I don't just advise on security — I build it. Creator of tachi and AOD.
I lead enterprise security programs where strategy meets engineering — across application security, AI/ML security, and cloud security, grounded in the risk, compliance, and governance discipline that regulated environments demand. Today I lead compliance, risk, and security architecture for the Commonwealth of Massachusetts' Business Enterprise System Transformation (BEST) program, and I've served as a fractional CISO bringing senior security leadership to organizations that need it without a full-time hire.
What sets me apart is range: I pair executive security leadership with the hands-on technical depth a modern CISO or VP of Cybersecurity role demands.
- Enterprise risk, compliance & security architecture — Lead compliance, risk, and security architecture for the Commonwealth of Massachusetts' Business Enterprise System Transformation (BEST) program.
- Fractional CISO — Bring CISO-level security leadership to organizations that need it without a full-time hire.
- Application, AI & cloud security — Secure modern application, AI-agent, and cloud workloads through threat modeling, secure-by-design architecture, and governance.
- Security strategy & governance — Translate risk and compliance requirements into security architecture and program governance for regulated, AI-forward environments.
I build the tooling I'd deploy on my own security team — practical, governed, and verifiable.
- tachi (flagship project) — Threat Modeling and Vulnerability Detection Harness for Claude Code. An AI-reasoning security scanner (STRIDE + AI + MAESTRO) that reasons over your architecture to catch the logic-level risks SAST can't reach. OWASP 50/50 coverage across LLM 2025, Agentic 2026, ML 2023, Mobile 2024, and Web/API 2021/2023 — every catalogued threat in all five frameworks has a detection agent, with byte-deterministic, reproducible verification.
- AOD — Agentic Oriented Development (newly launched) — An open-source methodology and toolkit for governed AI-assisted development: a three-role Triad (PM · Architect · Team-Lead) and a six-stage lifecycle that produce specs an agent can't bypass at build time. Ships with stack packs, Claude-led security scanning, and structured thinking lenses. (GitHub)
- Cybersecurity Content — The Security Manifesto for AI-assisted development and the Seven Strategic Cybersecurity Posture Domains framework.
- Agentic-Oriented Development — My book series and the Agentic Shift newsletter on agentic development. Subscribe on LinkedIn
Smaller builds that keep me close to the code:
| Repo | What it does |
|---|---|
| GitHubDevOps | SwiftUI app for GitHub CI/CD metrics via the GraphQL API. |
| StockWatcher | Swift application for stock watching via Alpha Vantage. |
- LinkedIn — the best way to reach me
- davidmatousek.com
- Book a call