infrastructure identifiers and selected named entities are masked before model-assisted reasoning, with token mappings restored for reports.
Trusted guidance boundary
Uploaded files are treated as assessment evidence only; ISM, E8, PSPF, and guidance material stay in a separate trusted corpus.
Constrained runtime
Network allowlisting, redirect controls, strict file permissions, and signed cache files narrow the runtime surface.
A person decides
A qualified reviewer accepts, rejects, resolves, or overrides before results are relied on.

Join the Hopdox alpha.

Alpha testing is limited to a small group of assessors and security leaders.

Contact

Get in touch to discuss how we can support your organisation.
