Speaking

Keynotes, workshops, and private training.

Sessions calibrated to the audience. From a fifteen minute board update to a full day practitioner workshop, every engagement is written for the room and grounded in primary source material.

Portrait of Steve Springett, speaker

Formats

Choose the room, choose the format.

  • Keynote. Thirty to sixty minutes on the trajectory of software transparency, what is changing, and what your audience should do about it.
  • Executive briefing. A focused board or leadership session on regulation, risk, and strategic posture. Typically under an hour, with discussion.
  • Practitioner workshop. Half day or full day deep dive for engineering and security teams. Hands on with CycloneDX, Dependency‑Track, and the operational playbook.
  • Panel and fireside chat. Moderated discussion with regulators, practitioners, or customers on policy and practice.
  • Private training course. Multi session curriculum delivered to a single organization, with pre reading, labs, and graded assessments.

Signature topics

Sessions I give most often.

Each topic is available as a keynote, an executive briefing, or a workshop, and each is refreshed continuously as the underlying standards evolve.

Strategy

Illuminating transparency: the evolution of Software Bill of Materials (SBOM) and beyond

A tour of where SBOM started, where it is today, and where the standards are taking it next. Covers CycloneDX, Cryptography Bill of Materials (CBOM), Machine Learning Bill of Materials (ML‑BOM), Operations Bill of Materials (OBOM), attestations, and the Transparency Exchange API.

Regulation

The regulatory map of 2026

The EU Cyber Resilience Act (CRA), U.S. Executive Order 14028 derivatives, U.S. Food and Drug Administration (FDA) premarket cybersecurity guidance, and sector specific mandates. What they require, what they actually mean for engineering, and how to stay ahead of the deadlines.

Practice

Software Bill of Materials (SBOM) quality: the five dimensions that actually matter

Most SBOMs are produced, few are useful. A practical framework for evaluating generation, completeness, accuracy, context, and freshness, and for fixing the ones that fall short.

Cryptography

Cryptography Bill of Materials (CBOM) and the post quantum transition

CBOM as the foundation for a measurable path to post quantum cryptography, which describes the next generation of algorithms designed to resist attack from future quantum computers. Inventory, exposure mapping, and migration planning at enterprise scale.

Operations

Ten years of Dependency‑Track: what the data taught us

Lessons from a decade of production component analysis. What vulnerability management has actually learned, and what is still unsolved.

Leadership

The supply chain question every board is going to ask

A briefing for non technical leaders. What software supply chain risk is, why it is now a board concern, and the five questions directors should be asking their executive teams.

Selected venues

Where I have recently spoken.

I present regularly at global industry conferences, OWASP events, government workshops, academic programs, and private customer gatherings. Recent examples include:

  • OWASP Global AppSec, the flagship application security conference of the Open Worldwide Application Security Project (multiple years, multiple regions): Keynote / Session
  • RSA Conference and ecosystem events: Session / Panel
  • Black Hat and Def Con village stages: Session
  • ChiBrrCon, BSides, and regional security conferences: Keynote / Session
  • Government and regulator workshops on Software Bill of Materials (SBOM) and supply chain policy: Briefing
  • Private customer and partner events for enterprise technology vendors: Keynote
  • University guest lectures and industry advisory boards: Lecture

A current speaking kit with bio, headshot, topic abstracts, and AV requirements is available on request.

Inviting me to speak or train your team?

Tell me about the audience, the format, and the outcome you want attendees to leave with. I will respond with a tailored proposal, and I do read every request personally.