Security expertise for companies that need a real program without full-time headcount. I work with early to growth-stage B2B SaaS, developer tools, and edtech.
Build a program that fits your stage
From first SOC2 to FedRAMP and the EU AI Act, I design controls that reduce real risk and integrate with how your team already works. Not controls that exist to satisfy an auditor and collect dust.
I use AI tooling to accelerate the slow parts: policy drafting, control mapping, evidence templates. That frees up time for the decisions that actually matter for your company.
Engineering solutions for compliance problems
I build automation that closes the gap between your security stack and your compliance requirements. FedRAMP continuous monitoring, SOC2 evidence collection, GDPR data mapping: all of it wired up to your actual infrastructure, not a spreadsheet.
Recent examples: SSP generation from Terraform, AI-assisted POAM triage integrated with GitHub Issues, and RAG pipelines that answer auditor questions against your own control documentation.
Security that fits the roadmap
Architecture review, threat modeling, and security guidance for product teams. I help you make the calls that come up constantly: what to build in, what to defer, what to buy.
This includes secure development lifecycle design, AI feature security review (model access, prompt injection, data handling), tool selection, and working directly with engineering on implementation.
Ongoing security depth without full-time headcount
Strategic guidance, architecture reviews, and help with the security decisions that come up week to week. Good fit for companies with an existing program that needs a technical second opinion, or earlier-stage teams building security from scratch.
I write and publish openly about what I'm learning, including how AI tooling is changing security work. If you want a partner who's thinking about this seriously, not just billing hours, reach out.
Security education that sticks
Workshops and training programs for engineering and product teams. Secure coding, cloud security, threat modeling, AI system security: tailored to your stack, not off a shelf.
Formats range from a single afternoon workshop to an ongoing developer education program. The goal is building real security intuition, not getting a checkbox signed off.
Right-size permissions and reduce identity risk
A full audit of your IAM posture across cloud providers, SaaS tools, and internal systems. I find overprivileged accounts, stale credentials, and access gaps, then help you fix them: least-privilege policies, role-based access models, access review processes.
I use AI-assisted analysis to get through large permission sets faster, so audits take days, not weeks.
Whether you have a specific security challenge or want to discuss building out your security program, I'd like to hear from you. Reach out at:
alex@engseclabs.com
Or use the form to tell me about what you're working on.