Compliance just became part of how you ship software.
Your engineering team is already busy.
I help software vendors deliver the compliance evidence their enterprise customers and auditors now require — SBOMs, licence notices, build provenance, VEX statements, and timely CVE patches — without pulling your team off the roadmap.
Regulated buyers — banks, hospital systems, government — now require SBOMs and ongoing CVE remediation as a condition of contract. If one of these is happening to you right now, we should probably talk.
01
A renewal you'd already won is sitting in procurement, not moving.
Your customer's security team has sent a vendor questionnaire asking for an SBOM, dependency licence attestations, and your CVE remediation SLA. Your sales team is asking when they'll get an answer.
02
Your last ISO 27001 audit flagged supply-chain vulnerability management.
The auditor wants documented evidence that you continuously monitor and remediate CVEs in your dependencies, in a form they can sign off on. You produce a vulnerability scan once a quarter and email it to whoever asks.
03
The release line that pays the bills isn't the one your team is working on.
Your anchor customers are still on the older product line, and they're now demanding SBOMs, licence notices, and timely CVE patches as a condition of renewal. Your engineering team is on the next product and not coming back.
04
You've signed your first regulated enterprise customer, and their contract has teeth.
The clause your legal team agreed to commits you to remediating CRITICAL CVEs within 48 hours and producing evidence in a form the customer's compliance team accepts. You don't currently have a process that can meet that.
05
A CRITICAL CVE last month cost your team eight engineering days.
Four days establishing whether you were actually exploitable, three days producing a patched build, one day writing the customer notification. Your CTO would prefer this not be a recurring monthly event.
06
You sent your customer the SBOM they asked for. Their security team rejected it.
Components without licences. No provenance attestation. No VEX. The vulnerability scan attached separately and already out of date. The deal is no longer "pending compliance review" — it's stuck.
What I do about it
Three things, in the order most engagements progress.
The assessment is the foot in the door. The pipeline is the durable artefact. The retainer is what turns compliance from a recurring fire drill into a fixed monthly cost.
Most relevant for your situation
01 · Assessment
Compliance assessment
A short, fixed-scope engagement to map what you actually need to produce against the regime you're being held to — CRA, DORA, NIS2, ISO 27001, or a specific customer's questionnaire. You finish with a written gap analysis, a prioritised remediation list, and a defensible answer to "what do we need and what does it cost?"
02 · Build
Compliance release pipeline
I build, alongside your existing CI, a release pipeline that takes the artifacts you already produce and packages them with the compliance evidence — SBOM, licence notices, provenance attestation, VEX — automatically generated and signed at every release. After delivery, every future release of yours produces an audit-ready evidence bundle without your team thinking about it.
03 · Retainer
Ongoing CVE retainer
A monthly retainer that watches the CVE feeds against your shipping artifacts, triages each finding against your actual deployment context, produces patched releases inside the SLA windows your customer contracts demand, and keeps the VEX and SBOM artifacts current. You stop being in permanent reactive mode; the customer's security team gets evidence in the form they already accept.
Who I am
Dublin-based. Twenty-five years in software engineering, DevOps, SRE, and release engineering — Pivotal, VMware, Shopify, Mechanical Orchard. I work specifically on the supply-chain side: reproducible builds, SBOM generation, dependency provenance, CVE remediation pipelines. I work on Nix when the stack benefits from it, particularly for legacy and end-of-life runtimes that other toolchains handle badly, and on whatever else the situation needs when it doesn't.
Get in touch
Thirty minutes, no pitch deck.
This is customer discovery. I want to understand whether the problem you're facing is one I can actually help with — and whether the way I'm describing it on this page lands the way I think it does. Pick a slot below.