I’ve spent 25 years in security, and watching the news cycle of breaches never gets less frustrating. Another company compromised. Another million records stolen. Another ransomware payment. What makes it worse is that most of these incidents didn’t have to happen. While working at Google and Stripe, I helped develop security invariants which are technical controls that categorically eliminate entire attack surfaces. I wanted to understand which invariants were most effective, so I set out to analyze data breaches systematically.