The problem is resolved. No one outside your organization knows we were there.
Retained when the situation is serious and the margin for error is zero.
Failed AppSec programs almost never fail because of an individual contributor (IC). They fail because someone above them defunded the effort, ignored the warnings, or created conditions where security couldn't function. That's who I'm looking for when I come in. The work starts there.
The AppSec engineer is gone. Coverage is zero. Something ships this week. You need the function covered now — not after a six-week search process concludes.
A window opened — compliance, acquisition, or incident response. The gaps need to close before external scrutiny arrives. There is no time for orientation.
Ownership is nominally assigned. Nothing is actually happening. You need someone to build the function and make it operational — not advise on it from a distance.
A firm delivered findings. Nothing changed. The work didn't account for how your engineering organization actually operates. You need someone who goes inside.
Engagements are scoped precisely before work begins. Deliverables, timeline, and obligations on both sides are stated without ambiguity. Scope drift is not tolerated in either direction.
If something requires your attention or a decision, you will be told immediately — without diplomatic softening. Clients who act on findings get the outcome. Clients who don't are told so directly.
Describe the situation. One message. No intake process, no preliminary calls with anyone but the practitioner. If the engagement is appropriate, you will hear back within 24 hours.
Deliverables, timeline, and cost are defined before anything starts. Minimum engagement is 40 hours. The SOW is signed. The deposit clears. Work begins.
The work is done. Findings are stated plainly. If a recommendation involves a leadership decision — including personnel — it will be delivered just as plainly and without softening.
The engagement succeeds when you act on what is found. You will be told precisely what that requires. That expectation is mutual and it starts at contact.
Thomas Jost. I've been in software since I was nine — security came later, after a decade building production systems across web, platform, and infrastructure. I crossed to AppSec because I cared too much about the code to pretend the risk wasn't there.
The most useful thing I ever did was build an AppSec program that collapsed. Not from lack of technical competence — from moving alone, without trust, faster than the organization could absorb. I presented that failure in full, on record, at DEF CON and OWASP AppSec Global. Not as a confession. As a case study. The failure pattern is documented. The fix is learnable. I know both because I've lived both.
Security guidance that doesn't account for how software is actually built, shipped, and maintained under production pressure does not work. Every recommendation made here has been tested against real engineering constraints — not derived from a framework.
This is not a firm. There is no bench. You get the practitioner — the one who has been in the room when it fails, and knows what it takes to leave it in better condition than it was found.
On record
Scope of practice
Delivered twice — DEF CON 33 and OWASP AppSec Global. A public account of a program failure: what was built, what broke it, and the specific decisions that turned a functioning security practice into something engineering actively avoided.
It is not a redemption arc. It is a failure analysis. The reason it exists publicly is that the pattern recurs — and practitioners who haven't lived it tend to repeat it. The operating principles built from it are what Nullra runs on.
Nullra does not publish client names -- not as a policy disclaimer, but as a professional commitment.
The measure of a successful engagement is simple: the problem is resolved, and no one outside your organization knows we were involved. We hold that standard without exception.
There is no client roster. No case studies. No testimonials. If you require a reference, you already know someone who has retained us.
Ask them.
No intake process. No preliminary calls with anyone but the practitioner. If this is the right engagement, the response will be direct and within 24 hours.
All conversations are confidential. Submissions are PGP encrypted.