DevSecOps run by Security Champions
“We are completely different people now — the Security Champions and me. We know how to act and what to do next.”
— Łukasz Jagielski
Engineering Team Leader, XTB
An annual pentest no longer satisfies DORA, NIS2 or the CRA. We help regulated organizations build security into how software ships, consistently across every team and entity, and provable to an auditor. We do it through training, verification and hands-on advisory. Practitioner-led, standards-based, and proven inside banking and fintech.
Earned over years of hands-on application-security practice: our own work, inside engineering teams, and across dozens of organizations. It's why our engagements outlast the audit that triggered them.
We teach threat modeling where the decisions are actually made: at feature kickoff, not once a year before an audit. The method is matched to the system, the organization and the team's maturity.
Manual security gates lose to deadline pressure. We wire controls straight into the pipeline: tests, scans and policies that run on every build. Security stops being a step to remember and becomes the default.
Modeling and automation don't scale without people who understand them. We build and sustain a network of Security Champions in every team, so ownership returns to where the code is written, and modeling and automation both stay alive.
One specialism: the security of how software is built. We don't start with a big contract: each path runs from a single expert session to running your security function, and you take the next step only once the last one paid off. Enter where your maturity fits, then scale across the group.
Engineers who understand why, not just what. Secure decisions then happen in the pull request, not after the pentest.
Measure before you change. An objective read of where your process stands, on a recognized scale, defensible to an auditor.
Design, implement, oversee. We don't replace your team: we set the process up to run without us. And when you need it, we take the security leadership seat ourselves.
Three EU regimes turn “secure by design” from best practice into a requirement, and auditors now ask for evidence, not assurances. We help you produce that evidence the way auditors expect, across every entity in the group.
Operational resilience for financial entities: ICT risk, testing, and third-party oversight under regulatory scrutiny.
Wider scope, stricter duties, board-level accountability for cybersecurity across essential and important entities.
The Cyber Resilience Act puts security obligations directly on products with digital elements: SBOM, SDLC, vulnerability handling.
Our programs at work inside regulated organizations. We report what actually changed in how teams build, not an invented “−73% in vulnerabilities”. The quotes come from the people who drove the change.
“The Security Champion is a central role for us. Without it, controlling and managing this process would be extremely hard.”
— Filip Brandt
Security Architect, BNP Paribas Bank Polska
In security, the strongest trust signals are objective and verifiable: CVEs and years of hands-on practice in real organizations.
Founder · Managing Partner
20+ years of hands-on security practice: his own research, inside engineering teams, and across dozens of organizations. Hundreds of projects delivered, thousands of engineers trained, security programs built with the biggest names in the region.
Co-founder · Managing Partner
Co-founder · Managing Partner
No “Bezpieczny Kod methodology” in a black box. We implement the frameworks auditors already expect (NIST SSDF, OWASP SAMM, ASVS), applied by people with years of hands-on practice. In regulated sectors, that transparency is a strength, not a weakness.
A 30-minute diagnostic call with our expert. Not a salesperson, no slide deck, no NDA to start. The fastest way to sanity-check the next step, whether that's one team or rolling security out across the group.