The Team Operators and advisors

The operators behind Olympus.


Mill Creek is engineering-led. The partners run the engagements; the engineering bench ships Olympus; a standing council of sitting and former CIOs from regulated industries advises on board-level read-outs. We name everyone we are allowed to name. Boards expect to see who is in the room.


The standard

We name everyone we can name.

Most security consulting firms hide behind logos and anonymized quotes. The model works for them because their engagements are sold to procurement, where names matter less than coverage. Mill Creek is sold to boards. Boards verify against named accountability, and rightly so. Every Mill Creek engagement runs under a named partner who attends the audit-committee read-out. Every Olympus deployment runs under a named engineering lead. Every advisor on the council is named when the engagement letter permits, and anonymized to a sector descriptor when it does not.

The only people we anonymize are advisors whose current roles do not allow public association with a security consultancy. The bench is otherwise published in full.


Partners

The principal partners.

Co-accountable on every engagement. One leads the partner brief, one leads the engineering. Both attend audit-committee read-outs.

Founder & chief executive

[Name placeholder]

Background in offensive security and platform engineering. Previously led the red team for a top-five U.S. financial institution, where the team was responsible for proving exploitability against production payment systems before regulators did.

At Mill Creek, holds engagement leadership accountability across every program. Runs the partner brief intake, signs every engagement letter, and attends every audit-committee read-out. The point of the role is that the buyer always knows whose name is on the work.

Frequent author on agentic AI security and board-level risk communication. Speaking and publication history available on request.

If your engineering team cannot merge a security pull request by Friday, the pull request is wrong. That is the standard Olympus is built to.

Head of engineering

[Name placeholder]

Architect of Olympus. Twenty years across distributed systems, applied AI, and security tooling. Previously shipped the agentic infrastructure inside a hyperscale platform team, including the parts of the codebase regulators care most about.

At Mill Creek, owns the Olympus codebase, the policy library structure, and the deployment posture. Runs the technical brief for prospective Olympus clients. Personally reviews every change to Vulcan's pull request authoring path.

Maintains a small open-source project on provenance-preserving agent traces that came out of the Mill Creek engineering practice.

Olympus is interesting because the constraints are sharp. No merge access. No default-branch writes. Rollback plan attached. The product is better because of the constraints.


Engineering bench

The directors who own each sprite.

One director per sprite, plus the operator who runs the Olympus cluster. All four are named. All four are reachable to clients on engagement.

Director, adversarial engineering

[Name placeholder]

Leads Nemesis development and operates the rules-of-engagement review for adversarial engagements. Background in offensive security research; frequent contributor to defensive bug-bounty programs and a well-known voice on prompt-injection threat modeling.

Director, source audit

[Name placeholder]

Leads Delphi development and owns the policy library architecture. Background in compiler engineering and policy modeling for regulated industries. Wrote the council-vote resolution semantics that grade every Delphi finding.

Director, remediation

[Name placeholder]

Leads Vulcan development and owns the pull-request authoring path. Background in developer tooling at hyperscale platforms; ships pull requests that other engineers actually want to merge. Personally writes the rollback-plan templates.

Director, operations

[Name placeholder]

Runs the Olympus cluster and the on-call rotation. Background in SRE for security-critical systems. Owns the SLA, the deployment posture, and the cluster build cadence. The person who answers the page at three in the morning.


CIO Council

The advisory bench.

Sitting and former CIOs from regulated industries, drawn across healthcare, federal civilian, financial services, and consumer retail. Reachable to clients on engagement; in attendance at the board read-out when the engagement letter requests it.

Healthcare

[Name or anonymized]

Sitting CIO of a Fortune-100 U.S. health system. Twenty-five years in regulated healthcare technology. Authority on protected-health-information handling under agentic systems and on hospital-network deployment constraints.

Federal civilian

[Name or anonymized]

Former CIO of a federal civilian agency. Authority on sovereign-deployment requirements, federal compliance pathways, and the regulator-engagement cadence that follows incidents in federal environments.

Financial services

[Name or anonymized]

Sitting CIO of a global asset manager (AUM in the mid-eleven figures). Brings perspective on material non-public information handling, regulator engagement, and incident communications under SEC oversight.

Consumer retail

[Name or anonymized]

Former CIO of a top-three U.S. retailer. Authority on consumer-data scale, payment system security, and public incident communications when the customer base is in the hundreds of millions.


Specialist affiliates

Pulled in by name when the work demands depth.

A vetted bench of specialists in domains our staff team does not cover on its own. Affiliates are engaged by name, attached to the engagement letter, and accountable to the partner running the engagement.

  1. Incident response

    [Name placeholder]

    Former CISO at a major SaaS company. Pulled in for active incidents requiring senior counsel on disclosure decisions and regulator communications.

  2. Cryptography

    [Name placeholder]

    Academic researcher and former government cryptographer. Pulled in when a finding touches cryptographic primitives, key management, or the integrity layer of a regulated system.

  3. AI policy & counsel

    [Name placeholder]

    Counsel at a major law firm specializing in emerging AI regulation. Pulled in for AI Audit engagements where the deliverable will land in front of a regulator or a board's audit committee.

  4. Threat intelligence

    [Name placeholder]

    Former federal threat hunter. Pulled in for red-team engagements requiring nation-state threat modeling and for incidents where the suspected adversary is state-aligned.


Hiring

Two seats open.

We hire infrequently and write the briefs ourselves. If either of these reads like the work you want to do, send a note to hiring@Mill Creek.example.

Engineering · Vulcan

Senior Application Security Engineer

You will draft the actual remediation diffs that Vulcan opens against client codebases. This is not a prompt-engineering role; it is an applied security engineering role with an unusual constraint surface — no merge access, no force-push, no default-branch writes, every PR ships with a rollback plan, every diff respects CODEOWNERS.

You should have shipped security-critical code at scale, be comfortable on someone else's codebase as a guest contributor, and care more about the merged PR than the advisory.

Remote-first · partner-reviewed · published rate band on request.

Partnership track

Engagement-Lead Partner

You will lead engagements alongside the founders. You will own the partner brief intake, the engagement letter, and the audit-committee read-out. You will be named on the website, on the engagement letter, and on the brief that goes to the board.

You should have run security engagements for boards before. You should be willing to carry your own intake roster. You should be allergic to slideware.

Equity participation · joint accountability with founding partners.


Standing order

You should know who is in the room before you sign anything.

Every Mill Creek intake begins with a partner identifying themselves by name. Every engagement letter names the partner, the engineering lead, and any specialist affiliate the engagement requires. If you cannot get a name from a security consultancy, the answer is not to lower your standard for who you hire.