Every engagement is led by me directly. No junior staff, no handoffs, no bait-and-switch.
Executive Security Advisory
For boards, executive teams, and CISOs navigating high-consequence security decisions.
Board Briefings — Clear, calibrated assessments of organizational security posture, emerging threats, and strategic risk. Designed for directors and executives who need signal, not jargon.
CISO Advisory — Strategic counsel for security leaders on program direction, team structure, vendor evaluation, budget justification, and organizational positioning. Built on experience as a CISO, a founder, and an OWASP board chair — I understand the role from every angle.
Organizational Security Readiness — Assessment of whether your security function is structured, staffed, and positioned to handle what’s coming. Especially valuable during rapid growth, pre-IPO, or board-level scrutiny.
AI Security Strategy
AI is changing how software gets built and how it gets attacked. Most organizations are moving faster on adoption than on governance.
AI Security Governance — Policies, risk frameworks, and controls for organizations deploying AI tools and building AI-powered products. Covers prompt injection, data leakage, model supply chain, and responsible use — grounded in what actually works, not theoretical frameworks.
AI-Powered Security Tooling — I build custom security automation using LLMs (Claude, Codex) for vulnerability discovery, code analysis, and remediation. If you want to understand what AI can actually do for your security team, I can show you — with working tools, not slide decks.
AI Application Security — Security architecture and assessment for AI-powered applications, covering the threat landscape that traditional AppSec reviews miss.
Quantum / PQC Readiness
Every enterprise CISO is asking what quantum computing means for their security posture. After five years inside a public quantum computing company, I give concrete answers — not theoretical hand-waving.
Quantum Threat Assessments — End-to-end analysis of your cryptographic exposure. I dissect your protocols (TLS, SSH, blockchain), extract vulnerable cryptographic material, map quantum attack vectors (Shor’s, Grover’s), and deliver actionable reports with timelines and migration priorities.
Post-Quantum Migration — Cryptographic inventory, PQC algorithm selection (ML-KEM, ML-DSA, SLH-DSA), migration roadmaps prioritized by “harvest now, decrypt later” risk, and validation testing of PQC implementations.
PQC Readiness Assessments — Lightweight infrastructure scans to identify non-quantum-resistant cryptography and build a prioritized remediation plan.
Security Program Build-Out
Building security programs from scratch is what I’ve done my entire career — at IonQ, at Jemurai for dozens of clients, and at Trustwave for security products.
Fractional CISO / vCISO — Experienced security leadership without a full-time hire. I’ve delivered this model for years, including my initial engagement at IonQ, which started as a fractional CISO role before converting to full-time.
Zero-to-Audit Program Build — Framework selection (NIST 800-53, ISO 27001, SOC 2), policy development, control implementation, team hiring, vendor selection, and audit preparation. I’ve taken organizations from nothing to certified.
M&A Security Due Diligence — I’ve managed security through six acquisitions at IonQ. Target company security assessments, risk identification, and integration planning.
Technical Due Diligence & Architecture Review
For investors, acquirers, and executive teams who need a credible technical assessment before making decisions.
Acquisition Due Diligence — Deep technical and security assessment of target company infrastructure, code, and practices. Not a checklist — a judgment call from someone who has been on both sides of M&A.
Architecture Review — Security-focused assessment of system design, cloud infrastructure, and software architecture. I read code and understand systems at the engineering level.
Code Review — Security review of critical codebases. I’ve spent decades writing software in Python, Go, Ruby, Java, and JavaScript — my reviews reflect a practitioner’s understanding of what’s actually exploitable versus what’s theoretical.
How I Work
- Direct engagement. I do the work. Every deliverable has my name on it.
- Technical credibility. I write code, read code, and understand systems at the engineering level. Recommendations land because they come from someone technical teams respect.
- Actionable output. Clear, prioritized recommendations. Not 200-page reports that sit on a shelf.
- Flexible models. Advisory retainers, project-based engagements, or fractional leadership — structured to fit your needs.