Training & workshops
Practical training for engineers, architects, and security teams. The goal is simple: use the material immediately in code, code reviews, and day-to-day delivery work.
I prefer on-site (EU, CET/CEST), and can also run sessions online.
Formats
Training (lecture-style)
- Best for larger groups
- Focus on understanding, common pitfalls, and practical decision-making
- Examples from real engineering work and security findings
Workshop (hands-on)
- Smaller groups, more interaction and exercises
- Practical tasks (analysis, mitigation design, reviews)
- Space for help and discussion on your examples
Core programs
1) OWASP Top 10 in practice (web/API)
A developer-focused workshop: understand risks, see controlled lab exploitation, and—most importantly—learn fixes and patterns for code, reviews, and CI/CD.
- Audience
- engineers (junior–mid), tech leads, security
- Format
- training or workshop
- Variants
- 1 day (essentials) | 2 days (deep dive + exercises)
- Group size
- training 10–25 | workshop 6–12
- Prerequisites
- basic web/HTTP knowledge and API experience (everyday practice is enough)
- Signals in code and code review: what to look for and why (Top 10 in practice)
- Exploit → fix: short demos only to understand impact
- Secure-by-default patterns (authn/authz, input validation, error handling, secrets, logging)
- Mitigations and implementation trade-offs (practical guardrails)
- What to add to your process/CI/CD as a minimum bar
- Top 10 code review checklist usable in PR reviews
- Team-ready secure defaults / patterns overview (repo/wiki-ready)
- Process recommendations: minimum bar / guardrails for reviews and CI/CD
2) OWASP WSTG workshop: security testing methodology (web/API)
A security/testing workshop: systematic testing methodology, a practical test plan, and write-ups + prioritization.
- Audience
- security, senior engineers, testing & triage roles
- Format
- workshop
- Variants
- 1 day (methodology basics) | 2 days (practical scenarios + triage)
- Group size
- 6–10
- Prerequisites
- basic OWASP Top 10 knowledge (or equivalent)
- Coverage-first testing based on WSTG: how to build a test plan for web/API
- Practical test cases/scenarios (authn, authz, sessions, input, business logic, data exposure)
- Reproduction and evidence: clear steps, payloads, request/response, impact
- Reporting: write findings so they are easy to read and act on
- Triage: translate findings into backlog tasks (priority, owner, fix guidance)
- WSTG-based test plan/checklist for your application type (coverage-ready)
- Implementation-ready finding write-up template
- Triage workflow: turning findings into clear fixes (backlog-ready)
3) Secure development in practice (SSDLC for teams)
- Audience
- tech leads, architects, senior engineers, security
- Format
- training or workshop
- Variants
- 1 day (baseline) | 2 days (process + practical guardrails)
- Group size
- training 8–20 | workshop 5–10
- Prerequisites
- knowledge of your delivery flow (normal team practice is enough)
- Minimum bar for the team: auth, secrets, release process, ownership
- Practical checkpoints in CI/CD (what’s worth automating)
- Threat modeling without bureaucracy: fast decisions and prioritization
- Concise “minimum bar” document (repo/wiki-ready)
- Proposed CI/CD guardrails (what to implement and in what order)
- Backlog-ready recommendations (priority + owner)
4) AI Security in Practice (for engineering & security teams)
Practical training on securing LLM and AI integrations and on where AI meaningfully helps in AppSec and SOC workflows.
- Audience
- engineers, architects, security teams, tech leads
- Format
- training or workshop
- Variants
- 1 day (essentials) | 2 days (deep dive + hands-on exercises)
- Group size
- training 8–20 | workshop 5–10
- Prerequisites
- basic understanding of LLMs and API integrations (everyday practice is enough)
- OWASP Top 10 for LLM Applications mapped to common architecture patterns
- Prompt injection: direct, indirect, and multi-step attacks — demos and defensive patterns
- Data leakage vectors: context-window exposure, training data extraction, and RAG cross-contamination
- Securing RAG pipelines: access controls, document segmentation, and embedding pipeline hardening
- Output validation and content filtering — practical implementation patterns
- Secure AI-assisted development: using Copilot/Cursor safely, reviewing AI-generated code, and managing supply chain concerns
- AI in security operations: where LLMs actually help with triage, enrichment, and analysis — and where they do not
- LLM integration security checklist usable in architecture reviews and PR reviews
- Secure AI integration patterns for your stack (repo/wiki-ready)
- Risk assessment template for AI/LLM features
- Process recommendations for the minimum bar in AI feature security reviews
Custom training (tailoring)
I can tailor the content to your stack, domain, architecture, and recent incidents or findings.
Before the session we align on context (e.g., architecture, service types, current risks) so it is grounded in your reality rather than delivered as a generic security talk.
- Short questionnaire
- Optional pre-read
- Materials and takeaways delivered after the session
- materials + “what to take away” summary
- practical checklists/templates (based on format)
- recommendations directly usable by the team
Pricing & logistics
Pricing is offered as packages by format and length (e.g., on-site 1 day / 2 days, workshop vs. lecture-style training).
For on-site sessions, logistics are charged as a travel fee based on location and travel time (and accommodation if needed), with no markup.
I always include the final all-in price including travel in the quote so there are no surprises.