Services

Compliance & Risk

Frameworks that work in practice. From PCI DSS and BSIMM to NIST AI RMF and MITRE ATLAS, built by someone who has run assessments and managed them from the other side of the table.

Why This Engagement Exists

Compliance programs fail in one of two ways: they pass the audit without actually improving security, or they do real security work but can't prove it to an assessor. I have been both the QSA running PCI assessments at Trustwave and the security architect managing those assessments from inside Amazon. 25 years across both sides of the table. That's the perspective I work from.

What I Deliver

  • PCI DSS gap analysis and remediation planning
  • BSIMM-informed program assessment and benchmarking
  • NIST AI RMF 1.0 alignment and implementation
  • OWASP Top 10 for LLM and Agentic Applications assessment
  • MITRE ATLAS threat modeling for AI systems
  • Security program maturity assessment and roadmap
  • GRC framework implementation
  • Audit preparation and support
  • DevSecOps program design: embedding security into engineering workflows

How Engagements Work

I start with an assessment of your current state against the target framework, then deliver a prioritized remediation roadmap. For ongoing programs, I work alongside your team to turn paper controls into working procedures and configurations. For audit prep, I review your environment the way an assessor would.

Who This Is For

  • Companies facing PCI DSS, SOC 2, or other compliance requirements who want someone who's been on both sides of a PCI assessment
  • Security teams looking to benchmark their program maturity and build a roadmap they can actually execute
  • Organizations deploying AI systems and needing NIST AI RMF alignment, MITRE ATLAS threat modeling, or OWASP LLM assessment

Frequently Asked Questions

Can you perform PCI DSS assessments?

I do gap analysis and remediation planning, not formal assessments. I'm a former QSA and PA-QSA, so I know exactly what assessors look for. I prepare your environment and documentation so the formal assessment goes smoothly.

What is a BSIMM assessment?

BSIMM measures the maturity of your software security program against observed practices across hundreds of organizations. At Synopsys I was part of the BSIMM community as a Managing Director, supporting clients who were both leveraging the framework and going through their own assessments. I use it to benchmark where you are and identify what to build next.

Do you cover AI-specific compliance frameworks?

Yes. NIST AI RMF 1.0 for AI risk management, MITRE ATLAS for threat modeling against AI systems, and OWASP Top 10 for LLM and Agentic Applications. These are applied in engagements, not formal certifications.