I offer security consulting and contracting services through Room 641A, a boutique security practice I founded in 2023. I work with companies of all sizes, with a particular focus on early- and mid-stage technology startups that need to build security into their operations before they have capacity to take on a full-time security team.
Engagements are available on a retainer or project basis. If your need doesn’t fit neatly into one of the categories below, get in touch — the most interesting problems rarely do.
I take on a limited number of clients at any given time. I’m selective about the work I accept — not to be precious about it, but because I have a limited amount of available time and I’m committed to giving every engagement the attention it deserves. If we’re going to work together, it should be a genuine fit for both of us.
For organizations that don’t yet have dedicated security leadership, I offer ongoing advisory relationships designed to build a security program that fits your stage and risk profile — without the overhead of a full-time hire. This typically means a monthly retainer covering security strategy, risk assessment, vendor evaluation, compliance guidance, and serving as an on-call security voice for engineering and leadership decisions. If you’re a founder or CTO making security decisions by instinct, this engagement gives you a security leader in your corner.
Full-scale adversary simulations designed to answer the question a long list of vulnerabilities can’t: what does a real attack against your organization actually look like? Engagements are scoped collaboratively, run from one to twelve months in length, and include post-engagement work with your defensive teams to close the gaps we find.
Scoped assessments targeting production networks, corporate networks, or the networks that bridge them — covering web applications, network services, workstations, and lateral movement between environments. Useful for validating security posture, meeting SOC 2 requirements, or stress-testing a new architecture. Typically three to six weeks of active testing followed by one to two weeks of reporting and debrief.
White-box and black-box assessments focused on the vulnerabilities that matter most: business logic flaws that produce real security impact, not just a report full of automated scanner output. I specialize in Python applications, with experience across PHP, Ruby, JavaScript, and Go. Scope and duration vary based on application complexity.
Static analysis for mission-critical or pre-release software. Can include setup and integration of automated analysis tooling into your CI/CD pipeline so the scrutiny doesn’t stop when the engagement ends.
Helping engineering teams ship faster without compromising on security or reliability. Container migration, reproducible deterministic builds, managed cloud deployment (AWS-focused), and CI/CD pipeline design and optimization. Particularly well-suited for startups moving from “it works” to “it works securely at scale.”
Customized training programs for new or established red teams. Covers adversarial thinking, engagement planning, tabletop exercises, and architecture reviews — built around your team’s specific gaps rather than a generic curriculum.
Strategic guidance on building and operating continuous attack surface monitoring capabilities. You can’t protect what you don’t know about — this engagement focuses on helping your team develop visibility into what you’re actually exposing to the world.
If your need doesn’t fit one of the above, reach out anyway.