Stop losing deals at security review.

Enterprise buyers now demand your SBOM, open-CVE list and patch evidence before they sign. I get it ready - and keep it ready - so security review stops stalling your deals.

Producing that evidence on demand is never-ending work - and buyers ask for more of it every quarter.

  • A typical application carries ~911 third-party dependencies1
  • Newly-disclosed CVEs are up 263% since 20202
  • And AI is compounding it from three sides at once:
    • it finds vulnerabilities faster than manual research ever could3
    • coding tools increase the amount of code being shipped
    • attackers use it to shrink the window between disclosure and exploit

How much revenue is sitting in security review right now?

That’s where I come in. When a buyer’s security review lands, you have the SBOM, the evidence, and the remediation timeline ready to hand over - so the deal keeps moving instead of stalling in procurement. I close the gap, keep it closed, and give you the pack.

How we work with you

Three steps to stop deals stalling on security review.

See where a buyer’s review will land, close the gap, then stay ready for the next one - with proof at every step.

01 · Know your risk

Know your risk

What will the next buyer’s security review turn up?

A short, plain-English read of where your real practice stands against the policy you’ve published - so you find the gaps before a prospect’s security team does. A readout you can take straight to the board.

  • A structured read against your published policy
  • The gaps ranked, with your top priorities
  • A readout for your team or board
02 · Close the gap

Close the gap

Clear it before it blocks the next deal or renewal.

A fixed-fee project against a real deadline - a contract waiting on security sign-off, an audit, a CRA or DORA obligation. I close your current gap, then build the automation that regenerates your compliance documentation - SBOM, human-signed VEX and policy-SLA evidence - from every build. Your latest state stays documented and ready to hand a buyer, without anyone reassembling it by hand.

  • Your current gap closed against a fixed deadline
  • Automation that regenerates your SBOM and evidence pack on every build
  • Human-signed VEX and policy-SLA reporting a buyer can trust
03 · Stay audit ready

Stay audit ready

Someone owning your CVE triage - so the evidence never goes stale.

Cheaper than a full-time hire. Ongoing CVE triage and patch decisions - signed off by a person, not a bot - fed into the automation from step 2, so your documentation stays current and the vulnerabilities that actually matter keep getting handled. You’re never again holding up a deal while someone digs out fresh evidence.

  • Human CVE triage and patch sign-off, continuously
  • Fed into your build automation so the evidence stays current
  • Current, audit-ready evidence, ready to hand over

Coverage scales to your business.

Who I am

Twenty-five years in software engineering, DevOps, SRE, and release engineering at Pivotal, VMware, Shopify, and Mechanical Orchard. I work specifically on the supply-chain side: reproducible builds, SBOM generation, dependency provenance, CVE remediation pipelines. Lately I’ve been exploring where agent-assisted workflows can make the repetitive parts of SBOM analysis, vulnerability triage, and remediation evidence cheaper and faster: the patient, tedious work that usually makes engineers want to quit. Based in Dublin.

Book a policy gap review

Pick a slot for a policy gap review - a short, fixed-fee read of where your real practice stands against the policy you’ve published, and what it would take to close the gap.

Scheduler not loading, or none of the slots work? Email me directly: [email protected]

References
  1. Black Duck Software. 2025 Open Source Security and Risk Analysis (OSSRA) Report. 2025. Sample: 965 commercial codebases across 16 industries, calendar year 2024. blackduck.com/…/rep-ossra.pdf
  2. National Institute of Standards and Technology (NIST). National Vulnerability Database - CVE submission statistics, 2020 - 2025. nvd.nist.gov/general/nvd-dashboard
  3. Anthropic. Project Glass Wing - Claude Mythos vulnerability-discovery research announcement. 2026-04-07. Named zero-days include a 27-year-old OpenBSD TCP flaw, a 16-year-old FFmpeg codec flaw, and CVE-2026-4747 (FreeBSD NFS RCE). anthropic.com/glasswing
  4. European Union. Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA). Article 19 reporting cadence: initial notification within 4 hours of classification; intermediate report within 72 hours; final report within one month. eur-lex.europa.eu/eli/reg/2022/2554/oj
  5. European Union. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). Requires vendors to declare vulnerabilities, provide security updates for the product's support period, and notify ENISA of actively exploited vulnerabilities within 24 hours. eur-lex.europa.eu/eli/reg/2024/2847/oj