Open-source · built in public · for CISOs who are done with theater

A new shape for the office. A live signal for the business.

The role was never staffed for the workload it carries. UpIsland is an open-source process that ships a virtual security office of purpose-built agents — and the SecurityPulse they produce: a live, evidenced view of where the organisation actually stands on cyber risk, and the interface the business reads it through.

The architecture, the mental models, and the build itself land here as I learn in public. The newsletter is the weekly reading log that feeds it.

publishing weekly · next issue Sunday Browse the reading log

Built on PAI — Personal AI Infrastructure by Daniel Miessler. Open substrate, owned by its operator. We build agents where the office demands it; we integrate the great tools everywhere else.

▸ Building in public — the site is the workshop

Architecture as it gets drawn. Mental models as they crystallize. The SecurityPulse itself, as it gets wired. Nothing here is a pitch. It's the build, in the open, with the wrong turns left visible.

From the reading log

Browse all →

The weekly reading log

What I read this week.

A summary of articles I read each week that will most likely fold into the SecurityPulse — meant for learning and inspiration, not as the build itself. The build lives on this site.

Why this exists

One CISO. A whole office. One signal.

UpIsland is an open-source process that ships a virtual security office of purpose-built agents — and the SecurityPulse they produce: the live, evidenced view of where the organisation stands on cyber risk.

Not one general assistant pretending to be everything. A team of specialists, each with a job description, a scope of authority, and a probe surface that proves it did the thing it claims to have done. We build agents where the off-the-shelf tools don't fit the office's shape. We integrate the great tools when they do.

The Pulse itself is the artifact every agent in the office contributes to. Live views on risks, controls, policies, attacks, and audit findings — and how every layer ties to the others. The board reads it as a narrative of safety. The auditor reads it as evidence. The CISO reads it as a worklist. Same artifact, three lenses.

This site is the workshop. Architecture diagrams, mental models, sketches of the Pulse as it gets wired — they land here as the build matures. The newsletter is the weekly reading log: what I read that might fold into the Pulse next. Inspiration, not output. The build lives on this site.

We offload the work no human should be doing twice — and free the human to do the work no machine can. The office gets faster, the CISO gets the job back.

"security outcomes, not security theater." · © 2026 · open source

How the agents are built

01
Purpose-built.

One job, well. No generic copilots pretending to be specialists.

02
Context-aware.

Reads the artifacts it needs before acting. Cites them in the output.

03
Architecturally grounded.

Knows where its authority ends. Hands off cleanly. No drift across edges.

04
Autonomous where earned.

Supervised by default. Promoted to autonomy on the work it has proven.

05
Built where we must. Integrated where we can.

The stack composes both — PAI as the substrate, our own work where the gap demands it, the best of the open ecosystem everywhere else.

Lineage

UpIsland sits on top of PAI — the Personal AI Infrastructure pattern Daniel Miessler put into the world. We adapt it for a different operator: not an individual, but the CISO office. Same principles — open, composable, owned, evidence-driven. Different domain — security work, with the adversarial pressure that comes with it.