Work with me

I have been working in IT security since 2000 — first building antimalware products used by over 100 million people at Avira, then founding Endpoint Cybersecurity GmbH to help companies build better security products and pass the audits that matter. The blog you’re reading is how I think in public. This page is about what it looks like to work together.

I take on a small number of engagements at a time, which means the work gets real attention — not a junior consultant with a checklist.

TISAX Audit Support

You’re a supplier to an automotive OEM, and you’ve been asked to achieve TISAX certification — probably AL2 or AL3. You may be preparing for your first assessment, or you received findings in a previous one and need to close them before the follow-up deadline.

What I help with: scoping your ISMS correctly for the assessment, working through the ISA catalogue requirements so you understand what evidence is actually expected, identifying gaps before the auditor does, and building a corrective action plan that is realistic and auditor-credible.

For AL3 specifically — which requires on-site assessment, unplanned interviews, and physical inspection — preparation depth matters significantly more than at AL2.

This is particularly relevant if your scope involves software development, cloud migration (Azure or private cloud), or a tech support operation, as these environments carry specific ISA requirements that are easy to underestimate.

Get in touch about TISAX support →

ISO 27001, NIS2, and CRA Compliance Support

You need to implement or improve an ISMS, close a compliance gap for NIS2, or understand what the EU Cyber Resilience Act means for your products. These frameworks overlap significantly, and the sequencing of work matters — doing them in the wrong order wastes effort.

What I help with: gap analysis against the relevant standard, scoping the ISMS correctly, mapping your existing controls to what the audit will look for, and making the SDLC part of your compliance posture rather than treating it as separate from it. I write about all three frameworks extensively on this blog — the engagements go considerably deeper than the articles.

Get in touch about compliance support →

Secure Software Development (SSDLC) Coaching

Your development team ships features, but security requirements get written vaguely, deprioritized in sprint planning, or discovered too late in the cycle. The problem is usually not that developers don’t care about security — it’s that no one has given them a repeatable way to think about it from the start.

What I help with: coaching developers and product owners on writing Security User Stories that are specific, testable, and survive sprint planning intact; integrating security checkpoints into your existing agile process without creating a parallel bureaucracy; and building the team’s ability to reason about threat models at the story level rather than only at architecture reviews. I have done this with teams building security products (antimalware, endpoint protection, automotive security software) as well as general enterprise software.

Get in touch about SSDLC coaching →

Security Product Consulting

You are building a security product — endpoint protection, mobile security, or something adjacent — and you need someone who has done it before at scale. Product strategy, threat modelling, feature prioritization, architecture review.

This is the broadest engagement type and the scope varies significantly by client. The starting point is always a conversation.

Get in touch about product consulting →

Who I typically work with

The clients who get the most from working with me tend to be software companies and tech suppliers in or entering the automotive industry who are facing a real compliance deadline, development teams that have grown past the point where security can stay informal, and product managers who need to speak the language of security without becoming security engineers themselves.

I work in English and German. Most of my clients are based in the EU.

Not sure which applies?

Describe your situation briefly on the Contact page and I will tell you whether and how I can help. I reply to every serious inquiry.