Abdullateef Abdulsalam is a cybersecurity analyst at Guaranty Trust Bank UK Limited. He is also the founder of Fa3Tech Limited and has built three security platforms: PrepIQ, DefenceIQ, and CertPulse.
In this chat with PREMIUM TIMES, he talks about his unique career journey, the issues he sees in the UK's cyber readiness, and why he decided to offer his main products for free.
PT: You studied Industrial Relations and Personnel Management. How did you end up working in the security team of a major bank in the UK?
Curiosity, and a specific event that made it personal. Before coming to England, I worked in IT support and operations for years. I was one of the first staff at Sigma Pensions Limited in Abuja from 2004 to 2009, then moved to IT operations at Starfish Mobile Nigeria Limited, a telecom service provider. In April 2012, someone accessed our systems without permission and used them for personal gain. Our server usage shot up, revenue fell, and it took time to figure out what was happening. That was when cybersecurity became real for me. You don’t forget the first time you see someone quietly stealing from something you helped create.
By the time I got to England and started my second degree, I had over ten years of practical experience. The academic path just added to what I had already learned in the field. Understanding how people behave is really useful in security. Most issues are really people issues.
PT: You got an MSc in Applied Data Science from the University of Sunderland in 2023. What motivated that choice?
Abdulsalam: I wanted to build things that are secure. In security, intuition can help, but “I feel” won’t hold up in a board meeting or during a regulatory check. The MSc taught me how to structure a problem, validate it with data, and explain my findings to those who weren’t there during the analysis. My dissertation focused on predicting flight delays using machine learning. It may seem far from security, but the skills are the same: clearly define a problem, don’t fool yourself with your own data, and communicate results to a non-technical audience. I use these skills all the time, whether building a fraud model or recommending a security control.
PT: You also received the SuPA Professional Award from the University of Sunderland in 2023, given by the Vice Chancellor. What was that about?
Abdulsalam: The SuPA, Skills and Professional Attributes, award recognises what you create outside the classroom: leadership, community work, professional events, and real-world projects. You have to show and reflect on your experiences, which is a tough process. Going back through my records later, I realised it was an early sign of habits that now define my work. I attend things not covered in class, build publicly, and see professional growth as a serious task.
PT: You have experience in incident management, threat detection, vulnerability management, and regulatory compliance with the FCA, PRA, and DORA. What has working in a major bank taught you?
Abdulsalam: Scale and impact. A wrongly set firewall rule in a bank can lead to losing hundreds of thousands of customer records or cause a major operational issue that shows up in a regulatory report. That context changes your thinking. You become careful about documentation, change management, and the consequences of any decision.
The downside is that big institutions tend to be cautious by nature. The problems I saw in the market, small firms without security budgets, civil society groups that are serious targets but unaware, can’t be fixed from within a bank. That gap pushed me to start building.
PT: Was there a time when you stopped seeing cybersecurity as just a job and started seeing it as a problem you needed to fix?
Abdulsalam: The incident at Starfish in 2012 was my first turning point. But the moment that really set my path came later. I was doing a vulnerability assessment at the bank and kept thinking about the organisations we weren’t protecting. They were too small for enterprise tools but too exposed to ignore. I wondered what a small law firm or GP surgery was supposed to do when vendor contracts cost more than their entire IT budget. Nobody had a good answer. That isn't a market gap; it's a structural failure. The moment I stopped waiting for someone else to fix it was when I began building PrepIQ. I didn’t plan to be a founder. I just became impatient waiting for the right product to come along.
PT: Tell us about Fa3Tech Limited. Why create a company instead of doing independent consulting?
Abdulsalam: Consulting solves one problem at a time. I wanted to tackle the same issue on a larger scale. Fa3Tech is a UK-registered cybersecurity and tech company based on the idea that good security tools should be available to all organisations, not just those with big budgets. Our products can help people a consultant might never reach, the NHS trust with only two IT staff, the small law firm in Birmingham, the news outlet targeted by a state actor without realising it.
PT: What does PrepIQ do?
