Professional Services
I offer specialized security services designed for organizations that require technical depth and actionable insights. Unlike standard compliance checklists, my approach combines academic rigor and the offensive mindset of a security researcher with the strategic perspective of a CISO who understands the real-world challenges of organizational security.
My Approach
I help companies not just to find bugs, but understand their systemic root causes. My work focuses on three core pillars:
- Offensive Security: Real-world testing of applications with an adversarial mindset.
- Strategic Security: Leveraging CISO experience to align technical security measures with business goals.
- Sustainable Knowledge Transfer: Empowering your internal teams through academic rigor and hands-on training.
🎤 Keynotes & Speaking
I provide engaging, non-generic keynotes for industry conferences and corporate events, blending entertainment with hard technical facts.
Note: The following topics are signature examples to showcase my focus areas. I am happy to tailor these or develop custom content to perfectly fit your event's theme.
| Topic | Description |
|---|---|
| "Anatomy of a Cyber Attack: Reality vs. Defense" | A transparent walkthrough of modern criminal operations—from infiltration to domain dominance. I demonstrate why we need robust technical safety nets, because a security architecture that collapses just because someone clicked a link isn't a strategy—it's a gamble. |
| "Built-in, Not Bolted-on: Lessons from Hacking WhatsApp" | Why "security at the end" fails. Using critical vulnerabilities I discovered in WhatsApp, I demonstrate why security must be ingrained in the design phase of software development and enforced server-side—making abstract principles tangible. |
| "The Human Factor: Stop Trying to Patch People" | The industry obsessively tries to "debug" employees with awareness training, ignoring that to err is human. I advocate for a paradigm shift: Accepting human nature and building systems resilient enough to survive it, rather than expecting your employees to become the "human firewall 2.0". Awareness remains indispensable, but we will redefine its purpose entirely—moving it from a failed defensive layer to a driver of open security culture. |
🎓 Expert Training & Workshops
I provide hands-on training for development teams and security professionals. My workshops are designed to be interactive and practically relevant.
💻 Secure Web Applications: From Design to Deployment
Target Audience: Development Teams & Architects
A holistic approach that goes far beyond standard "Secure Coding" or OWASP Top 10 training. This course covers the entire engineering lifecycle—from the first architectural decision to the automated build pipeline.
- Lifecycle & Design: Secure Development Lifecycle (SDLC), Threat Modeling, and effective Security Testing.
- Supply Chain Security: Securing build environments, managing dependencies, and ensuring software integrity.
- Standards: Leveraging OWASP ASVS (Verification) and SAMM (Maturity Model) for measurable security.
- Format: 2-Day On-Site Workshop featuring extensive live demos and hands-on challenges ("Capture the Flag" style).
Outcome: Developers who understand the current threat landscape, know how attacks manifest in reality, and can implement robust defenses across the entire stack.
📱 Mobile App Security & Reverse Engineering (iOS & Android)
Target Audience: Mobile Developers & Architects
To build truly secure mobile apps, you must understand the environment in which they run—and how easily they can be manipulated. This workshop bridges the gap between app development and offensive mobile research.
- Platform Fundamentals: Deep dive into iOS & Android security architectures (Sandboxing, Permissions, Signing).
- The Offensive Toolkit: Hands-on introduction to Static Analysis (Disassemblers, Decompilers) and Dynamic Analysis.
- Runtime Manipulation: Using Frida for function hooking, tracing, and bypassing security controls on live devices.
- Attack Vectors & Defense:
- Data at Rest: Breaking insecure storage and implementing correct Keychain/Keystore cryptography.
- Network Security: Traffic analysis, MitM attacks, and certificate pinning.
- IPC & Interaction: Exploiting Deep Links, URL Schemes, and WebViews.
- App Integrity: Repackaging attacks, anti-reversing measures, and root/jailbreak detection evasion.
Outcome: Developers who understand the "Glass Box" nature of mobile apps and can proactively harden their applications against reverse engineering and runtime tampering.
🛡️ Modern Infrastructure Security: Attack & Defense
Target Audience: IT Administrators & System Engineers
A 1-day compact workshop designed for the reality of IT operations. We bypass complex ISMS theory to focus on actionable, technical measures that act as effective stop-gaps against Ransomware and APTs.
- The Kill Chain: Understanding modern attack lifecycles using the MITRE ATT&CK framework.
- Active Directory & Windows: How attackers utilize Lateral Movement, Credential Dumping, and privilege escalation within Windows Domains.
- The Defense Triad:
- Prevention: Essential hardening beyond the firewall (MFA, Tiering Models, Attack Surface Reduction).
- Detection: Which logs actually matter? Identifying Indicators of Compromise (IoCs) without drowning in data.
- Response: Immediate actions to take (and mistakes to avoid) in the first critical hour of an incident.
- Baseline Reality Check: A pragmatic review of your essential defenses to ensure resilience against the most common threats.
Outcome: Administrators who understand the attacker's path through a network and hold a concrete checklist to close the most critical gaps immediately.
🛡️ Advisory & Consulting
Security decisions are often clouded by vendor hype or internal tunnel vision. I provide an objective, external perspective backed by years of operational leadership as a CISO. My goal is not to recommend you a product, but to validate your strategy and ensure your resources are fighting the right battles.
- The "Second Opinion": You have a security strategy or a major architectural decision pending? I challenge your assumptions and validate your concepts before you commit the budget.
- Organizational Reality Check: A sober analysis of your Incident Response readiness and Risk Management maturity—free from internal politics.
- Vendor Neutrality: Cutting through the marketing noise to evaluate if a solution actually solves your problem.
📬 Let's Collaborate
Interested in a workshop, keynote, or security assessment?
Email: mail@andreas-kurtz.de
Discretion and confidentiality guaranteed.