Your patch-management policy, finally running as a daily practice - and evidenced.

You’ve been asking for this for years. Meanwhile the backlog grows and everything else is already on fire.

  • A typical application carries ~911 third-party dependencies1
  • Newly-disclosed CVEs are up 263% since 20202
  • And AI is compounding it from three sides at once:
    • it finds vulnerabilities faster than manual research ever could3
    • coding tools increase the amount of code being shipped
    • attackers use it to shrink the window between disclosure and exploit

One more fire, and still no headcount to fight it?

That’s where I come in. I run your vulnerability and patch-management policy as a daily practice - SBOMs, human-signed VEX, remediation to your SLAs - and keep the audit-ready evidence current. The control you’ve been fighting for finally holds, without another hire.

How we work with you

Three steps to a control that actually holds.

See where you stand, close the gap, then keep it closed - evidenced continuously.

01 · Know your risk

Know your risk

Exactly where you’re out of SLA, ranked.

A structured read of current practice against every SLA you’ve committed to in ISO 27001, SOC 2, or a customer contract - the gaps ranked, with the evidence behind each finding.

  • A structured read against your published policy
  • The gaps ranked, with your top priorities
  • A readout for your team or board
02 · Close the gap

Close the gap

The control built to last, with evidence that regenerates itself.

A fixed-fee project against a real deadline. I clear the current gap to your SLAs, then build the automation that regenerates your compliance documentation - SBOM, human-signed VEX and policy-SLA evidence - on every release, so “compliant” survives the next build, not just the audit.

  • Your current gap closed against a fixed deadline
  • Automation that regenerates your SBOM and evidence pack on every build
  • Human-signed VEX and policy-SLA reporting a buyer can trust
03 · Stay audit ready

Stay audit ready

The control runs daily - signed off by a human.

Ongoing CVE triage and patch decisions - signed off by a person, not a bot - fed into the automation from step 2, so the documentation stays current and the vulnerabilities that matter actually get handled. The function you’ve been asking for, resourced at last, without another headcount.

  • Human CVE triage and patch sign-off, continuously
  • Fed into your build automation so the evidence stays current
  • Current, audit-ready evidence, ready to hand over

Coverage and SLA depth scale to your estate.

Who I am

Twenty-five years in software engineering, DevOps, SRE, and release engineering at Pivotal, VMware, Shopify, and Mechanical Orchard. I work specifically on the supply-chain side: reproducible builds, SBOM generation, dependency provenance, CVE remediation pipelines. Lately I’ve been exploring where agent-assisted workflows can make the repetitive parts of SBOM analysis, vulnerability triage, and remediation evidence cheaper and faster: the patient, tedious work that usually makes engineers want to quit. Based in Dublin.

Book a policy gap review

Pick a slot for a policy gap review - a short, fixed-fee read of where your real practice stands against the policy you’ve published, and what it would take to close the gap.

Scheduler not loading, or none of the slots work? Email me directly: [email protected]

References
  1. Black Duck Software. 2025 Open Source Security and Risk Analysis (OSSRA) Report. 2025. Sample: 965 commercial codebases across 16 industries, calendar year 2024. blackduck.com/…/rep-ossra.pdf
  2. National Institute of Standards and Technology (NIST). National Vulnerability Database - CVE submission statistics, 2020 - 2025. nvd.nist.gov/general/nvd-dashboard
  3. Anthropic. Project Glass Wing - Claude Mythos vulnerability-discovery research announcement. 2026-04-07. Named zero-days include a 27-year-old OpenBSD TCP flaw, a 16-year-old FFmpeg codec flaw, and CVE-2026-4747 (FreeBSD NFS RCE). anthropic.com/glasswing
  4. European Union. Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA). Article 19 reporting cadence: initial notification within 4 hours of classification; intermediate report within 72 hours; final report within one month. eur-lex.europa.eu/eli/reg/2022/2554/oj
  5. European Union. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). Requires vendors to declare vulnerabilities, provide security updates for the product's support period, and notify ENISA of actively exploited vulnerabilities within 24 hours. eur-lex.europa.eu/eli/reg/2024/2847/oj