Abdulsalam: PrepIQ is a free, open-source cyber preparedness platform designed for UK organisations without a dedicated security team. It features a UK SME Cyber Health Index that benchmarks your organisation against peers. There are 27 learning modules based on frameworks like NCSC Cyber Essentials, UK GDPR, FCA SYSC 13, and DORA. It includes a six-scenario incident simulator with AI-powered feedback and a phishing simulation engine with UK-relevant templates. It generates board-ready PDF reports. You can find it at prepiq.fa3tech.io, and it is open source on GitHub under the Apache 2.0 licence. It currently has 78 users from 12 UK organisations across finance, healthcare, education, retail, and public sectors.
PT: You made it completely free. That’s not the usual business decision.
Abdulsalam: The organisations that really need it are often the ones that can’t afford it. I kept seeing the same situation, a small charity, a local council, a GP surgery, that knew they had a gap but had no way to address it. Commercial products often start at prices that don’t fit their budgets. Making PrepIQ free removes that barrier.
The bigger picture is that cyber resilience in the UK isn’t just a competitive issue. It’s a shared infrastructure problem. If PrepIQ helps thousands of organisations prepare better, that’s important for big banks and insurers too because they rely on those smaller organisations in their supply chains. Making it free was the right choice, even from a self-serving standpoint.
PT: How does DefenceIQ relate to PrepIQ?
Abdulsalam: They tackle different parts of the same issue. PrepIQ focuses on preparedness, understanding your security state, training your team, and practicing your response. DefenceIQ is an AI-powered fraud intelligence platform with 12 modules, including AML transaction monitoring, sanctions screening, adverse media classification, a UK NCA-format SAR generator, and network link analysis. It is also open source under Apache 2.0 at defenceiq.io. Together, these platforms give any UK organisation access to tools that used to require enterprise contracts and specialist staff.
PT: And CertPulse?
Abdulsalam: CertPulse is a paid SSL certificate monitoring service at CertPulse.tech with active customers. It shows that Fa3Tech is not just building open-source tools for the sake of it. The reason people pay for a tool instead of using a free one is often about accountability and reporting. Customers want assurance that something is watching over them so they don’t have to.
PT: Two of your three products are free. Some might see that as a bad business model.
Abdulsalam: I don’t think it’s hard to defend. There’s a clear issue with cyber readiness in the SME and public sectors in the UK. The NCSC has the data. The insurance industry knows it. Everyone sees the gap. The organisations most at risk are often the ones least able to act, and the commercial market hasn’t solved this because it’s not built to. Open source is one of the few ways to reach these organisations at scale.
What’s harder to defend is the alternative, creating another paid product that helps organisations already served while leaving others exposed. CertPulse is how I address the business model issue in practice. You can run a sustainable business alongside work that genuinely benefits the public. They can coexist if you plan carefully.
PT: In March 2026, you spoke on a panel at a TechChat and Networking event hosted by ParayTech and supported by the NatWest Accelerator. What did you cover?
Abdulsalam: I was invited due to my work at the cutting edge of financial services security while also running a startup in the same area. The panel discussed the realities of building a cybersecurity venture in the UK’s fintech space. We talked about the balance between moving quickly as a founder and the discipline needed in a regulated institution, what digital trust really means beyond slides, and why the UK needs more people with experience in both fields. ParayTech and the NatWest Accelerator have created something that works well for early-stage tech founders.
PT: You wrote an analysis on the alleged Remita data breach, Nigeria’s central government payment platform. Why did that incident catch your eye?
Abdulsalam: A threat actor claimed to have taken 3TB of data, including KYC documents, government HSM keys, source code, and over 35,000 password hashes. If the HSM key claim is true, that’s a serious breach. HSMs are crucial for financial operations. The entry point was a misconfigured S3 bucket. It wasn’t a zero-day attack. It was a misconfiguration. That’s painful in a specific way.
The public reaction also grabbed my attention. There was talk of “some hitches” while quietly telling partners to regenerate API keys. The gap between these two responses tells its own story. I wrote about it because millions of Nigerians use Remita and deserve a clear explanation of what’s at stake, including the 72-hour notification requirement under Nigeria’s Data Protection Act.
PT: In December 2025, you spoke at HEDA Resource Centre’s monthly Chatting with HEDA series on X, to an audience of journalists and advocacy professionals. What did that session cover?
Abdulsalam: HEDA is a civil society group with over 16,000 supporters. They invited me because journalists and advocacy workers are prime targets. State actors, criminal groups, and disruptive forces often aim to compromise them, yet they get little of the security support that corporate environments have. We discussed targeted hacking, AI-generated misinformation, deepfakes aimed at activists, and practical steps they could take right away: encrypted communication tools, email security, and password hygiene. HEDA’s Chairman, Mr Olanrewaju Suraju, called the session timely and engaging. What mattered more was the feedback from attendees who said they left with actionable steps for the next morning.
