WORK
Illustrative engagements
Selected examples of how SecureForge AI helps Canadian organizations harden architecture, eliminate configuration drift and govern AI workloads. Client names anonymized; outcomes represent past work and are not promises of future results.
ARCHITECTURE HARDENING · FINTECH
Pre-audit configuration drift in a BC payments platform
A Vancouver fintech preparing for SOC 2 Type II had grown its AWS estate faster than its security baselines. Standing admin roles on production databases, open security-group rules from a deprecated migration and three S3 buckets without encryption-at-rest policies sat unnoticed for months.
SecureForge AI mapped 140 configuration classes across twelve accounts, prioritized findings by audit impact and blast radius, and delivered remediation templates as Terraform modules the platform team could merge incrementally. Engineer-verified evidence packages supported the external assessor review. Three critical drift items were resolved before the audit window opened.
Outcome: Audit passed without major findings on infrastructure configuration. Repeated misconfiguration classes dropped 67% in the following quarter through sustained drift monitoring.
SUPPLY CHAIN · SAAS
Build-pipeline hardening for a Canadian HR platform
A mid-market SaaS company shipping weekly releases had no artifact signing, stored long-lived CI secrets in plain environment variables and allowed any developer to promote builds to production without approval gates.
We reviewed their GitHub Actions pipelines, container build process and deployment hooks. Deliverables included signed-artifact requirements, short-lived OIDC federation to cloud deploy roles, branch-protection rules and a secrets-rotation schedule. A tabletop exercise validated their incident runbook for a compromised build credential scenario.
Outcome: Mean time to detect unauthorized pipeline changes dropped from days to under four hours. Production deploy approvals now require two-party sign-off.
AI GOVERNANCE · HEALTH DATA
LLM endpoint hardening for a clinical documentation pilot
A health-technology firm piloting an LLM-assisted documentation tool needed to demonstrate PIPEDA and BC PIPA-aligned controls before expanding beyond internal testers. The inference endpoint was reachable from staging networks without IP restrictions, logs captured full prompt text including patient identifiers and the vector store retained embeddings indefinitely.
SecureForge AI reviewed the RAG pipeline end to end. We implemented network-boundary recommendations, prompt-log redaction patterns, retention policies for embeddings and access controls separating training data from inference contexts. Engineer-verified documentation supported their privacy impact assessment.
Outcome: Pilot expanded to controlled production use with privacy officer sign-off. No PHI appeared in application logs after hardening.
IDENTITY ENGINEERING · LOGISTICS
Service-account sprawl in a multi-tenant logistics API
Over four years, a logistics API platform accumulated 230 service accounts — many tied to decommissioned integrations, several with project-level owner roles. No central inventory existed and offboarding was manual.
We built a service-account registry, classified accounts by blast radius, removed 89 orphaned credentials and implemented quarterly recertification with automated expiry warnings. Least-privilege templates now govern new account creation.
Outcome: Standing privileged credentials reduced by 61%. New integration onboarding follows a documented approval workflow.
Discuss your hardening goals
Every engagement starts with understanding your architecture and constraints. Tell us what you are building and where you need engineering support.
Request an architecture review