What People Say

Vaclav advised us on security for our iGaming platform. He's one of the few security experts I've met who can go deep into technical details and then zoom out to design processes that scale across a 500-person engineering org. What made him particularly effective in our case is his combination of security expertise and real anti-fraud experience — in iGaming that overlap is critical and hard to find. He understood our threat landscape without lengthy explanations and gave us a clear, actionable plan.

Vaclav helped xAID as an independent advisor right after our pivot — we needed ISO 27001 readiness and to pass KYC to expand the business. He took ownership of the compliance project, moved fast, and guided our leadership through every key decision. For a startup with no in-house security team, having someone who combines deep expertise with a practical, no-overhead approach was exactly what we needed. Happy to recommend.

Vaclav led a security audit of our online services — and he really delivered. He found vulnerabilities, explained everything clearly, and after his recommendations we were able to fix everything quickly. Communication was easy and straightforward: any question could be resolved fast, no unnecessary formalities or delays. It's a pleasure to work with him — both professionally and personally. We'll definitely reach out again and can confidently recommend him.

I would like to thank Vaclav for helping to improve the practical information security of Beeline digital services.

Highly recommend Vaclav for cybersecurity advice — clear, practical, and extremely helpful.

As CTO, I worked with Vaclav when he led security. He is highly proactive: he spots issues early, brings concrete options, and moves things forward without needing constant input. Vaclav is also fully autonomous in building security processes from scratch — he can align stakeholders, make pragmatic trade-offs, and deliver real improvements in how security works with engineering. On a personal note, it was genuinely great working with him — clear, reliable, and easy to partner with.

Working with Vaclav means working with a highly motivated person who is full of ideas for improvement. His proactivity and willingness to interact with any stakeholders far beyond the usual circle of technical specialists allows information security to function as a full-fledged business partner that anticipates and responds to real business challenges. Vaclav is able to take into account the maturity of the company, available resources, and key changes, which allows him to be a real driver of improvement rather than an abstract expert.

I led the AppSec team at inDrive reporting to Vaclav as CISO for over two years. He changed how I think about running security — not just what to do, but how to organize it. Using Team Topologies and Kanban STATIK for security teams, introducing Security Error Budget so engineers stopped chasing developers with daily "when will you fix this?" reminders, scaling the team without slowing down — I picked all of this up from him. We built the Security Architecture Review process together, and Vaclav's expertise is what made it work well enough for engineers to actually trust it. The team wouldn't have achieved what we did without his leadership — it's one of those rare cases where one person's direction truly shaped the result. Beyond our direct work together, I've watched Vaclav's practices — especially Security Error Budget and his approach to centralized vulnerability lifecycle management — get adopted across the industry after his HighLoad++ talk. I applied them myself at Yandex. The way he does AppSec is ahead of where most of the market is today, and the fact that these methods spread to other companies makes the whole field stronger. I'd be glad to work with him again and hope we get the chance someday.

Vaclav transformed how my R&D organization thinks about security. Instead of bolting it on as a separate gate, he embedded AppSec and Pentest directly into our development rhythm — lightweight architecture reviews, actionable feedback, zero bureaucratic overhead. Having seen heavy-weight security processes in enterprise environments, I can say Vaclav's approach is refreshingly different. Teams actually trust and use it because it fits their context and velocity. His Security Error Budget metric became a real decision-making tool for me — one dashboard to see posture across all teams and allocate resources where they matter most. What sets Vaclav apart is his forward thinking. He's constantly exploring how AI can strengthen security — and equally important, how the rise of AI agents creates entirely new threat surfaces. He doesn't wait for incidents; he's already working on what's next.

Vaclav has exceptional expertise in incident investigation and response process design. His direct technical contribution to SOC operations — not just oversight, but real investigative depth — helped our team navigate serious challenges and deliver faster, higher-quality results. He builds processes with zero busywork. Every workflow exists for a reason, and resources go where they create the most business value. Vaclav brought the expertise and made the business case for migrating to Splunk — which directly improved our analysts' speed and alert quality. As a leader, Vaclav stands out in how he handles the stress and uncertainty that comes with security work. Even during the hardest incidents, he sets the right tone for the team and keeps people from burning out. His management approach is structured and consistent: regular 1-on-1s across the hierarchy, OKRs and KPIs for teams, clear personal accountability for outcomes. This framework is what allows a security team to achieve more with the same resources.

At City-Mobil Vaclav was one of the key people behind our security function during a period of rapid growth into 60+ cities. What I noticed as CEO is that security worked — we had no major incidents, the team operated efficiently on a lean budget, and it never became a blocker for the business. That combination is harder to achieve than it sounds, especially at our pace. Vaclav is someone who gets things done quietly and reliably, which is exactly what you want from security.

I've worked with Vaclav across several dimensions — as a Program Committee member, as a podcast guest, and as a fellow industry professional I regularly exchange ideas with on complex technical and security challenges. What sets him apart is his ability to reason about security as a practical engineering and business problem, quickly moving from abstract discussion to concrete decisions, trade-offs, and execution. I highly value these conversations and consider him a strong, trusted peer.

Vaclav is one of the top experts in his field, staying abreast of trends and possessing a deep understanding of modern practices and processes. He is a thought leader who regularly shares his insights and experiences, contributing significantly to the DevSecOps community. His expertise and commitment to advancing security practices make him a valuable asset to any organization. With over ten years of experience across AppSec, InfraSec, and DevSecOps, he tackles security challenges with a holistic perspective.

At Security Code I needed to build DevSecOps processes that would scale to thousands of repositories without drowning in per-repo MRs and approvals. Vaclav's Common Security Pipeline was the right foundation: simple parent-child architecture, proven open-source tools, easy CI/CD integration, and — critically — a centralized approach where all findings land in DefectDojo instead of being scattered across individual repos. We adapted it to our stack and got real security coverage running fast. Years after his ZeroNights 2021 talk, the core design still holds up — I kept developing the approach and presented my own results at HighLoad++ 2024. His work helped us achieve tangible security results in a short time. Thank you for the contribution to the industry.