Secure development that keeps delivery fast.
I'm Tomáš Volný. I help engineering teams reduce security risk with practical guardrails, threat modeling, and secure-by-default patterns so security supports development, not blocks it.
- fewer vulnerabilities in production
- fewer surprises before release
- faster approvals and clear priorities
I turn offensive security experience into clear priorities and practical decisions during development — from threat modeling to CI/CD guardrails that actually hold.
Who I help
My work is most useful when security needs to be practical – with clear priorities and real impact on development. Typically in situations where the same findings recur, approvals are unclear, and there's a lack of minimum standards for basic security practices and the release process.
CTO / Tech lead
Security roadmap and risk-based prioritization. I help set up a plan for what to address now vs later, who is responsible for what, and which guardrails to include in the delivery process so the team doesn't lose momentum.
Dev teams
Practical secure coding habits and guidance for code review on your stack. I provide secure defaults, checklists, and simple rules that can be integrated into daily work without unnecessary theory.
Enterprise teams
Less friction between security, architecture, and development, more predictability. We set up reasonable guardrails, a clear approval path, and a way to collaborate with stakeholders so releases are calmer and more predictable.
Startups
Secure foundations quickly and pragmatically. I help you set up simple rules and a few key guardrails so risks are addressed continuously and development stays fast.
Core services
I focus on practical SSDLC and AppSec — security embedded directly into development and delivery. From a quick assessment of your development process maturity via OWASP SAMM to implementing checkpoints in CI/CD and making architecture decisions — always with clear priorities and concrete outputs for the team.
- Risk-based priority list + owners
- SSDLC minimum baseline for the team
- CI/CD guardrails and security gates
- Short playbooks (Top 10, auth, secrets)
OWASP SAMM Maturity Assessment
A clear view of development maturity and what to address first.
When security is handled ad hoc, priorities are unclear, or you need a shared language between the CTO and security.
- Practical SAMM-based maturity view focused on real weak spots rather than checklist-driven box-ticking
- Prioritized roadmap (quick wins vs. system changes)
- Risk-based plan with owners (who fixes what, and why)
1–2 short workshops + an action-focused summary
CI/CD Pipeline Hardening
Make releases more predictable: fewer late surprises and fewer last-minute fixes.
When CI/CD is inconsistent, security gets addressed right before release, or secrets and permissions keep surfacing as issues.
- Design and implementation of security gates in the pipeline
- Release-blocker rules + triage workflow
- Hardening around secrets, access, and the build/release flow
Pipeline audit + hands-on implementation
SSDLC Baseline
Help the team make secure decisions without escalating every detail to security.
When the same findings repeat, security aspects of code review are inconsistent, and there’s no clear baseline.
- SSDLC minimum standard (must vs. should)
- Checklists and secure-by-default rules for your stack
- Short playbooks for critical topics (auth, secrets, Top 10)
Workshop + adding templates/rules to the repo
Secure Architecture Review
Faster, safer decisions for auth, data flows, and integrations — without endless debates.
When you’re planning a refactor, a new system, or multiple integrations, or facing difficult architecture decisions.
- Concise threat model for key flows (practical, not bureaucratic)
- Recommended safe defaults for auth/session/secrets
- Backlog-ready tasks with priorities (what to do now vs. later)
Architecture review + implementation-ready recommendations
Additional support when needed
I can also help with these activities when there is a specific need. They work best as complementary support alongside the core SSDLC and AppSec work.
AI-Powered Security & Secure AI Adoption
AI is already changing how teams build software and how attackers operate. I help organizations use AI effectively in security workflows and secure the AI-powered features they are shipping to users.
For security teams: AI that makes AppSec and SOC faster
AI-assisted evaluation and prioritization of findings that cuts noise and helps teams focus on what matters. From pre-filtering and fuzzy matching to batched LLM analysis with business context.
Automated processing and correlation of feeds, IOC enrichment, and adversary profiling supported by LLM-based analysis.
Intelligent alert triage, automated playbooks, and AI-assisted incident investigation that help analysts move faster without replacing their judgment.
AI-assisted review workflows that help catch common weaknesses before a pull request reaches the human reviewer.
For engineering teams: ship AI features without adding new attack surface
Prompt injection risks, data leakage through context windows, output validation, model access controls, and API key handling.
Access control for retrieval, prevention of cross-tenant data contamination, document segmentation, and embedding pipeline hardening.
Practical use of Copilot, Cursor, and AI coding tools: reviewing AI-generated code, managing supply chain risk, and preventing secrets exposure in prompts.
A practical workshop on common weaknesses in LLM-powered systems, mapped to your architecture and team decisions.
Why me
This is not theoretical. I use AI-powered security automation in practice: vulnerability evaluation pipelines, LLM-based threat analysis, and workflows integrated with SOAR and SIEM platforms.
I also use AI tools daily in software delivery and have hands-on experience with local models, prompt engineering, RAG architectures, and agentic frameworks. The goal is practical adoption with clear security boundaries, not hype.
How the engagement works
We'll set clear expectations and steps so improvements show up in the process, not only in documents.
We'll align on scope, goals, and agree on next steps upfront.
Output: Brief summary and proposed next steps.
Together we'll determine priorities by impact and likelihood, so it's clear what to address immediately and what later.
Output: Clear priorities and recommended implementation plan.
We'll design and implement concrete changes to the development process so problems don't recur.
Output: Concrete tasks ready to add to backlog.
We'll evaluate the results and set the next step so the improvement can be maintained long-term.
Output: What improved and what's next.
