PUBLIC / UNTRUSTED EDGE · PKI INTERNAL ENTERPRISE NETWORK Remote operator VPN client Partner service contracted partner external unauthenticated VPN concentrator WireGuard · tunnel Partner ingress mTLS · IP allowlist Secure gateway TLS termination WAF · policy Issuing CA online · rotation Root CA offline · air-gapped API gateway tokens · routing Identity OIDC · authz Registry / CI Application services Queue broker Redis · NATS Workers consumers PostgreSQL Object storage Monitoring metrics · logs enqueue out-of-band internal service certs agent-based telemetry from all workloads internal request (mTLS) untrusted ingress cert issuance out-of-band (offline) telemetry (agent-based)

Product Security Consultant & Software Engineer

I assess complex software platforms, design practical security architecture, and build security-sensitive systems.

Independent assessments for teams building or operating multi-tenant platforms - from external reconnaissance and authorized penetration testing through threat modelling, target-state architecture, and remediation specification.

Flagship engagement

Multi-Phase Product Security Assessment

Confidential European B2B software platform

A multi-phase engagement covering external reconnaissance, authorized penetration testing, source-informed threat modelling, and target-state security architecture.

The assessment established what an attacker could reach, tested which controls held up under live adversarial use, identified the risks that genuinely had to block production, and translated those risks into implementation-ready engineering work.

Reconnaissance Penetration testing Threat modelling Security architecture IR validation
Delivered
  • Reconnaissance and live penetration-test reports
  • 135-page threat model
  • Risk register and remediation roadmap
  • Target-state security architecture
  • Implementation and verification specifications
“We did not receive a scanner dump or a generic list of findings. Haroun reconstructed the system, tested the controls that mattered, and separated confirmed weaknesses from assumptions. The final deliverable gave us a prioritized remediation plan, a target security architecture, and acceptance criteria precise enough for our engineers to implement and independently verify.”
Co-founder and Platform Owner
Confidential European Software Company
pending client approval

Security software

OpenVPN Management Suite

A certificate-authority and VPN administration system designed around explicit trust boundaries: an offline root CA, an isolated intermediate CA, and a local AF_UNIX control interface mediating every issuance, revocation, and CRL operation behind a role-based administrative interface.

  • Offline root CA
  • Intermediate CA isolation
  • Certificate issuance & bundles
  • Revocation & CRL lifecycle
  • AF_UNIX control interface
  • Role-based administration
View the system design →
OFFLINE ROOT Root CA offline signing MANAGEMENT HOST Intermediate CA isolated service Control daemon policy checks Admin UI role-based Issuance certs · CRLs manual signing AF_UNIX

Consulting

Independent security assessments

For teams building or operating complex software platforms - without a full internal security function.

S-01
Product security assessment

Architecture review, source-informed assessment, tenant isolation, risk register, remediation specification.

S-02
Application security testing

Reconnaissance, web and API testing, authentication, authorization and IDOR, business logic, retesting.

S-03
Threat modelling & architecture

Data-flow modelling, trust boundaries, STRIDE, attack trees, credential architecture, acceptance criteria.

S-04
Secure infrastructure review

Network exposure, deployment provenance, container hardening, PKI, backup architecture, secrets.

S-05
IR & recovery validation

Tabletop exercises, restore drills, recovery validation, credential-rotation exercises.

developing

About

Haroun Ahmad

I approach security as a systems problem. Application code, infrastructure, credentials, deployment, operations, and human processes all shape the real security posture of a product. Looking at any one of them in isolation produces an incomplete picture.

My background is in software engineering, with a focus on product security, threat modelling, and secure architecture. I assess systems end to end, but I also build them: PKI tooling, self-hosted infrastructure, and security-sensitive services designed around explicit trust boundaries and failure modes.

My goal is not simply to identify vulnerabilities. It is to understand why they exist, how they interact, and what engineering changes meaningfully reduce the risk.

Contact

Need an independent security review of a product, platform, or infrastructure?

Straightforward scoping, evidence-disciplined reporting, no sales pressure.

Minimum 20 characters
Complete the verification to enable sending.

Your information will be used to process and respond to your enquiry. See the Privacy Policy for details.