Your infrastructure outgrew its year-one assumptions. Nobody's audited it since.
SecOps Lab runs fixed-scope security & reliability audits for fast-scaling companies. Usually there's a SOC 2, a customer security review, or due diligence coming, and infrastructure that was never built to be looked at that closely.
// Fixed scope · fixed fee · 2–3 weeks · findings + remediation plan you can act on
You shipped fast. The duct tape is now production-critical.
The infrastructure that got you from zero to product–market fit was built to move quickly, not to survive scrutiny. That was the right call at the time. Now you're scaling, and something is forcing the issue.
The questionnaire arrived
A first enterprise customer sent a security questionnaire, or you're entering SOC 2 / ISO 27001, and you genuinely don't know how your infrastructure answers it.
Diligence is coming
A funding round or acquisition means someone technical is about to look hard at your stack. You'd rather find the problems before they do.
No one ever checked
You've never had an internal audit, you don't have the in-house security depth to run one, and the team is too close to the system to see it objectively.
A fixed-scope audit, not an open-ended retainer.
One defined engagement with a clear start, end, and deliverable. You get an answer and we're done. Buy a result your Head of Infra can forward straight to the CTO: the report is written to help you win the budget conversation, and nobody on the team that built the system gets thrown under the bus.
Infrastructure Security & Reliability Audit
- ✓ Threat model of your CI/CD and supply chain (STRIDE), where the highest-leverage risk usually hides.
- ✓ Kubernetes & host hardening reviewed against CIS benchmarks, cloud or bare-metal.
- ✓ Vulnerability & CVE review across images, dependencies and exposed surfaces.
- ✓ Reliability & availability assessment: single points of failure, blast radius, recovery paths.
- ✓ Secrets, access & identity paths traced end to end.
CI/CD Modernisation Audit
- ✓ Build & deploy pipeline reviewed end to end for speed, cost and safety.
- ✓ Concrete bottlenecks identified, with measured before/after targets.
- ✓ Supply-chain hygiene: signing, provenance, scanning in the pipeline.
- ✓ GitOps / release-process review and recommendations.
See an example report before you ever talk to me
"Findings + remediation plan" is abstract, so here's a specimen report: the exact structure, severity model and remediation format you'd receive, built on synthetic data so you can judge the depth and clarity up front. Real client reports are confidential. This one is illustrative by design, and labelled as such.
Open the example report →
From black box to a plan you can act on.
No bottomless ticket queue. A defined process, a fixed timeline, and a clear handoff.
30-min scoping call
We agree the boundaries, the trigger you're solving for, and a fixed fee. No obligation.
Read-only access
Scoped, read-only access to the systems in question. NDA and least-privilege by default. → See exactly how access works
First-principles drill-down
I work the system from the outside in: threat modelling, hardening checks, reliability review.
Report + walkthrough
Findings ranked by severity, a prioritised remediation plan, and a live walkthrough with your team.
An audit is a trust purchase. Here's who you're trusting.
SecOps Lab is the vehicle; the work is done by me. I'm a Senior SRE who has run production infrastructure where the cost of getting it wrong is real money, including a major crypto exchange (Kraken), where I supported a platform of 700+ engineers, and enterprise fintech at N26.
My background spans both halves of this work: a SOC analyst / threat-hunting past (SIEM detection engineering, real CVE discovery) and years of hands-on SRE and platform engineering: STRIDE threat modelling, CIS hardening, bare-metal Kubernetes, and CI/CD pipelines rebuilt to ship faster and more safely. That combination is what an infrastructure audit actually needs: security depth and the operational reality of running the thing in production.
It's also why this work doesn't hand off well to a generic scanner. It needs live access to a messy real system, and someone accountable applying judgement to what they actually find there.
Prefer to check before you trust? See the full track record on LinkedIn, or ask me to walk through any of it in detail on the scoping call.
Who this is — and isn't — for.
A good audit starts with telling you the truth. Same applies to whether you should hire one.
✓ A strong fit if you're…
- → A scaling company (Seed → Series B-ish) whose infra has never been formally reviewed.
- → Facing a forcing function: SOC 2, a customer security questionnaire, or investor diligence.
- → A crypto or fintech team where the cost of a breach or outage is existential.
- → Without the in-house security/SRE depth to audit yourselves objectively.
✗ Probably not for you if…
- → You're a large exchange or enterprise with a mature internal security team.
- → You're pre-product with nothing in production to audit yet.
- → You want someone embedded full-time on an endless ticket queue — that's a hire, not an audit.
- → You want a clean report to wave at someone. The findings here are real and you'll have to act on them.
Letting an outsider near prod is the scary part. Here's how I handle it.
A security auditor should expect to be security-questionnaired right back. These are the answers up front. Happy to complete your vendor questionnaire too.
How is access granted — and revoked?
Scoped, least-privilege, time-boxed, read-only access to exactly the systems in the agreed scope, nothing wider. Access is granted under NDA at the start and revoked the moment the engagement ends. You provision it, you can pull it at any time, and you keep the audit log.
Do you ever execute anything, or purely read?
Read and observe by default. This is an analysis of how your systems are built, closer in spirit to a code review than to a pen test. Any active testing that could touch a running system happens only with explicit, written sign-off on specific actions. Otherwise I never run anything against your infrastructure.
Where do my data and the findings report live?
Findings are kept to the minimum needed to do the work, held in an encrypted store under my control, and the report is delivered to you directly. On request, all working data is destroyed after delivery and you receive written confirmation. Your report is yours; it's never shared or reused.
What's your own security posture?
Encrypted disks, hardware-key 2FA, a hardened workstation, secrets in a dedicated manager, and the same least-privilege discipline I audit you for. I'll fill in your vendor security questionnaire like any other supplier. Fair question to ask; I'd ask it too.
You're one person — what if you're unavailable mid-engagement?
Honest answer: engagements are deliberately short (1–3 weeks) to keep that risk small, and scope/fee are fixed in writing. If something serious interrupts an audit, you're never charged for undelivered work, the timeline is reset by agreement, and any access you granted is revoked until we resume. No open-ended exposure on either side.
Will this make my team look bad?
No. The report is written with that in mind: findings describe the system as it stands today, with no names and no blame, and are framed as the prioritised plan that wins you budget to fix them. Every scaling company has this debt. The proactive move is having it mapped before a customer or investor finds it for you.
Find the problems before diligence does.
Book a free 30-minute scoping call. We'll figure out whether an audit makes sense for you, and if it does, you'll leave with a fixed scope and a fixed fee.