withinfocus, Inc.

Software consulting, cybersecurity, and AI adoption.

One practice, three intertwined disciplines. In modern engineering organizations these are the same conversation from three angles.

Start a conversation See the background

Engineering leadership

Engineering organizations have predictable failure modes as they grow: unclear ownership, on-call that punishes the people who care most, and a gap between what leadership thinks the engineers are doing and what they actually are. The work is operational clarity -- who decides, who is accountable, and what "good" looks like when no one is watching.

Where I've done this
  • Co-founder & CTO -- iMobile3, zero to acquisition
  • Engineering manager -- Olo, through IPO
  • Director, Platform Services -- Global Payments
  • Embedded leadership -- large security and financial orgs

Security

My security foundation comes from payments -- PCI DSS wasn't an afterthought at iMobile3, it was the shape of the system. That framing (trust boundary, data flow, compensating control) still drives how I design and review systems. I build security into the work, not around it:

  • Threat model where it matters. Auth, money, PII, and third-party trust -- not everything.
  • Secure SDLC engineers respect. Short feedback loops that earn their place.
  • Compliance as a side effect. Get the baseline right and SOC 2 / ISO 27001 document what is already true.
  • Incident preparedness. Runbooks rehearsed before they are needed.
Frameworks & standards
  • PCI DSS -- scope design, compensating controls
  • SOC 2 / ISO 27001 -- posture, evidence, audit prep
  • Threat modeling -- STRIDE, data-flow driven
  • Secure SDLC -- pre-commit through production
  • Microsoft MVP -- Developer Security & Enterprise Security
A security program the engineering team doesn't believe in won't survive contact with a deadline.

AI adoption

I treat AI adoption as a security discipline, because it is one. Every LLM, agent, or RAG pipeline introduces new trust boundaries and new adversaries. The mature approach is to extend existing security practice over those surfaces, not start a parallel program:

  • Model and agent threat modeling. Prompt injection, tool-use abuse, data exfiltration, supply-chain risk.
  • Data governance. What the model can see, return, and log -- and how that holds when agents are chained.
  • Guardrails teams adopt. Standard patterns and allow-listed tools so engineers don't improvise into a breach.
  • AI to accelerate security. Code review, threat modeling assistance, scanner triage -- humans in the loop.
AI surfaces I work on
  • Agent workflows -- tool-use chains, MCP servers
  • RAG pipelines -- retrieval, grounding, eval
  • Policy & guardrails -- allow-lists, data boundaries
  • Executive strategy -- where AI helps, where it doesn't

Where this shows up

  • Security architecture reviews and threat modeling, including AI-touching features.
  • PCI DSS scope design, SOC 2 / ISO 27001 posture, and payment-security architecture.
  • Secure SDLC across distributed engineering organizations.
  • Engineering organization design, on-call, incident response, and SRE practices.
  • AI integration: agent workflows, MCP servers, RAG pipelines, eval harnesses -- with policy and guardrails.
Engagement models
  • Embedded -- join the team for a quarter or longer
  • Advisory -- recurring sessions with leadership
  • Project -- scoped deliverable, fixed timeline

Get in touch

If any of this is the shape of the problem you're working on, I'd like to hear about it.

matt@withinfocus.com