Take the compliance grind off your engineers - and keep the roadmap moving.

Keeping the software you ship compliant is never-ending work most engineers hate - and every hour on it is an hour off the roadmap.

  • A typical application carries ~911 third-party dependencies1
  • Newly-disclosed CVEs are up 263% since 20202
  • And AI is compounding it from three sides at once:
    • it finds vulnerabilities faster than manual research ever could3
    • coding tools increase the amount of code being shipped
    • attackers use it to shrink the window between disclosure and exploit

Is staying compliant stealing time from shipping features?

That’s where I come in. I take it off your engineers - matching your practice to your published policy, keeping it true, and handing you the evidence to defend it. Specialists doing daily what your team would rather not - so they stay on the features only they can build.

How we work with you

Three steps - none of them on your team’s plate.

See where you stand, close the gap, then keep it closed - handled outside your backlog.

01 · Know your risk

Know your risk

Where does real practice drift from the policy you signed?

A short, sharp review of how your shipping practice compares to your published SLAs - so you know exactly what needs doing before it blocks a release or a deal. No team time spent finding out.

  • A structured read against your published policy
  • The gaps ranked, with your top priorities
  • A readout for your team or board
02 · Close the gap

Close the gap

Handled outside your product backlog.

A fixed-fee project against your real deadline. I close the current gap, then build the automation that regenerates your compliance documentation - SBOM, human-signed VEX and policy-SLA evidence - from every build. Your engineers never own it: they ship, the roadmap keeps moving, and the evidence assembles itself.

  • Your current gap closed against a fixed deadline
  • Automation that regenerates your SBOM and evidence pack on every build
  • Human-signed VEX and policy-SLA reporting a buyer can trust
03 · Stay audit ready

Stay audit ready

The CVE triage your team keeps getting pulled into - owned.

Ongoing CVE triage and patch decisions - signed off by a person, not a bot - fed into the automation from step 2, so the documentation stays current and your engineers never get pulled off the roadmap to chase findings. Cheaper and more continuous than a full-time hire.

  • Human CVE triage and patch sign-off, continuously
  • Fed into your build automation so the evidence stays current
  • Current, audit-ready evidence, ready to hand over

Coverage and SLA depth scale to your estate.

Who I am

Twenty-five years in software engineering, DevOps, SRE, and release engineering at Pivotal, VMware, Shopify, and Mechanical Orchard. I work specifically on the supply-chain side: reproducible builds, SBOM generation, dependency provenance, CVE remediation pipelines. Lately I’ve been exploring where agent-assisted workflows can make the repetitive parts of SBOM analysis, vulnerability triage, and remediation evidence cheaper and faster: the patient, tedious work that usually makes engineers want to quit. Based in Dublin.

Book a policy gap review

Pick a slot for a policy gap review - a short, fixed-fee read of where your real practice stands against the policy you’ve published, and what it would take to close the gap.

Scheduler not loading, or none of the slots work? Email me directly: [email protected]

References
  1. Black Duck Software. 2025 Open Source Security and Risk Analysis (OSSRA) Report. 2025. Sample: 965 commercial codebases across 16 industries, calendar year 2024. blackduck.com/…/rep-ossra.pdf
  2. National Institute of Standards and Technology (NIST). National Vulnerability Database - CVE submission statistics, 2020 - 2025. nvd.nist.gov/general/nvd-dashboard
  3. Anthropic. Project Glass Wing - Claude Mythos vulnerability-discovery research announcement. 2026-04-07. Named zero-days include a 27-year-old OpenBSD TCP flaw, a 16-year-old FFmpeg codec flaw, and CVE-2026-4747 (FreeBSD NFS RCE). anthropic.com/glasswing
  4. European Union. Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA). Article 19 reporting cadence: initial notification within 4 hours of classification; intermediate report within 72 hours; final report within one month. eur-lex.europa.eu/eli/reg/2022/2554/oj
  5. European Union. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act). Requires vendors to declare vulnerabilities, provide security updates for the product's support period, and notify ENISA of actively exploited vulnerabilities within 24 hours. eur-lex.europa.eu/eli/reg/2024/2847/oj