Services

I support startups, SMEs, enterprises, and public institutions across four areas: CTO-as-a-Service, development & architecture, hands-on workshops, and pentesting & security. You work directly with me, hands-on when needed, with a focus on sound technical decisions rather than buzzwords.

CTO-as-a-Service

I step into responsibility where important technology decisions need experience rather than hype. That can mean greenfield decisions after funding, or stabilizing teams and systems when an early technical setup has become messy. I've led a fintech startup from zero to go-live, supported production signature systems in PKI environments for more than 15 years, and worked with startups, SMEs, enterprises, and public institutions. I bring structure, sound architecture, modern engineering practices, and communication that works for both technical and non-technical stakeholders. My goal is long-lived systems, digital sovereignty, and trust-based collaboration.

Technology Strategy

Technology decisions shaped by team reality, business model, and regulatory constraints. I support stack selection, build-vs-buy decisions, and architecture roadmaps in a way that keeps your options open instead of locking you in too early. Digital sovereignty is part of that from the start: vendor dependencies, data location, and exit paths are considered up front.

Team & Process

I bring order to engineering teams when roles, responsibilities, and day-to-day processes are still too vague or simply do not hold up in practice. Together we establish clear ownership, solid Git-based workflows, useful documentation, sensible ticket processes, and CI/CD that helps delivery instead of getting in the way. What matters to me is that engineering, product, and management can talk about the same realities without talking past each other.

Modernization

I modernize systems that have grown over many years and are now too opaque, too fragile, or too dependent on a few individuals. Instead of promising a rewrite, I look at what business logic must be preserved, where the real risks are, and which sequence of steps makes sense. The goal is incremental modernization that does not endanger operations and gives the team a maintainable structure again, with AI-assisted analysis used selectively where it helps.

Technical Due Diligence

I provide an independent technical assessment when decisions have to be made under uncertainty: before investments, acquisitions, partnerships, or other major strategic commitments. That means looking beyond code quality to architecture, operational risk, technical debt, dependencies, and the team's actual ability to deliver. The result is a clear view of what is sound, where the risks are, and which assumptions need to be tested before moving forward.

Development & Architecture

I build web applications, APIs, and backend services hands-on, and I help with architecture, modernization, and cryptographically demanding systems. From browser-native frontends and maintainable backend services to signature and PKI solutions, I focus on technical decisions that teams can understand, operate, and evolve over the long term.

Web Applications

I build web applications, APIs, and backend services hands-on, from the user interface down to the infrastructure. Depending on the problem, I work with React, Vue, Spring Boot, Rails, Fastify, or deliberately framework-light approaches built on modern browser APIs. What matters to me is not what is fashionable, but what your team can understand, operate, and evolve over time.

Architecture Consulting

I help with system design, architecture reviews, and making sense of technical debt when complexity needs to be brought back under control. One of my strengths is spotting patterns, breaks, and unnecessary complexity in grown systems quickly and turning that into a clear technical direction. I frame architecture decisions in a way that lets engineering, product, and management understand the same consequences and make sound decisions together.

Digital Signatures & Cryptography

For more than 15 years, I have worked on digital signatures, PKI, and AdES-compliant systems — from projects in the EU Commission and ETSI context to production signature-as-a-service platforms. As a former maintainer of Ruby OpenSSL, I combine conceptual cryptography consulting with real implementation experience. That also includes post-quantum cryptography consulting and implementation, from migration strategies and hybrid approaches to preparing systems for the new NIST standards.

Legacy Migration

I modernize existing applications in a way that keeps them viable in day-to-day operation instead of buying change with longer outages or unnecessary risk. In practice, this often means grown monoliths, unclear ownership, outdated build or deployment processes, and codebases that only a few people still truly understand. I break these efforts down into realistic steps, prioritize risks, and restore a technical foundation that teams can work on sensibly again, with AI-assisted analysis used selectively where it helps.

Workshops & Training

475+ workshop days and counting. I run hands-on training on Git, AI-assisted development, modern languages & frameworks, and cryptography, many of them refined over more than 15 years. The content is built around real projects, real team problems, and exercises that transfer directly into day-to-day work. Article 4 of the EU AI Act requires companies to ensure sufficient AI literacy among their staff — my workshops cover exactly that, with certificates of completion available on request.

Git & GitOps

I have been teaching Git workshops for more than 15 years, and I teach Git as a concept, not as a collection of commands to memorize. From the basics through advanced team workflows with branching, code review, release management, and GitOps, participants learn what Git is doing internally and why certain strategies work. The result is more confidence in day-to-day work, even in more complex situations, and teams that collaborate more reproducibly and with less friction.

AI-Assisted Development

In my workshops, teams learn how to integrate AI assistants such as GitHub Copilot, Claude Code, or Cursor methodically into real development work, from design and implementation through testing, review, and CI/CD. We do not work with toy examples, but with realistic projects, real prompts, and results that can be examined and discussed. I also teach the 'Text First' methodology and show how AI-assisted development and AI-assisted legacy migration can be used productively without sliding into tool hype or blind trust.

Languages & Frameworks

I run hands-on training on Java, Spring Boot, Kotlin, TypeScript, Ruby/Rails, and other technologies teams actually use in practice. The focus is not just on syntax or feature lists, but on idiomatic use, modern language and framework concepts, and how to transfer them sensibly into existing projects. Whether your team is getting started, switching technologies, or updating its technical approach, the training is tailored to your stack, experience level, and concrete goals.

Cryptography & Security

For more than 15 years, I have been teaching cryptography in workshops — from the fundamentals of secure encryption through digital signatures, PKI, TLS, and post-quantum cryptography. The training combines solid understanding with concrete practical recommendations, so teams do not just use security mechanisms but actually understand their strengths, limits, and common failure modes. That also includes current topics such as hybrid approaches and migration strategies for the post-quantum era.

Pentesting & Security

I help with web pentests, code and security audits, technical reviews in the context of SOC 2, and cryptographic assessments all the way through post-quantum migration. My focus is on real risk, understandable findings, and measures that can actually be implemented in both technical and organizational terms, from web applications to security architecture.

Web Application Testing

I conduct practical penetration tests for web applications and REST APIs, mostly in typical web and backend environments. The focus is on realistically exploitable weaknesses, common attack paths, and the question of which risks actually matter for your specific operation. You do not get scanner output, but a clear assessment with prioritized findings and actionable recommendations.

Code Audits & SOC 2

I review codebases, security concepts, and development processes for technical risk, sound implementation, and common weaknesses. That includes code audits and security reviews as well as technical audits in the context of SOC 2, where traceability, process maturity, and defensible security measures matter. The goal is a realistic picture of what is sound, what needs improvement, and which risks have been overlooked so far.

Cryptographic Audits & Post-Quantum Cryptography

I review cryptographic implementations, protocols, and security architectures in the areas where standard pentests reach their limits: digital signatures, encryption, key management, PKI, and algorithm choices. This also includes post-quantum cryptography consulting and implementation, for example around migration strategies, hybrid approaches, and the question of which systems should be prepared today.

Security Consulting & Training

I help teams make security part of their architecture and development work rather than something checked only at the end. That ranges from threat modeling, secure architecture reviews, and Privacy by Design aligned with GDPR Article 25 to hands-on training for development teams covering common vulnerabilities, secure coding practices, and technical safeguards under GDPR Article 32.

Contact

Ready to get started?

Whether it's consulting, development, or training — you work directly with me, no juniors or subcontractors in between.