Security that fits your reality

Your team is stretched thin. Compliance deadlines loom. Security vendors keep pitching enterprise solutions when you're running on an NGO budget. I work with European organisations (typically 10-100 people) who need practical security guidance. My approach is straightforward. Understand what you're actually protecting, focus on risks that matter, and build defences your team can maintain.

No magic boxes. No vendor theatre. Just security that works.

Who I work with

You might be a good fit if:

• You're facing NIS2, GDPR, or other regulatory requirements without a compliance team
• Your board is asking hard questions about cyber risk and you need clear answers
• You're scaling and security is starting to feel overwhelming
• You handle sensitive data and need to get it right (health records, domestic violence cases, whistleblower information)
• You've been breached before and want to go through that again as little as possible
• You're building something that matters and can not afford to cut corners on security

I prioritise working with organisations serving vulnerable populations. And I also work with other mission-driven teams that need help.

Explore strategic solutions

Risk assessment and security roadmap

1-2 weeks | For organisations needing clarity on priorities

You can't protect everything. Let's figure out what actually matters. We'll map your critical assets, realistic threats, and current gaps, then build a practical roadmap that fits your budget and capacity. You'll get clear understanding of your risk exposure, prioritised actions, realistic timelines, and documentation you can show your board.

Threat modelling and defence design

2-6 weeks | For teams ready to strengthen specific systems

Whether you're building something new or hardening existing systems, we'll work through your architecture together. You'll get documented threat models, specific security controls mapped to real risks, and team training so security thinking becomes embedded.

NIS2 compliance support

Ongoing | For EU organisations facing NIS2 requirements

Navigate the requirements without losing your mind or budget. We'll build security practices that satisfy regulators whilst actually improving your resilience. You get gap analysis, practical implementation plans, policy templates, and audit preparation.

Incident response preparation

1-4 weeks | For organisations who know they're not ready for a breach

Most organisations discover their incident response plan doesn't work when they're already on fire. We'll build realistic response playbooks, run tabletop exercises with your team, and make sure everyone knows what to do when things go wrong.

Fractional security advisor

Ongoing retainer | For organisations needing sustained guidance

Think of this as having a security person on your team without hiring full-time. Regular check-ins, on-call for urgent questions, review of new systems and vendors, security input on strategic decisions.

Custom work

If your situation doesn't fit the boxes above, let's talk. I've helped organisations with SIEM implementation for resource-constrained environments, security training for non-technical teams, vendor security assessment, and open-source security tool development.

How I work

Collaborative: Security decisions need to fit your reality. I bring expertise and options, you know your constraints. We figure it out together.

Patient and pragmatic: Security happens in layers over time. I help you make steady progress without burning out your team.

No jargon barriers: I translate technical concepts into language that makes sense for your context.

Bias for action: Long reports gather dust. I focus on recommendations you can actually implement.

Values-aligned: I prioritise organisations doing work that matters, especially those serving vulnerable populations.

Availability

Based in Dordrecht, Netherlands. Available for remote work and on-site engagements across Europe.

• Dutch ZZP (KvK & VAT registered)
• Available for meaningful, project-based work that protects people and improves real-world security.
• Prefer direct, project-based collaboration.
• I dedicate one day per week to volunteer with the Dutch Institute for Vulnerability Disclosure (DIVD), keeping my practice grounded in current threats.
• No outsourcing, overpromising, or data-selling.

You will never receive an invoice that differs from our agreed-upon, written quote