Security consulting for SaaS and fintech

Web application penetration testing, API security testing, AWS and cloud security audits, Kubernetes and DevSecOps reviews. 7+ years securing production environments.

I help CTOs and engineering teams find and fix vulnerabilities before they become incidents. Services include application security testing, cloud security assessment, and security architecture consulting—with clear deliverables and remediation guidance.

  • 7+ years security engineering
  • Cloud-native infrastructure
  • Fintech and SaaS environments
  • Compliance-aware security

Experience across production environments

Types of platforms and environments I regularly secure.

SaaS platforms

Multi-tenant application architectures and API ecosystems.

Fintech systems

Security assessments for payment and transaction platforms.

Kubernetes infrastructure

Container orchestration security and cluster hardening.

AWS / GCP cloud environments

Cloud-native security architecture and auditing.

CI/CD pipelines

DevSecOps automation and secure software delivery.

Security services

For SaaS startups, fintech companies, and engineering teams. Each engagement includes defined scope, findings with risk ratings, and remediation guidance.

Pricing varies by scope; see each service for indicative ranges. Book a consultation to discuss your needs.

Web Application Penetration Testing

Manual testing of web applications against the OWASP Top 10. Find authentication, access control, and injection issues before they are exploited.

  • Executive summary
  • Technical findings with CVSS scores
  • Proof-of-concept for critical/high
  • Remediation guidance

€4k – €12k

API Security Testing

Dedicated assessment of REST and GraphQL APIs: authentication, authorization, injection, and business logic flaws. Aligned with the OWASP API Security Top 10.

  • API-specific findings report
  • CVSS ratings
  • Proof-of-concept
  • Remediation guidance

€3k – €10k

AWS Security Audit

CIS Benchmark-aligned review of IAM, S3, networking, and logging. Identify misconfigurations and excessive permissions that could lead to data exposure or account takeover.

  • CIS-aligned report
  • IAM & S3 exposure review
  • Prioritized remediation
  • Re-test option

€3k – €10k

Kubernetes Security Review

Cluster hardening, RBAC, secrets management, and workload security. For teams running containerized workloads in production.

  • Cluster security report
  • RBAC and policy review
  • Secrets and config findings
  • Remediation plan

€3k – €9k

DevSecOps Security Assessment

Review of CI/CD pipelines, supply chain security, and security tooling. Identify gaps in SAST, DAST, SCA, and deployment practices.

  • Pipeline security report
  • Tool and process recommendations
  • Prioritized improvements
  • Implementation guidance

€3k – €8k

GRC / Security Program Setup

ISO 27001 and SOC 2 readiness: gap assessment, policies, risk register, and audit preparation. For SaaS and fintech preparing for certification.

  • Gap assessment
  • Policies and procedures
  • Risk register
  • Audit readiness support

€4k – €12k

How I work

A clear, repeatable process for every engagement.

1. Discovery & scope

We align on objectives, scope, and rules of engagement.

2. Security testing

Testing or audit per agreed methodology (OWASP, CIS, etc.).

3. Reporting & follow-up

Executive and technical report; optional re-test and remediation support.

Security Philosophy

How I approach every engagement.

Practical security

Focus on risks that matter to your business. Prioritize findings by impact and likelihood, not by checklist volume.

Developer-friendly remediation

Clear, actionable guidance that your team can implement. No jargon-heavy reports—concrete steps and code-level advice where useful.

Risk-based prioritization

Not every finding is equal. I help you decide what to fix first and what to accept or defer, aligned with your risk appetite.

Automation-first mindset

Recommendations that scale: secure defaults, CI/CD checks, and repeatable processes so security improves with every release.

Security & Payments

Safe practices for what to publish and how to accept payments.

  • Pricing ranges are OK to publish on the site.
  • Do not publish: IBAN, bank account number, home address, billing address, invoice samples with real metadata, or personal VAT ID (or equivalent).
  • Prefer trusted payment platforms (e.g. Stripe, PayPal Checkout, Calendly with payment) instead of publishing bank transfer details on the site.

Ready for a security assessment?

Web app pentest, API security testing, AWS or Kubernetes audit, or DevSecOps review—get in touch for a no-obligation consultation.

Book consultation

Support my work

If my articles, case studies, or security resources helped you, you can support my work. Your support helps me maintain free content and keep publishing practical security guides.

Revolut

Quick support in seconds.

Bank transfer (EUR)

If you prefer a traditional bank transfer, request the IBAN and bank details via the contact form.

Support is optional. For consulting or security work, please use the Services or Contact pages.