Product Security Consultant & Software Engineer
I assess complex software platforms, design practical security architecture, and build security-sensitive systems.
Independent assessments for teams building or operating multi-tenant platforms - from external reconnaissance and authorized penetration testing through threat modelling, target-state architecture, and remediation specification.
Selected work
Evidence, not claims.
Reconnaissance, authorized penetration testing, and a full source-informed threat model of a multi-tenant SaaS platform - ending in target-state architecture and a hosting-suitability verdict.
Read case study → Security software OpenVPN Management SuiteA certificate-lifecycle and VPN administration system designed around a narrow security boundary: an offline root CA establishes a constrained operational intermediate, while a dedicated local daemon mediates routine issuance, revocation, CRL generation, and client provisioning without exposing CA key material to the web application.
View the system design → Infrastructure Secure self-hosted infrastructureA self-hosted environment designed around a small public surface, certificate-gated management access, explicit routing, private service discovery, and documented operating procedures.
View the architecture →Flagship engagement
Multi-Phase Product Security Assessment
Confidential European B2B software platform
A multi-phase engagement covering external reconnaissance, authorized penetration testing, source-informed threat modelling, and target-state security architecture.
The assessment established what an attacker could reach, tested which controls held up under live adversarial use, identified the risks that genuinely had to block production, and translated those risks into implementation-ready engineering work.
- Reconnaissance and live penetration-test reports
- 135-page threat model
- Risk register and remediation roadmap
- Target-state security architecture
- Implementation and verification specifications
“We did not receive a scanner dump or a generic list of findings. Haroun reconstructed the system, tested the controls that mattered, and separated confirmed weaknesses from assumptions. The final deliverable gave us a prioritized remediation plan, a target security architecture, and acceptance criteria precise enough for our engineers to implement and independently verify.”
Confidential European Software Company
Security software
OpenVPN Management Suite
A certificate-authority and VPN administration system designed around explicit trust boundaries: an offline root CA, an isolated intermediate CA, and a local AF_UNIX control interface mediating every issuance, revocation, and CRL operation behind a role-based administrative interface.
- Offline root CA
- Intermediate CA isolation
- Certificate issuance & bundles
- Revocation & CRL lifecycle
- AF_UNIX control interface
- Role-based administration
Writing
Security Engineering Notes
When production provably differs from the reviewed source, what can an assessment still claim, and how should the uncertainty itself be treated?
How far does an application compromise travel when the application holds database-owner, object-storage root, and platform-wide service credentials?
What does a defensible root-CA ceremony look like without an HSM budget, and which controls actually change the risk?
Consulting
Independent security assessments
For teams building or operating complex software platforms - without a full internal security function.
Architecture review, source-informed assessment, tenant isolation, risk register, remediation specification.
Reconnaissance, web and API testing, authentication, authorization and IDOR, business logic, retesting.
Data-flow modelling, trust boundaries, STRIDE, attack trees, credential architecture, acceptance criteria.
Network exposure, deployment provenance, container hardening, PKI, backup architecture, secrets.
Tabletop exercises, restore drills, recovery validation, credential-rotation exercises.
About
Haroun Ahmad
I approach security as a systems problem. Application code, infrastructure, credentials, deployment, operations, and human processes all shape the real security posture of a product. Looking at any one of them in isolation produces an incomplete picture.
My background is in software engineering, with a focus on product security, threat modelling, and secure architecture. I assess systems end to end, but I also build them: PKI tooling, self-hosted infrastructure, and security-sensitive services designed around explicit trust boundaries and failure modes.
My goal is not simply to identify vulnerabilities. It is to understand why they exist, how they interact, and what engineering changes meaningfully reduce the risk.
Contact
Need an independent security review of a product, platform, or infrastructure?
Straightforward scoping, evidence-disciplined reporting, no sales pressure.
- hello@erisdev.io
- linkedin.com/in/haroun-ahmad
- gitlab
- gitlab.com/HarounAhmad