API Security: The One Lesson I Didn’t Know I Needed

Published on 2 December 2025

For years, I’ve lived deep inside enterprise security, building global programs, leading critical incident response across 60+ offices, and shaping security into something the business actually understands. I’ve redesigned processes, driven multi-region audits during messy M&A cycles, and taken on every “we’ve never done this before” mandate thrown my way.

But here’s the twist no one talks about: even with a decade of experience, API security still punched me in the face when I started learning DevSecOps.

I’ve always believed in learning by doing. Build it, break it, understand it, and my homelab is proof of that. From self-hosting to automation to open-source projects, I’ve always pushed beyond the perimeter. But the moment I began actually building applications myself, something shifted.

Suddenly API security wasn’t a theoretical chapter in a certification book. It became personal.

The Wake-Up Call

APIs aren’t “just endpoints.” They’re where your logic, your data, and your assumptions live. And attackers aren’t waiting for CVEs, they’re waiting for your mistakes.

The fundamentals hit differently when you’re the one writing the code:

Why This Matters to Me

APIs expose not just data but business flows, the real actions that run companies. When you realize that, you stop treating APIs like technical plumbing and start treating them as critical infrastructure. That's when API security becomes responsibility, not theory.

And that’s why I’m here: I'm learning to build, not just defend. If I want to preach honest security, teach it at home, protect my family’s digital footprint, and champion data sovereignty, then I need to understand the systems I’ll one day secure.

API security isn’t just another domain for me. It’s the bridge between who I’ve been (the analyst, the responder, the builder of enterprise security) and who I’m becoming next.

DevSecOps isn’t a career move.
It’s the next evolution of my mindset.