Training & workshops
Practical training for engineers, architects, and security teams. The goal is simple: use the material immediately in code, code reviews, and day-to-day delivery work.
I prefer on-site (EU, CET/CEST), and can also run sessions online.
Formats
Training (lecture-style)
- Best for larger groups
- Focus on understanding, common pitfalls, and practical decision-making
- Examples from real engineering work and security findings
Workshop (hands-on)
- Smaller groups, more interaction and exercises
- Practical tasks (analysis, mitigation design, reviews)
- Space for help and discussion on your examples
About
I’m a secure software development consultant with more than 10 years in cybersecurity and 15 years building software. My core focus is SSDLC/AppSec: reducing vulnerabilities, setting practical guardrails, and helping teams make sound security trade-offs during development instead of after the fact.
My background is not only advisory. I led a SOC/SIEM team responsible for security operations in banking and large European energy-sector environments. I have also been hands-on in offensive security: penetration testing, red teaming, OSINT, threat intelligence, and TLPT/TIBER-EU engagements for regulated financial institutions.
That mix of building software, breaking it, defending it, and operating the environments that detect problems shapes how I consult. I do not stop at scans or generic recommendations. I understand the full lifecycle from architecture and delivery pipelines to production monitoring, and I know what actually matters when a vulnerability shows up at the worst possible moment.
I have worked across web application development, infrastructure, cloud-native and Kubernetes-based systems, and hybrid architectures. I help startups establish a practical security baseline and support enterprise teams that need less friction between security, engineering, and architecture. I actively integrate AI into security workflows — from vulnerability triage and threat intelligence enrichment to AI-assisted code review. I hold OSCP and OSWE, participated in the IVLP program representing Slovakia, and work under NDA as standard practice. I’m based in Bratislava and available across the EU, on-site or remote.
Technologies I work with
Security tooling
Wazuh, TheHive, Shuffle SOAR, Tenable IO, Burp Suite, SonarQube, Snyk, Trivy
CI/CD & DevOps
GitHub Actions, GitLab CI, ArgoCD, Docker, Kubernetes, Terraform
Cloud & infrastructure
AWS, Azure, hybrid / on-prem, Kubernetes-native architectures
AI & automation
OpenAI, Anthropic, local models, n8n, RAG pipelines, prompt engineering, Cursor, Claude Code
Development
JavaScript / TypeScript, Python, Node.js, Java, PHP, REST / GraphQL APIs
Booking
Prices are listed excluding VAT.
Not sure where to start? Use the Intro consultation (free) to clarify your context and next options. If you need a structured review of a specific problem and a clear plan afterwards, Deep Dive & Strategy is usually the best fit. Brief context before the call is enough (architecture, current concerns). The output is a summary, clear next steps, and recommended priorities.
☕️ Intro consultation
15 – 20 minutes
- A quick introduction and understanding of your context.
- Identifying the main security challenges.
- Recommended next steps and the most suitable type of collaboration.
⚡️ Express consultation
30 minutes
- Immediate help with a specific problem.
- Quick guidance or a "second pair of eyes".
- No preparation needed in advance.
🛡️ Standard analysis
60 minutes
- Consultation on common security questions.
- Review of materials sent before the call.
- Time for questions and answers.
🚀 Deep Dive & Strategy
90 minutes
- Structured review of architecture and more complex problems.
- Detailed preparation and code analysis in advance.
- Written summary and action plan after the call.
- Task prioritization for your team.
💡 Fair upgrade: If you book a larger package (60 or 90 min) within 7 days after a 30 min consultation, I'll fully credit the price of the first one from the final amount.
Looking for a larger engagement? For security programs, team training, architecture reviews, or ongoing advisory, see project and partnership options below.
Enterprise & project engagements
For teams and organizations that need more than a single consultation: structured projects, ongoing advisory, or tailored training adapted to your environment and procurement process.
Pricing is scoped per project or engagement, based on complexity, timeline, and deliverables. I always provide a clear proposal before we start so there are no surprises.
Project engagement
A scoped engagement with a defined timeline and concrete deliverables.
- SSDLC implementation or maturity assessment (OWASP SAMM)
- CI/CD pipeline hardening and security gate design
- Secure architecture review for new systems, refactors, or integrations
- AI/LLM integration security review
- Penetration testing (web/API) with a prioritized remediation plan
Ongoing security advisory
A dedicated partnership for teams that need regular access to security expertise without starting a new engagement every time.
- A trusted advisor for architecture and design decisions
- Ongoing security review as the product evolves
- Support for code reviews, incident response, and release approvals
- A security perspective in planning, without a full-time hire
Training & workshops (on-site or remote)
Practical, hands-on sessions tailored to your stack, architecture, and recent findings. Not a generic security talk: the content is aligned to your context before the session.
- OWASP Top 10 in practice (web/API)
- OWASP WSTG: security testing methodology
- Secure development in practice (SSDLC for teams)
- AI Security in Practice (LLM/AI integrations + AI in AppSec/SOC)
- Custom training based on your specific needs
Procurement & compliance
- NDA: ready to sign yours before scoping
- Proposals and SOWs: provided in your preferred format
- Invoicing: flexible (per milestone, monthly, or on completion)
- Compliance: familiar with regulated environments (banking, energy, TIBER-EU, DORA, NIS2 context)
- EU-based: Bratislava, Slovakia (CET/CEST), VAT registered
If you have specific procurement requirements, let me know during the intro call and I'll make sure the proposal fits.
Let's work together
Based in Bratislava (CET/CEST). I usually reply within 24 hours.