Offerings

Project phases or ongoing engagement.

Most builds run as phased projects: discovery, build, review — each phase is its own SOW with caps and clear deliverables. For systems already delivered, the post-build maintenance retainer keeps them running.

SD‑T0
Discovery & Architecture
1–2 weeks
Define what you're actually building. Requirements gathering, system architecture, technology selection, threat model, build estimate. Deliverable is a written architecture brief and a phased build proposal with order-of-magnitude pricing. The brief is yours regardless of whether you continue with me for the build.

SD‑T1
Production Software Build
2–6 weeks per phase
Build a defined application, service, or tool. Backends and APIs, web apps, internal tools, CLIs, automation, data pipelines, integrations between systems. Authentication, authorization, secrets management, logging, and input handling are part of the design from day one — not a security review at the end. Phased delivery with not-to-exceed caps per phase.

SD‑T2
ML/AI Integration
3–6 weeks
Add ML or AI capability to an existing product. Includes use-case definition (model training vs. off-the-shelf inference vs. LLM-assisted vs. heuristics), evaluation methodology, and security review of the data path and model boundaries. Avoids ML where a rule-based approach works better. For teams who need someone honest about whether AI is the right answer.

SD‑T3
Sensor & Data Aggregation Systems
4–8 weeks per phase
End-to-end data systems for industrial, OT, or product telemetry. Sensor inventory and transport (MQTT, gRPC, OPC-UA), ingestion, time-series storage, downstream ML or analytics, and security architecture across the full path. Built for teams running sensor or IoT workloads who need the system to be functional without becoming the breach vector.

SD‑T4
Code & Architecture Review
1–3 weeks
Review of an existing codebase or system. Threat model, security findings, dependency and supply-chain analysis, and remediation guidance with priority ranking. Useful before launch, before an enterprise security review, or when something feels off and you want a second set of eyes. Read-only — no changes to your code.

SD‑TR
Post-Build Maintenance & Support
Monthly engagement, quarterly milestones
Ongoing support for systems I've already built and shipped. Monthly: bug fixes, dependency updates, security patches, minor feature work, and questions on operating the system. Quarterly: dependency and supply-chain audit, threat model refresh, and an assessment of the risk that has accumulated as the system has evolved. The retainer keeps a delivered system maintained and current. New builds, major feature work, or net-new product development are separate engagements scoped under the build tiers above.
Pricing: Discovery engagements start at $8,500 fixed-fee. Build phases scoped per-SOW after discovery. Review work fixed-fee or hourly depending on size. Post-build maintenance retainer starting at $5,500/month for systems I've built. Reach out to discuss scope.
How this differs from a typical dev shop: Every engagement includes a written threat model and security architecture as part of the deliverable, not as a separate add-on. The same person who tests your system after it's built is the one designing it. AI/ML Security and Cloud Security work pair naturally with build engagements.
Stack

What I reach for first.

I default to boring, well-understood technology. Bespoke choices come from genuine fit, not novelty.

Python, Go, JavaScript, TypeScript, HTML / CSS, FastAPI, Flask, SQLite, PostgreSQL, Redis, REST / gRPC, MQTT, GCP, AWS, Terraform, Ansible, Docker, GitHub Actions, Vertex AI, OpenAI / Anthropic APIs, promptfoo

Other languages and frameworks are negotiable per project. The above are defaults — what I reach for first when there's no constraint forcing a specific choice.

Contact

Build it right the first time.

Most projects start with a one-week discovery so we both know what we're committing to before any code gets written. Tell me what you have in mind.