PT: In April 2026, you delivered a guest lecture at the University of Sunderland to postgraduate students. What was the main argument?
Abdulsalam: Human-centered security, cyber resilience, incident response, and organisational security culture. The main point is that many security failures are really human failures, not because people are careless, but because systems are made without thinking about how humans react under stress, time pressure, and information overload. I want students to understand that good security design starts with empathy. Resilience is a better focus than just prevention. Also, the ability to communicate clearly to a non-technical leadership team is just as important as any technical certificate.
PT: Teaching at a school where you were recently a student is an interesting position. How do you handle it?
Abdulsalam: You must be honest about the gap between what the curriculum teaches and what the first few years in the field are really like. What I offer is the raw version, the issues that didn’t resolve easily, the board meetings where security recommendations were ignored for budget reasons, and the realisation that managing the human side of security is tougher than any technical control.
I also want to show students that taking an unusual path into the field is not a disadvantage. I came from operations, from real infrastructure, with a decade of hands-on experience before I got formal qualifications. That’s a different kind of preparation, and in some ways, a better one.
PT: What is it like to build a company while working full-time at a major bank?
Abdulsalam: Most of PrepIQ was developed between 10 PM and 2 AM. The phishing simulator, the incident scenarios, the AI coaching feature, and the board reporting engine, all of these took hundreds of hours of work after a full day at the bank. There are weekends when I debug a database migration while finishing a compliance report. I wouldn’t romanticise it. But I stopped believing in perfect conditions a long time ago. Waiting for everything to align before starting wasn’t an option for me, and I don’t think it is for most people who end up building something real.
PT: What does the UK cybersecurity sector still get wrong that someone with your experience can see clearly?
Abdulsalam: Two main things. First, there’s the belief that security awareness is just a training issue. You can send employees phishing simulations, track click rates, and report to the board that the percentage dropped. But none of that tells you if the organisation is actually better off. Real awareness means creating a security culture where people voice concerns early, where the security team is seen as a resource, and where leadership shows the behaviour they expect.
The second issue is the talent pipeline. The sector heavily recruits from a narrow profile, computer science graduates, certain certifications, and specific universities. This leads to teams that are technically similar but limited in their understanding. Some of the best security work I’ve done came from understanding how people behave in organisations under pressure, which isn’t something you learn in a classroom. The sector would be stronger if it recruited more intentionally from operational backgrounds, social sciences, and people with experience in regulated areas outside of tech.
PT: Where do you see Fa3Tech by 2030?
Abdulsalam: PrepIQ used by thousands of UK SMEs, NHS trusts, and civil society groups, truly improving national cyber readiness. DefenceIQ having official partnerships with financial crime units and regulatory bodies, providing intelligence to the system instead of just serving individual organisations. And a funding round that allows me to hire a proper team and develop the commercial side alongside the free part, which is a commitment, not just a marketing tactic.
PT: You also plan to pursue a PhD. What will your research focus on?
Abdulsalam: Adversarial machine learning in network intrusion detection systems, specifically, keeping detection performance high even when adversaries actively test and adapt to your models. Most current studies assume a stable threat environment: a model is trained on labelled data, validated, and deployed. But in reality, advanced adversaries scout, discover detection limits, and craft ways to evade detection. This gap between lab performance and real-world issues is what I aim to study. The research ties directly to what I’m already building, both PrepIQ and DefenceIQ are at the crossroads of AI-assisted detection and accessible infrastructure. The PhD will allow me to contribute to this field from a practitioner’s viewpoint.
PT: What advice would you give someone from a non-technical background wanting to enter cybersecurity but feeling lost?
Abdulsalam: Find the specific issue that frustrates you. For me, it was watching organisations suffer from threats they could have handled with basic preparation, knowing nobody was making accessible tools for them. Anger can be a stronger motivator than a career plan. Start building before you feel ready, write before you feel qualified, speak before you think you’ve earned it. The true qualification comes from doing, not the other way around. If I had waited until I felt ready, PrepIQ wouldn’t be here.
Drop your comment
No comments yet — be the first to drop the gist 👇