Skills

One case, start to finish.

A small civic organisation shares a messy dataset for a digital-harms study. The case moves through four kinds of work, from raw data to a defensible, access-controlled decision.

Case CR-204 runs from a raw dataset to a defensible, access-controlled decision. Each station is a working instrument you can use.

01Data Systems

case state · raw dataset

The Pipeline Bench

Proves ETL thinking — validation, deduplication, and resilience when the source schema changes. Not “I know pandas.”

quality score40%
idsellerpriceposteditemcitystatus
L-0042USER-042Rs. 15,000 approxyesterday??Used phone - urgent!!!lahore
L-0043user_04215k2026-05-14used phone (urgent)Lahore
L-0044user_108PKR 8,5002 days ago laptop chargerkarachi
L-0045user_211free2026-05-13Sofa setISLAMABAD
L-0046user_077Rs 25000todayBicycle!!!lahore

Step through, or run the pipeline — fields normalise, duplicates drop, the quality score climbs.

Proof1.5M+ listings100K+ seller profiles500K posts/day

02Platform Accountability

case state · harm signal flagged

The Evidence Packet

Proves accountability is evidence assembly with epistemic honesty — weak evidence is visibly penalised, not buried.

Evidence — toggle onto the packet

Accountability memo · CR-204

A clustered language spike — repeated gendered abuse toward a community advocate — appears in a narrow window during an election period.

packet strength84%
ConfidenceHIGH

Limitation. Coordination is possible, not asserted. This packet structures evidence; it does not decide intent or guilt.

Proof290-term GBV taxonomyOversight Board commentsDRF research

03Governance & Risk

case state · decision: human review

The Risk Decision Dial

Proves governance is explainable trade-off design — the system refuses to auto-decide a high-severity, low-confidence case.

71RISK INDEX

Recommended path

Human review required

High severity, low confidence — the system will not auto-decide. It holds irreversible action and asks for corroboration.

Try to “Auto-decide” a high-severity, low-confidence case — watch it refuse.

ProofCivicSec risk modelhuman-in-the-loopincident governance

04Software Engineering

case state · access: scoped

The Permission-Gated Console

Proves backend skill through states and boundaries — object-level access control made visible, not just role checks.

Endpoint

GET /api/incidents/CR-204

Role

Acting org

An admin in Org A can do everything — but is still denied Org B's incident. Object-level access, not just role checks.

Response

200 OK
{
  "status": 200,
  "scope": "admin",
  "fields": [
    "id",
    "severity",
    "evidence",
    "state",
    "review",
    "audit"
  ],
  "audit": "admin@OrgA read CR-204"
}

Audit log

  • No requests yet.
ProofDjango · DRFobject-level RBACPostgreSQL

The stack

A working ecosystem — grouped by what each tool does, not the brand.

CollectionStructuringProductGovernanceCommunication

Collection

  • PythonPrimary language for collection and analysis pipelines.
  • SeleniumDrives unstable, JS-heavy interfaces when no API exists.
  • BeautifulSoupParses messy HTML into structured records.
  • requestsLightweight HTTP collection where endpoints are stable.

Structuring

  • pandasCleaning, validation, dedup, and analysis-ready tables.
  • SQLRelational modelling and query logic for research data.
  • BigQueryScales batch processing to ~500K posts/day workloads.

Product

  • DjangoBackend for stateful, reviewable civic workflows.
  • DRFPermission-gated REST APIs with object-level access control.
  • ReactInterfaces for review queues, dashboards, and demos.
  • TypeScriptType-safe product and data-tooling code.
  • PostgreSQLDurable store for evidence, risk events, and audit logs.

Governance

  • OWASPApplication-security baselines for defensive design.
  • MITRE ATT&CKShared vocabulary for adversary techniques.
  • OSVOpen-source vulnerability data for exposure triage.
  • CISA KEVKnown-exploited vulnerabilities for prioritisation.
  • NISTRisk-management framing for governance decisions.

Communication

  • Policy commentsTurning evidence into regulatory submissions.
  • ReportsPlain-language findings for non-technical stakeholders.
  • WorkshopsHelping civic teams use the tools and read the signals.

These four come together in CivicSec Lab.

The flagship is where data systems, accountability evidence, governance reasoning, and permissioned engineering meet in one build.