Fix the cloud controls blocking your security review

For B2B SaaS and AI-product teams: I implement the IAM, logging, CI/CD, vulnerability, backup, and AI-workload controls that auditors, enterprise buyers, and security questionnaires ask for.

15-minute fit call · Clear yes or no · Not an audit or sales pitch

Musah Abdulai · Cloud Controls Engineer

Google Cloud Professional DevOps Engineer

Demo data (controls-review · acme-corp.report)

Finding | System | Severity
Admin access lacks MFA evidence | AWS · IAM | High
Cloud audit logs not retained for review period | GCP · Logging | High
No deploy approval evidence for production | GitHub · CI | Medium
AI feature has no token spend guardrail | Vertex AI | Medium

+ 5 more findings · 48-hour Controls Review output · View full report →

When this is worth fixing

If one of these is true, the 15-minute call is probably worth it.

  • SOC 2 readiness gaps
  • Enterprise security questionnaire
  • Vanta / Drata / Secureframe failing checks
  • Customer asks for cloud evidence
  • AI feature with customer data
  • Founder / CTO needs a remediation plan

What gets fixed

Controls I implement and document

The actual control surfaces buyers, auditors, and compliance platforms ask for evidence on.

Access controls

  • MFA / admin review
  • Least privilege
  • Service-account cleanup
  • Offboarding evidence

Logging & monitoring

  • Audit logs
  • Retention policies
  • Alert routing
  • Evidence screenshots / exports

CI/CD & change management

  • Branch protection
  • Required reviews
  • Deployment approvals
  • Release evidence

Vulnerability & secrets hygiene

  • Dependency scanning
  • Container / image scanning
  • Secret scanning
  • Remediation queue

Backups, recovery & availability

  • Backup configuration
  • Restore-test evidence
  • Incident runbook
  • Status / alerting checks

AI workload controls

  • Model endpoint auth
  • Prompt / tool-call logging
  • Spend caps
  • RAG document boundaries
  • Data-retention review

The deliverable

See the report before you book

Every Controls Review ends in a written findings report — severity, affected system, what evidence is needed, and a fix plan with effort estimate.

Demo data (controls-review · acme-corp.report)

Findings report

Cloud controls — Acme Corp

HIGH: 3 · MEDIUM: 5 · LOW: 1

Finding | Severity | Affected system | Evidence requested | Fix
CloudTrail not enabled in 2 of 3 production accounts | High | AWS / CloudTrail | CloudTrail status export · org-level config | 1–2 days
Service-account keys not rotated in 11 months | High | GCP / IAM | IAM key inventory · rotation policy | 2–3 days
No required reviews on production deploy workflow | Medium | GitHub Actions | Branch protection screenshot · CODEOWNERS | ≤ 1 day

+ 6 more findings · full report includes buyer/audit relevance, owner, and fix path for each.

The first finding above is the kind that blocks an enterprise security review. The buyer's procurement team will paste it back at you in week three of a six-week deal cycle.

— Musah's note
View full sample report · 9 findings · HTML + PDF

How it works

Two fixed-scope phases. Decide after 48 hours.

The first 48 hours give you the findings report and a real plan. The Sprint that follows ships the fixes and the evidence folder. No open-ended retainer required.

Step 1 · 48 hours

Controls Review

Read-only review of selected cloud, repo, CI/CD, logging, and compliance-platform evidence.

Output: Prioritized findings + implementation plan.

Step 2 · 1–2 weeks

Controls Sprint

Fixed-scope implementation sprint with merged fixes and packaged evidence.

Output: Merged PRs, evidence folder, questionnaire-ready answers.

Step 3 · Optional retainer

Follow-through

Continued remediation, auditor follow-up, or security-questionnaire support.

Output: Ongoing evidence maintenance & response support.

Book a controls review · 15-minute fit call · clear yes or no
Musah Abdulai · Google Cloud Professional DevOps Engineer (verified on Credly →)

About

One engineer, focused on cloud controls implementation.

I work directly with founders, CTOs, and platform leads at B2B SaaS and AI-product companies. The engagement is narrow on purpose: implement and document the cloud, CI/CD, logging, vulnerability, backup, and AI-workload controls that customer security reviews, auditors, and compliance platforms ask for.

I am not your auditor, your lawyer, or your pentester. Engagements are fixed-scope. The first 48 hours give you a written findings report; the 1–2 week sprint that follows ships merged fixes, an evidence folder, and questionnaire-ready answers.

Focus

  • Cloud controls (AWS · Azure · GCP)
  • SOC 2 readiness
  • Customer security questionnaires
  • AI workload controls
  • Evidence packaging

Who this is for

Good fit

  • You sell B2B SaaS or AI software.
  • A customer, auditor, investor, or compliance platform is asking for evidence.
  • You use AWS, Azure, GCP, GitHub / GitLab, CI/CD, containers, or managed databases.
  • You need engineering implementation, not only policy writing.
  • You want a fixed-scope review before committing to larger work.

Not a fit

  • You need a CPA audit or formal SOC 2 attestation.
  • You need a legal opinion.
  • You need a full traditional pentest.
  • You cannot grant safe read-only access or provide evidence exports.
  • You only want generic compliance templates with no engineering implementation.

Frequently asked

Are you a SOC 2 auditor?

No. I am not your auditor. I implement and document the engineering controls and evidence your auditor, platform, or enterprise buyer asks for.

Do you work with Vanta, Drata, or Secureframe?

Yes. I fix failing controls and produce the engineering evidence those platforms expect — IAM, audit logs, branch protection, scanning, backups, and AI workload controls.

Which clouds do you support?

AWS, Azure, and GCP. Most engagements touch a primary cloud plus GitHub or GitLab. I do not position this as GCP-only.

What access do you need?

Read-only access to relevant cloud, repo, CI/CD, logging, and compliance-platform consoles, or exported evidence files. We scope access narrowly during the kickoff.

Can you work with our existing DevOps / security team?

Yes. The engagement is structured so your team owns the systems. I produce findings, fixes, and evidence — your team reviews and merges.

What do we get after the review?

A prioritized findings report (severity, system, evidence requested, fix path, effort), and an implementation plan. After the Controls Sprint you also get merged fixes, an evidence folder, and questionnaire-ready answers.

Can you help answer security questionnaires?

Yes. The Controls Sprint output is structured so the answers and evidence can be pasted directly into customer questionnaires and trust-center entries.

What if we are mostly on GCP?

Fine. GCP is one of three supported clouds. I hold the Google Cloud Professional DevOps Engineer certification, but engagements regularly cover AWS and Azure too.

What if we have AI features?

The AI add-on covers data access, prompt and tool-call logging, retention, tenant isolation, spend caps, and abuse handling for RAG, agents, and LLM endpoints.

Book the call

Need cloud evidence for a security review?

I'll take the call myself. 15 minutes. Clear yes or no after.

Book a controls review · Fixed-scope · Not an audit, attestation, legal review, or pentest.