Senior DevSecOps Engineer · Freelance

DevSecOps-as-a-Service

Secure your pipelines, cloud infrastructure and workloads — delivered by a senior DevSecOps engineer, on a fixed-price sprint or monthly retainer.

Your CI/CD pipelines are an attack surface

Supply chain attacks, hardcoded secrets, compromised runners — the majority of 2024 incidents originated in the pipeline itself.

Secrets, IaC and containers left unsecured

API keys in code, Terraform without scanning, Docker images with critical CVEs — the most exploited vectors in production.

No time for a full DevSecOps hire

A senior DevSecOps engineer costs £60-100k/year and takes 3-6 months to hire. A freelance engagement ships in one week.

I secure your systems as if I were embedded in your team: hardened pipelines, Zero Trust cloud, dynamically managed secrets, scanned containers — shipped to production.

Senior DevSecOps execution. Freelance flexibility. Zero recruitment overhead.

What I deliver

Targeted interventions on the highest-risk attack surfaces in your stack.

Pipeline & CI/CD Security

Full hardening of your GitHub Actions / GitLab CI pipelines — from secrets detection to SLSA artifact signing.

  • Secrets scanning (gitleaks, truffleHog) + pre-commit hooks
  • GitHub Actions: least-privilege GITHUB_TOKEN
  • Supply chain: SBOM, Sigstore/Cosign, SLSA L2-L3
  • Branch protection, signed commits, CODEOWNERS

Cloud & IaC Security

Zero Trust architecture on AWS, GCP or OVHcloud — IAM least-privilege, WAF, network segmentation and Terraform/Ansible scanning.

  • IaC scanning: Checkov, tfsec, PR integration
  • IAM Analyzer, SCPs and least-privilege policies
  • WAF, rate limiting, OWASP API Top 10
  • CIS Benchmarks, CSPM (Security Hub, SCC)

Secret Management & Vault

Zero hardcoded secrets in production: HashiCorp Vault, AWS Secrets Manager, External Secrets Operator, SOPS/age.

  • Vault architecture (AppRole, K8s Auth, HA)
  • Dynamic secrets and automatic rotation
  • External Secrets Operator for Kubernetes
  • Encrypted GitOps: SOPS + age + KMS

Container & Kubernetes Security

Image scanning, runtime hardening, strict Kubernetes RBAC and NetworkPolicies to isolate your workloads.

  • Image scanning: Trivy, Grype, CI integration
  • RBAC, Pod Security Standards, NetworkPolicies
  • Non-root containers, read-only filesystems
  • Admission controllers (OPA/Gatekeeper, Kyverno)

SAST / DAST & Automation

Automated vulnerability detection in code and at runtime — Semgrep, CodeQL, OWASP ZAP integrated into the pipeline.

  • SAST: Semgrep, CodeQL, SonarQube in CI
  • SCA: Dependabot, Snyk, license detection
  • DAST: OWASP ZAP in staging pipeline
  • STRIDE threat modeling on architectures

Monitoring & Incident Response

Anomaly detection, SIEM alerting, incident response runbooks and cloud forensics (CloudTrail, GCP Audit Logs).

  • SIEM integration, alerting on critical events
  • CloudTrail / GCP Audit Logs forensics
  • Documented incident response runbooks
  • Post-incident review and corrective hardening

Tech stack

Tools I use in production — not just demos.

CI/CD

GitHub Actions · GitLab CI · Jenkins

IaC

Terraform · Ansible · Pulumi

Secrets

HashiCorp Vault · AWS Secrets Manager · SOPS

Containers

Docker · Kubernetes · Helm

SAST / SCA

Semgrep · CodeQL · Snyk · Trivy

Cloud

AWS · GCP · OVHcloud

How it works

From kick-off to production merge — a clear, documented process.

01

Audit & Diagnosis

Review of your stack, pipelines, cloud and secrets — priority risk identification with criticality scoring.

02

Target Architecture

Deliverable: prioritised implementation plan (effort, residual risk, quick wins) validated with your team.

03

Implementation

Development of configurations, IaC scripts, policies and CI/CD integrations — PRs, code review, tests included.

04

Delivery & Handover

Operational documentation, runbooks, team training and clean handover — your team is fully autonomous.

Plans & Pricing

One-off sprint, monthly retainer, or bespoke — aligned with your roadmap.

Security Sprint

One-off engagement · Quick win

€4,600 / sprint
  • 1 intensive week (5 days)
  • Targeted audit of one vector (pipeline, cloud or secrets)
  • Implementation + tests included
  • Documentation and runbook delivered
  • Pre/post vulnerability report
  • Ideal for hardening a pipeline before an audit
Book a diagnosis →
Recommended

Monthly Retainer

Startups · Scale-ups · Tech SMEs

€3,000 / month
  • 4 days / month
  • Everything in Sprint +
  • Multi-vector coverage (pipeline + cloud + secrets)
  • Continuous security code reviews
  • Incident response (4h SLA)
  • Monthly security report delivered to your team
  • Dedicated Slack support
Book a diagnosis →

Custom Mission

Enterprise · Complex projects

Custom quote
  • Full scope defined together
  • Everything in Retainer +
  • Full DevSecOps architecture overhaul
  • Vault / Zero Trust / Kubernetes migration
  • Team training included
  • Certification support (SOC2, ISO 27001)
  • Custom incident response SLA
Book a diagnosis →

All prices ex-VAT. Custom quotes available for complex engagements and enterprise accounts.

Why me?

DevSecOps engineer with hands-on experience in banking (BNP Paribas), fintech and SaaS — I deliver secure systems that hold in production, not PDF audit reports.

  • EPITA Paris — Expert in Cybersecurity & Systems Security
  • Production experience: Vault, Kubernetes, Terraform, GitHub Actions, AWS at BNP Paribas scale
  • Attacker mindset: I think like an adversary before I fix anything
  • Zero theory without practice — every deliverable is merged and tested
  • Bilingual FR/EN — documentation and code reviews in English when needed
  • In progress: OSCP · CISSP · ISO 27001 LA

4+ years in DevSecOps & offensive security
10+ CI/CD pipelines hardened and shipped

Complementary service

Need a CISO on top of the engineering?

DevSecOps covers technical implementation. If you also need governance, NIS2/ISO 27001 compliance and board reporting, my CISO-as-a-Service offering picks up where this leaves off.

Discover CISO-as-a-Service →

Ready to secure your stack?

30 minutes to review your pipelines, cloud and secrets — and define the priority quick wins. No commitment.

Book a free 30-min diagnosis →