Fractional security engineering · Greater Philadelphia

The senior security engineer your roadmap is waiting on.

Engineering-led companies hit a moment where security suddenly becomes urgent: a customer demands SOC 2, an enterprise prospect sends a 200-question security review, the board asks who owns this. Hiring a senior security engineer takes six months. CraftedSecure is the bridge: senior, embedded, hands-on security engineering for B2B SaaS, marketplace, and ops-tech companies between Series A and Series B.

Resilience without the noise. Quietly preventing chaos before it happens.

20+ years · Security engineering at unicorn-stage startups (Gopuff, Veho) and Fortune 50 enterprise (Comcast)
1 → 6 security engineers · Multiple experiences as a founding security engineer, building great teams from zero or near zero
ISO 27001, zero exceptions · Previous experience with ISO 27001, NIST CSF, HIPAA, ITIL, HITECH, FISMA
Damion Waltermeyer
About

Senior engineering judgment, not security theater.

CraftedSecure is the practice of Damion Waltermeyer, a principal-level security engineer with 25+ years in technology and 15+ years in security engineering, with highlights including senior and lead roles at unicorn-stage startups (Gopuff, Veho) and Fortune 50 enterprise (Comcast). Earlier startup work includes three years as an early engineer at Connectify, performing DevOps and security functions on Docker during its alpha and beta releases.

He joined a two-person security team at Gopuff and led it through 2.5 years of hypergrowth, expanding to six engineers plus an external red team while the company scaled from 65 to 400+ software engineers and from $750M to $15B in valuation. He provided the security engineering guidance and evidence that carried Veho's ISO 27001 certification through with zero exceptions, partnering with the GRC director who led the program. He identified $300K of annual SMS fraud at Gopuff through investigation, observability, and analytics work that pinpointed the abuse pattern, and built DevSecOps automation supporting one of the world's largest HashiCorp Vault deployments at Comcast. His most recent work is post-acquisition security integration at Vistar Media following its 2025 T-Mobile acquisition.

The approach is quiet and specific: find what can actually break, fix what matters, document what auditors need. No inflated programs. No tooling sprawl. No 90-page decks that no one reads.

Background

Principal Security Engineer · Security Engineering Manager · DevSecOps

Focus areas

Cloud security · Identity · Compliance · Detection engineering

Find me

LinkedIn →

Engagements

Four ways to work together.

/ 01

Founding Advisor

On retainer for senior judgment when it matters. Architecture review, policy guidance, security questionnaire support, hiring help when you're ready for your first internal security hire.

Best when you're seed or pre-Series-A and need senior judgment occasionally, but aren't ready for full delivery.

$3,500 / month

/ 02

Pre-Acquisition Security Assessment

A deal-critical exposure map for acquirers evaluating a target, delivered as a decision memo your investment committee can use. Two weeks, fixed scope, fixed price. Direct experience on both sides, buy-side diligence and post-acquisition integration.

Best when an acquisition is on the horizon and you need clear technical risk and compliance answers within two weeks.

From $12,000 · scoped per target

/ 03

SOC 2 Type 1 Readiness

A 90-day fixed-fee program from zero to audit-ready. Control scoping, policy authoring, hands-on remediation, evidence collection organized for your auditor, and a 12-month maintenance plan at close. Audit-ready or we keep working at no additional cost.

Best when you have a customer or board-driven SOC 2 deadline within four to six months and no security engineer on staff to run the program.

$28,000 – $40,000 · 90-day fixed fee

/ 04

Embedded Security Engineer

Ongoing senior delivery scoped to outcomes rather than hours. Vulnerability management, AWS hardening, incident response readiness, application security review, engineer enablement. The work, not just the framework.

Best when you have a real and growing security workload but no headcount yet, and you'd rather not wait six months to start.

$8,000 – $12,000 / month · Up to 2 days / week

Approach

Deliberate. Quiet. Adapted to how you actually operate.

  1. A short, confidential intake call

    Ten minutes. The goal is to understand the stakes, the timeline, and whether we're a fit. No slide decks. No pitch.

  2. A focused diagnostic on what can realistically break

    Not a generic checklist. We look at what matters to your business, your customers, and any deadlines on the horizon. Then we put it in writing.

  3. Clear findings with options

    Written deliverables that name the tradeoffs: what to fix now, what can wait, what an auditor will actually ask for. Decisions stay with you.

  4. Hand-off, or an ongoing partnership

    Some engagements end at delivery, with documentation thorough enough that your first internal hire can pick up where we left off. Others become continuing relationships. You decide the cadence.

Community

Known in the field, not just listed on it.

Active leader in the Philadelphia security and engineering community for over a decade, organizing, speaking, and contributing to the conversations that shape how practitioners actually do the work.

Organizer

  • PhillySec Meetup · since 2013
  • PhillyDevOps Meetup · 2016–2024 (looking for a new home)
  • BSides Philly · since 2016
  • DevOpsDays Philadelphia · since 2018

Speaking & Recognition

  • Ablative Resilience · DevOpsDays Philadelphia · 2025
  • Myiasis: Embedded Hardware Security · PumpCon · 2013
  • Microsoft Azure Sentinel Hackathon · 2nd of 283 teams · 2020

Memberships

  • InfraGard · since 2013
  • OWASP · since 2022

Writing

Field notes on the work.

Practical writing on the security decisions that actually move deals, pass audits, and hold up under pressure.

On Medium

Resilience by Design.

Why resilience can't be bolted on to a finished system, and what it actually looks like to build it in from the start, across infrastructure, teams, and incident response.

Read on Medium →

Start the conversation

Tell me what's on the horizon. I'll reply within one business day.

The fastest path is a 10-minute intro call. I'll listen for ten minutes, ask sharp questions, and tell you honestly whether I can help. If we're a fit, I'll send a scoped SOW that day.

Book a 10-minute intro call →

Prefer to write first?

Email: info@craftedsecure.com

Signal, Proton, and PGP available for clients with specific confidentiality requirements.