Security & Compliance

A customer wants SOC 2.
The deal is on the clock.

I build the technical controls and evidence to pass SOC 2 and ISO 27001 audits and to meet GDPR and HIPAA requirements, and make your system safer while doing it. From an engineer who ships in healthcare, GovTech, and regulated SaaS, not a checklist consultant.

Sound familiar?

When compliance becomes a blocker

An enterprise deal is gated on SOC 2

Your biggest prospect's security team sent a questionnaire and won't sign without a SOC 2 report. Revenue is waiting on a control framework you don't have yet.

The auditor's findings are all technical

Encryption gaps, weak access controls, no audit logging, secrets in code. The policy docs are fine — the system isn't. You need an engineer, not a GRC tool.

GDPR is a vague worry, not a plan

Personal data flows you can't fully map, no deletion process, unclear data residency. Fine until a data subject access request, or a regulator, arrives.

Security is "we'll get to it"

No threat model, no dependency scanning, secrets management ad-hoc. One incident away from a very bad week — and you know it.

How I work

From gap to evidence

1. Scan — free 30-min call

Tell me the framework (SOC 2 / ISO 27001 / GDPR / HIPAA), the deadline, and the trigger. I tell you the realistic technical gap, the effort, and what an auditor will actually look at. Honest scoping, no fear-selling.

2. Gap assessment

Map your current technical controls against the framework: access control, encryption, logging/monitoring, change management, vulnerability management, data handling. Prioritised remediation list with effort and risk.

3. Remediate & evidence

Implement the controls with your team — IaC, CI checks, logging, secrets management — and produce the evidence auditors want. Controls that survive after the badge, not theatre for audit week.

What I cover

The technical controls behind the badge

Access control & IAM

Least-privilege roles, MFA, SSO, access reviews. The control auditors probe first.

Encryption

At rest and in transit, key management, TLS config. Verified, not assumed.

Audit logging & monitoring

Tamper-evident logs, alerting, retention. Prove who did what, when.

Vulnerability management

Dependency scanning, patching cadence, SAST/DAST in CI. Findings tracked to closure.

Data handling & GDPR

Data mapping, residency, retention, deletion/DSAR process, processor agreements.

Evidence & docs

The technical evidence auditors request, mapped to controls. Less scramble, faster audit.

Engagement options

Three ways to work together

Free

30-min scan

$0

  • ✓ Realistic technical gap
  • ✓ Effort to your deadline
  • ✓ What the auditor checks
Book the scan
Most chosen

Fixed scope

Gap assessment

1-2 weeks

  • ✓ Controls mapped to framework
  • ✓ Prioritised remediation list
  • ✓ Effort & risk per item
  • ✓ Auditor-ready evidence plan
Request a quote

Hands-on

Remediation sprint

From 4 weeks
long-term if needed

  • ✓ Implement controls with your team
  • ✓ IaC, CI checks, logging, secrets
  • ✓ Evidence collected as we go
  • ✓ Audit-prep support
Talk through scope

Common questions

Are you an auditor / can you certify us?

No, and that is by design. A SOC 2 report or ISO 27001 certificate has to come from an independent auditor, and if I built your controls I cannot also audit them. I am the engineer who makes you pass: I build and evidence the technical controls and work alongside your chosen auditor or compliance platform (Vanta, Drata, etc.).

Do you work with Vanta / Drata / Secureframe?

Yes. Those platforms automate evidence collection but still need an engineer to implement the actual controls they monitor. I plug into whatever you use and close the technical gaps it flags.

SOC 2, ISO 27001, GDPR, HIPAA — which do you cover?

The technical controls overlap heavily across all of them, and I cover that overlap: access, encryption, logging, vulnerability management, data handling. For the org/policy side I coordinate with your compliance lead or auditor.

We have a deadline. Can you move fast?

Yes — deadline-driven compliance is the common case. The gap assessment is 1-2 weeks; remediation is scoped to hit your audit window. I tell you up front what is realistic and what has to be a documented exception.

What makes you different from a GRC consultant?

I write the code and configure the infrastructure. Most compliance consultants hand you a spreadsheet of gaps and leave the engineering to you. I close them — with experience shipping in regulated SaaS and GovTech.

Stop letting compliance block the deal

30 minutes, your framework and deadline, an honest read on the technical gap and how fast it closes.