One job: get your product past its compliance obligations — without stalling engineering
I don’t sell a generic menu of penetration tests. I do one thing: take products with digital elements — connected machines, embedded ECUs, industrial devices — through the regulations that now gate them (CRA, ISO 21434, IEC 62443, ASPICE) and turn that burden into automated architecture your team can live with.
Three focused pillars, each tied to a deadline you actually have.
1 · CRA & IEC 62443 Readiness
Photo by Petter Lagson on Unsplash
The Cyber Resilience Act makes cybersecurity a condition of CE marking for every product with digital elements by 2027. I get connected machines and devices conformity-ready — gap assessment, secure-by-design architecture, vulnerability handling and SBOM processes — so compliance doesn’t become a shipping blocker.
Find out more about:
- CRA gap assessment
- IEC 62443 secure-by-design
- Vulnerability handling & PSIRT
- SBOM & secure update
2 · ISO 21434 & TARA
Fixed-scope Threat Analysis and Risk Assessments for embedded ECUs to unblock your OEM contracts. Because I also exploit these systems for a living, the threats in my TARA are the ones an attacker would really use — not a checklist.
Find out more about:
- TARA generation
- Cybersecurity concept & goals
- Attack-path validation
- OEM audit preparation
3 · Engineering-as-Code (ASPICE)
Photo by Chris Liverani on Unsplash
Docs-as-code traceability — sphinx-needs graphs, automated evidence, requirements-to-test links — so your engineers stop writing Word documents and get back to writing Rust and C. The ASPICE and safety-case paperwork produces itself from the work they’re already doing.
Find out more about:
- sphinx-needs traceability
- ASPICE evidence automation
- Safety & cybersecurity case tooling
- CI-integrated compliance gates
Trustable Software Framework
Where a release has to be demonstrably trustworthy — safety, security and reliability backed by evidence and a confidence score — I bring in the Trustable Software Framework. It’s the natural companion to Engineering-as-Code for your most critical software.
Training
I offer private, team-tailored training in secure and compliant product development — CRA essentials for machine builders, TARA workshops, and docs-as-code for engineering teams. Contact me for details.
Photo by Scott Graham on Unsplash
Something else?
Have a regulated-product problem that doesn’t fit neatly into one of these? Contact me. Bridging safety, security and low-level engineering is exactly where I’m most useful.
Photo by