Killed a Trivy false-positive treadmill for a client — 412 "critical" findings down to 9 actually-reachable ones. Engineering stopped ignoring the scanner. P0 backlog cleared in 11 days.
I focus on the areas with the most impact — not surface-level audits. Initially, this means identifying the primary sources of security risk, pipeline drag, and cloud spend in your stack. From there, I ship fixes directly and provide proof of their effectiveness.
Most clients see meaningful results within the first month: 60–90% reductions in critical findings, CI/CD runtime, or cloud spend are typical outcomes.
I work embedded in your team (Slack / team chat) and handle issues end-to-end rather than handing off reports or recommendations.
What I actually do
- Vuln triage that ignores the noise. Reachability-based prioritization. The 12 findings out of 800 that actually matter — with proof of exploitability, not CVSS theater.
- CI/CD hardening and cost cuts. Pin actions, kill PPE risks, parallelize jobs, drop GitHub Actions spend. Pipelines that finish faster and stop leaking secrets.
- Cloud cost surgery. AWS bill broken down by service, team, and feature. Right-sized infra, killed idle resources, fixed egress traps. Receipts in the next invoice.
- SAST / DAST / IaC that runs on every PR. Trivy, Snyk, Grype, Checkov, Nuclei — wired into Actions with policy gates that block real risk and don't slow shipping.
- AI & MCP security. Threat models for agentic systems, prompt-injection guardrails, MCP supply-chain monitoring. The stuff your current tooling doesn't cover yet.
Engineering teams I've worked with
Security and infrastructure work across Fortune 500 and growth-stage orgs.
- CommScope
- HD Supply
- McKesson
- National Philanthropic Trust
- Roper Technologies
Recent wins
Found a tj-actions-style supply chain risk in a Series B's release pipeline — unpinned third-party action with write-all permissions. 22 repos patched in one PR sweep before the next disclosure cycle.
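As an added illustration of the two checks behind that fix (unpinned third-party actions and `permissions: write-all`), here is a small stdlib-only scanner over GitHub Actions workflow text. It is example code written for this page, not code from any client engagement; the workflow it scans is constructed, and the action names in it are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow (not from any real repo): write-all permissions,
# two actions pinned only to a tag/branch, one pinned to a full commit SHA,
# and one local composite action that needs no remote pin.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/third-party-action@main
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b  # pinned
      - uses: ./.github/actions/local-step
      - run: npm ci
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                # full commit SHA only
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # `uses:` ref, minus comments
PERM_RE = re.compile(r"^\s*permissions:\s*write-all\b")

@dataclass
class Finding:
    line: int
    kind: str     # "unpinned" or "write-all"
    detail: str

def scan_workflow(text: str) -> List[Finding]:
    """Flag remote actions not pinned to a 40-hex commit SHA (tags and
    branches are mutable) and any workflow- or job-level write-all grant."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if PERM_RE.match(line):
            findings.append(Finding(n, "write-all", line.strip()))
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// images are not git refs; skip them here.
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(Finding(n, "unpinned", ref))
    return findings

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run it against `.github/workflows/*.yml` in CI to fail the build on either finding; the remediation is a SHA pin for each flagged `uses:` and an explicit least-privilege `permissions:` block.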
Rewired a client's GitHub Actions matrix and cut monthly minutes by 64%. Same coverage, half the runtime, <$2k/mo saved. Security checks moved earlier in the pipeline as a side effect.
Audited an MCP server a client shipped to prod last quarter. Found unauthenticated tool calls reachable from a public agent endpoint. Hardened the boundary, added structured audit logs, and wrote the runbook their team now uses for every new MCP.
AWS bill review for a fintech client: idle NAT gateways, oversized RDS, abandoned EKS node groups. $11k/month gone in week one. Security groups tightened along the way.
Built a reachability-aware SAST gate for a client's monorepo. Blocks PRs only when a finding actually hits a network sink or auth boundary. Devs stopped opening "ignore this" issues. Real risk score adoption hit 100% in 3 sprints.
Work with me
If you're shipping fast and your security posture, pipeline cost, or cloud bill has gotten away from you — let's talk. One call to scope the problem, no slide decks.
cam@camgrimsec.com