Security Engineering as Code: A CISO’s Framework for Building Consulting Value

Derek, this document is for you - a practical framework for building a security consulting practice using docs-as-code methodology. Everything here is yours to use and adapt. This isn’t just documentation - it’s intellectual property you can package into repeatable, sellable deliverables.

The Opportunity

The Problem Organizations Face

Most organizations struggle with:

  • Tribal knowledge - Critical security procedures exist only in someone’s head

  • Stale documentation - Word docs from 2019 that no one trusts

  • Inconsistent practices - Every engineer does it differently

  • No audit trail - "Who changed the firewall rule?" - nobody knows

  • Onboarding friction - New hires take months to become productive

  • Compliance gaps - Auditors ask for evidence that doesn’t exist

The Value Proposition

What if you could offer clients:

  • Turnkey security documentation systems - Version-controlled, auditable, always current

  • Reference architectures - Proven patterns they can adapt

  • Automation tooling - Scripts that validate security controls

  • Training programs - Teach their teams to maintain it themselves

  • Ongoing advisory - Quarterly reviews, updates, improvements

This is a recurring revenue model built on intellectual property you create once and adapt many times.

Industry Validation

[Figure: Security Consulting Service Flow]

Organizations Using This Approach:

  • Google - All internal documentation version controlled

  • GitLab - 2000+ page handbook, fully public: handbook.gitlab.com

  • Red Hat - All product docs in AsciiDoc, modular documentation framework

  • Microsoft - docs.microsoft.com runs on docs-as-code

  • Spotify - Backstage developer portal

  • HashiCorp - Terraform, Vault, Consul docs as code

  • Elastic - Elasticsearch docs in AsciiDoc

  • NIST - OSCAL (compliance as code)

  • MITRE ATT&CK - Framework as structured data

The Security Tooling Stack

This is what I run daily. Every tool is documented, every configuration is version-controlled, every procedure is repeatable.

Secrets Management with gopass + age

Problem: How do you store API keys, passwords, certificates securely while still being able to use them in scripts?

# gopass - team-friendly password manager built on GPG/age
# Initialize a new password store (--crypto age backs it with age instead of GPG)
gopass init --crypto age

# Store a secret (interactive prompt; the value never appears on the command line)
gopass insert network/ise-admin-password

# Retrieve in scripts: -o prints only the password line. The value is not
# echoed, and only the command (not the secret) lands in shell history.
# Keep it a plain shell variable; export it only if a child process needs it.
ISE_PASS=$(gopass show -o network/ise-admin-password)

# Sync across machines via Git (the store is encrypted; Git only sees ciphertext)
gopass sync

# age - modern encryption (simpler than GPG, audited, no legacy baggage)
# Generate identity (private key); keep the directory and the file user-only
mkdir -p ~/.age && chmod 700 ~/.age
age-keygen -o ~/.age/identity.txt
chmod 600 ~/.age/identity.txt

# Encrypt a file to a recipient (the public key age-keygen printed)
age -e -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    secrets.yaml > secrets.yaml.age

# Decrypt with the identity
age -d -i ~/.age/identity.txt secrets.yaml.age > secrets.yaml
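The same handoff from a Python script, as an added example (not code from PRJ-SECRETS or from gopass itself). It assumes gopass is on PATH, uses the entry name backup/secrets-yaml-passphrase as a placeholder, and makes the subprocess runner injectable so the leak checks can be exercised without gopass installed:

```python
"""Consume a gopass-stored secret from a script without leaking it.

Added example, not code from the page's PRJ-SECRETS. Two rules are enforced:
the secret comes from `gopass show -o` (the password line only) and is handed
to the consumer via stdin or a single environment variable, never in argv,
because argv is readable by every local user through ps(1) and
/proc/<pid>/cmdline. `run` is injectable (an assumption made for testability);
real callers keep the subprocess.run default.
"""
import os
import subprocess
from typing import Callable, Optional, Sequence


def gopass_show(entry: str, run: Callable = subprocess.run) -> str:
    """Return the password line of a gopass entry such as 'network/ise-admin-password'."""
    result = run(["gopass", "show", "-o", entry],
                 capture_output=True, text=True, check=True)
    secret = result.stdout.rstrip("\n")
    if not secret:
        raise RuntimeError(f"gopass returned no secret for {entry}")
    return secret


def run_with_secret(argv: Sequence[str], secret: str, *,
                    env_var: Optional[str] = None,
                    run: Callable = subprocess.run):
    """Run argv with the secret on stdin (default) or in os.environ[env_var].

    Refuses outright if the secret shows up in argv. Prefer stdin: an
    environment variable is still visible in /proc/<pid>/environ to the same
    user and is inherited by every child the consumer spawns.
    """
    argv = list(argv)
    if any(secret in arg for arg in argv):
        raise ValueError("refusing to put a secret on a command line")
    if env_var is not None:
        return run(argv, env={**os.environ, env_var: secret}, check=True)
    return run(argv, input=secret + "\n", text=True, check=True)


if __name__ == "__main__":
    # Encrypt a file with a passphrase pulled from gopass. 'openssl enc -pass
    # stdin' reads the passphrase from standard input, so it never hits argv.
    # The entry name is a placeholder for this example.
    passphrase = gopass_show("backup/secrets-yaml-passphrase")
    run_with_secret(["openssl", "enc", "-aes-256-cbc", "-pbkdf2", "-pass", "stdin",
                     "-in", "secrets.yaml", "-out", "secrets.yaml.enc"], passphrase)
```

The point is the two channels: stdin for one-shot consumers such as openssl enc -pass stdin, a single environment variable only when the tool cannot read stdin, and never argv.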

Consulting Value: Set up secrets management for clients. Train their teams. Audit existing practices. This is a $10-20K engagement for mid-size organizations.

SSH Hardening with Hardware Keys

Problem: SSH keys on laptops get stolen. Passwords get phished. How do you authenticate securely?

# Generate Ed25519 key (modern, fast, secure)
ssh-keygen -t ed25519 -C "evan@workstation" -f ~/.ssh/id_ed25519

# Even better: FIDO2 hardware key (YubiKey, SoloKey)
# The private key never leaves the authenticator; ~/.ssh/id_ed25519_sk holds
# only a key handle that is useless without the device (and a touch), so a
# stolen laptop image cannot be used to authenticate
ssh-keygen -t ed25519-sk -C "evan@yubikey" -f ~/.ssh/id_ed25519_sk

# ~/.ssh/config - hardened SSH client configuration
# ssh(1) keeps the FIRST value it reads for each option, so host-specific
# blocks must come before the 'Host *' defaults; placed after it, their
# settings are silently ignored.

# Post-quantum hybrid key exchange only, for hosts where harvest-now,
# decrypt-later traffic capture matters. sntrup761x25519 combines classical
# X25519 with post-quantum NTRU Prime; OpenSSH 9.9+ also offers the ML-KEM
# hybrid mlkem768x25519-sha256.
Host sensitive-server
    KexAlgorithms sntrup761x25519-sha512@openssh.com

Host *
    # Use only secure algorithms
    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
    HostKeyAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com

    # Security hardening
    ForwardAgent no
    AddKeysToAgent yes
    IdentitiesOnly yes
    HashKnownHosts yes
    VisualHostKey yes

    # Connection settings
    ServerAliveInterval 60
    ServerAliveCountMax 3
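Auditing a client config by eye misses the subtle part, which is that ssh(1) keeps the first value it reads for each option. The resolver below, an added example rather than anything from the page's projects, reproduces that rule for Host blocks and checks the resolved options against a small hardening baseline; the allowed-algorithm sets and the two sample configs are this example's own assumptions, not a published standard:

```python
"""Resolve the effective ssh_config options for a host and audit them.

Added example, not tooling from the page's projects. ssh(1) uses the FIRST
value it obtains for each option while reading top-down, so a 'Host *' block
placed above a more specific block silently overrides it. effective_options()
reproduces that rule for Host patterns (Match blocks are rejected);
audit_host() checks the result against the baseline below, which is this
example's assumption of a sane pinned algorithm set.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

DEFAULTS = {"forwardagent": "no", "identitiesonly": "no", "hashknownhosts": "no"}
WANTED = {  # option -> (required value, why it matters)
    "forwardagent": ("no", "a compromised server can use your agent to hop onward"),
    "identitiesonly": ("yes", "stop offering every loaded key to every host"),
    "hashknownhosts": ("yes", "a stolen known_hosts should not list your servers"),
}
ALLOWED = {
    "kexalgorithms": {"sntrup761x25519-sha512@openssh.com", "mlkem768x25519-sha256",
                      "curve25519-sha256", "curve25519-sha256@libssh.org"},
    "hostkeyalgorithms": {"ssh-ed25519", "sk-ssh-ed25519@openssh.com",
                          "ssh-ed25519-cert-v01@openssh.com",
                          "sk-ssh-ed25519-cert-v01@openssh.com"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
             "umac-128-etm@openssh.com"},
}
_LINE = re.compile(r"^(\w+)(?:\s+|\s*=\s*)(.+?)\s*$")   # 'Key value' or 'Key=value'


def parse_ssh_config(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """[(host patterns, {option: value}), ...] in file order; options before
    the first Host line belong to an implicit 'Host *' block."""
    blocks: List[Tuple[List[str], Dict[str, str]]] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse ssh_config line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            raise ValueError("Match blocks are not supported by this resolver")
        else:
            blocks[-1][1].setdefault(key, value)   # first value wins inside a block too
    return blocks


def _host_applies(patterns: List[str], hostname: str) -> bool:
    """Host matching: some positive pattern matches and no '!' pattern does."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pattern):
            matched = True
    return matched


def effective_options(text: str, hostname: str) -> Dict[str, str]:
    """Apply the first-obtained-value rule across every block matching hostname."""
    resolved: Dict[str, str] = {}
    for patterns, options in parse_ssh_config(text):
        if _host_applies(patterns, hostname):
            for key, value in options.items():
                resolved.setdefault(key, value)
    return resolved


def audit_host(text: str, hostname: str) -> List[str]:
    """Findings for one host; an empty list means it meets the baseline."""
    opts = effective_options(text, hostname)
    issues: List[str] = []
    for key, (want, why) in WANTED.items():
        got = opts.get(key, DEFAULTS[key]).lower()
        if got != want:
            issues.append(f"{key}={got} (want {want}): {why}")
    for key, allowed in ALLOWED.items():
        value = opts.get(key)
        if value is None:
            issues.append(f"{key} not pinned: ssh negotiates from its full default list")
        elif value[0] in "+-^":          # +/-/^ edit the default list rather than pin one
            issues.append(f"{key} edits the default list ({value}) instead of pinning one")
        else:
            weak = [a for a in value.split(",") if a not in allowed]
            if weak:
                issues.append(f"{key} allows {','.join(weak)}")
    return issues


# Constructed samples: the 'Host *' block first (wrong) versus last (right).
WRONG_ORDER = """\
Host *
    KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
    ForwardAgent yes

Host sensitive-server
    KexAlgorithms sntrup761x25519-sha512@openssh.com
    ForwardAgent no
"""

RIGHT_ORDER = """\
Host sensitive-server
    KexAlgorithms sntrup761x25519-sha512@openssh.com

Host *
    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
    HostKeyAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
    MACs hmac-sha2-512-etm@openssh.com
    ForwardAgent no
    IdentitiesOnly yes
    HashKnownHosts yes
"""

if __name__ == "__main__":
    for name, cfg in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "->", audit_host(cfg, "sensitive-server") or "baseline met")
```

Run it against a real file with audit_host(open("~/.ssh/config").read(), "somehost") after expanding the path; the WRONG_ORDER sample shows the sensitive-server block losing both its KexAlgorithms and ForwardAgent settings to the Host * block above it.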

Consulting Value: SSH security assessments. Key rotation programs. Hardware key rollouts. $5-15K per engagement.

Full Disk Encryption with LUKS

Problem: Laptops get lost. Servers get decommissioned. How do you ensure data at rest is protected?

# Check LUKS encryption status (version, cipher, key slots in use)
sudo cryptsetup luksDump /dev/nvme0n1p2

# Backup LUKS header (CRITICAL for disaster recovery: a damaged header makes
# the volume unrecoverable even with the correct passphrase)
sudo cryptsetup luksHeaderBackup /dev/nvme0n1p2 \
    --header-backup-file luks-header-backup.img

# Caveat: the backup holds the key slots as they were at backup time. A
# passphrase you later remove still unlocks the disk for anyone who has this
# file, so protect it like the disk itself and refresh it after every key
# slot change.

# Encrypt the backup with age before storing, then remove the plaintext copy
age -e -R ~/.age/recipients.txt luks-header-backup.img \
    > luks-header-backup.img.age
shred -u luks-header-backup.img

# Store encrypted backup in multiple locations:
# - Encrypted USB in safe deposit box
# - Encrypted cloud storage (separate from device)
# - Printed age identity and LUKS passphrase in a sealed envelope

# Verify encryption is working
lsblk -f
# Should show: nvme0n1p2  crypto_LUKS

# Check recovery capability: the live header accepts the passphrase...
sudo cryptsetup open --test-passphrase /dev/nvme0n1p2
# ...and so does the backup header, read from the file instead of the disk
sudo cryptsetup open --test-passphrase --header luks-header-backup.img /dev/nvme0n1p2
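A corrupt backup is discovered at the worst possible moment. As an added example (not from PRJ-RECOVERY), the parser below reads a LUKS header image, reports version, UUID, key slots and cipher, and for LUKS2 recomputes the header checksum over the binary header plus JSON area with the csum field zeroed, which is how cryptsetup defines it. The header it builds to run offline is constructed for the example, not a real disk image:

```python
"""Inspect and verify a LUKS header backup without cryptsetup.

Added example, not part of PRJ-RECOVERY. Parses the LUKS2 binary header
(cryptsetup's luks2_hdr_disk layout: a 4096-byte binary part followed by the
JSON area) and recomputes the header checksum, defined as the digest of the
whole header with the csum field zeroed. LUKS1 headers are recognised (cipher
and UUID reported) but carry no checksum. make_sample_luks2_header() builds a
constructed header so the code runs offline; in practice point
inspect_luks_header() at luks-header-backup.img.
"""
import hashlib
import json
import struct
import sys
from typing import Any, Dict

LUKS2_BIN_SIZE = 4096
# magic, version, hdr_size, seqid, label, csum_alg, salt, uuid, subsystem,
# hdr_offset, padding, csum, padding to 4096 (integers are big-endian)
LUKS2_FMT = ">6sHQQ48s32s64s40s48sQ184s64s3584s"
CSUM_OFFSET = 448                  # csum field occupies bytes 448..511
MAGIC = {b"LUKS\xba\xbe": "primary", b"SKUL\xba\xbe": "secondary"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded field."""
    return raw.split(b"\0", 1)[0].decode()


def inspect_luks_header(data: bytes) -> Dict[str, Any]:
    """Parse a header image; for LUKS2 also report whether its checksum holds."""
    if len(data) < 8 or data[:6] not in MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    version = struct.unpack(">H", data[6:8])[0]
    if version == 1:               # LUKS1 phdr: cipher-name@8, cipher-mode@40, uuid@168
        return {"version": 1, "cipher": f"{_cstr(data[8:40])}-{_cstr(data[40:72])}",
                "uuid": _cstr(data[168:208]), "checksum_ok": None}
    if version != 2:
        raise ValueError(f"unsupported LUKS version {version}")
    (magic, _, hdr_size, seqid, label, csum_alg, _salt, uuid, _subsys,
     _offset, _pad, csum, _pad2) = struct.unpack(LUKS2_FMT, data[:LUKS2_BIN_SIZE])
    if len(data) < hdr_size:
        raise ValueError(f"truncated: header declares {hdr_size} bytes, image has {len(data)}")
    alg = _cstr(csum_alg)
    zeroed = bytearray(data[:hdr_size])          # binary header + JSON area
    zeroed[CSUM_OFFSET:CSUM_OFFSET + 64] = bytes(64)
    digest = hashlib.new(alg, bytes(zeroed)).digest()
    meta = json.loads(_cstr(data[LUKS2_BIN_SIZE:hdr_size]))
    segment = next(iter(meta.get("segments", {}).values()), {})
    return {"version": 2, "role": MAGIC[magic], "hdr_size": hdr_size, "seqid": seqid,
            "label": _cstr(label), "uuid": _cstr(uuid), "checksum_alg": alg,
            "checksum_ok": csum[:len(digest)] == digest,
            "keyslots": sorted(meta.get("keyslots", {})),
            "cipher": segment.get("encryption")}


def make_sample_luks2_header(hdr_size: int = 16384, seqid: int = 3) -> bytes:
    """Constructed minimal LUKS2 header: one key slot, one aes-xts segment."""
    meta = {"keyslots": {"0": {"type": "luks2", "key_size": 64}},
            "tokens": {}, "digests": {},
            "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64",
                               "sector_size": 512, "offset": "16777216", "size": "dynamic"}},
            "config": {"json_size": str(hdr_size - LUKS2_BIN_SIZE),
                       "keyslots_size": "16744448"}}
    json_area = json.dumps(meta).encode().ljust(hdr_size - LUKS2_BIN_SIZE, b"\0")
    fields = [b"LUKS\xba\xbe", 2, hdr_size, seqid, b"laptop-root", b"sha256", b"\x01" * 64,
              b"11111111-2222-3333-4444-555555555555", b"", 0, b"", bytes(64), b""]
    binary = bytearray(struct.pack(LUKS2_FMT, *fields))   # csum still zero here
    digest = hashlib.sha256(bytes(binary) + json_area).digest()
    binary[CSUM_OFFSET:CSUM_OFFSET + len(digest)] = digest
    return bytes(binary) + json_area


if __name__ == "__main__":
    # usage: python luks_check.py luks-header-backup.img (no argument: self-test)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_luks2_header()
    print(json.dumps(inspect_luks_header(data), indent=2))
```

On a real backup a checksum_ok of False means the file was damaged in transit or storage and must be regenerated from the disk while the disk still opens; the seqid lets you tell which of several backups is the newest.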

Consulting Value: Encryption policy development. Key escrow procedures. Disaster recovery planning. $8-25K engagements.

Certificate-Based Authentication (EAP-TLS)

Problem: Passwords are the weakest link. How do you authenticate devices and users without passwords?

# Generate CSR for machine certificate (P-256 key, unencrypted so the
# supplicant can start unattended; protect the file with permissions instead)
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -keyout machine.key -out machine.csr -nodes \
    -subj "/CN=workstation.domain.com/O=Organization"
chmod 600 machine.key

# /etc/wpa_supplicant/wpa_supplicant-wired.conf - 802.1X EAP-TLS on wired
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=2
ap_scan=0
fast_reauth=1

network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="host/workstation.domain.com"

    # Certificate paths
    ca_cert="/etc/pki/tls/certs/ca-chain.pem"
    client_cert="/etc/pki/tls/certs/machine.pem"
    private_key="/etc/pki/tls/private/machine.key"
    private_key_passwd=""

    # Pin the RADIUS server identity. ca_cert alone accepts ANY server cert
    # issued by that CA; domain_match restricts it to the real ISE node(s).
    # Use the FQDN from your ISE EAP server certificate (placeholder below).
    # domain_match="<ise-node-fqdn>"

    eapol_flags=0
}

# Validate certificate chain and confirm the cert is usable for EAP-TLS
openssl verify -CAfile ca-chain.pem machine.pem
# Must list "TLS Web Client Authentication"; ISE rejects certs without it
openssl x509 -in machine.pem -noout -ext extendedKeyUsage
# Private key must belong to the certificate
diff <(openssl x509 -in machine.pem -noout -pubkey) \
     <(openssl pkey -in machine.key -pubout) && echo "key matches cert"

# Test 802.1X authentication in the foreground with debug output
wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant-wired.conf \
    -i enp0s31f6 -D wired -d

# Once it runs as a service, confirm the port is actually authenticated
wpa_cli -i enp0s31f6 status      # look for: Supplicant PAE state=AUTHENTICATED

Consulting Value: PKI design and deployment. 802.1X rollouts. Certificate lifecycle management. $20-50K+ engagements.

Zero-Trust Network Segmentation (dACLs)

Problem: Once an attacker is on the network, they move laterally. How do you contain breaches?

[Figure: Zero-Trust Authentication Flow]
! Downloadable ACL - applied per-session by ISE
! Philosophy: permit only the internal services this role needs, deny every
! other internal destination, then allow Internet access.
! Ordering matters: IOS evaluates an ACL top-down and stops at the first
! match, so the specific internal permits MUST come before the broad RFC1918
! denies. Put the denies first and the DNS/AD/posture permits below them are
! never reached, and the workstation cannot even resolve names.
! On ISE itself the dACL is entered as the ACE lines only; the access-list
! header below is how the same ACL appears in a switch configuration.

ip access-list extended DACL-RESEARCH-WORKSTATION

  remark === PERMIT REQUIRED INFRASTRUCTURE ===
  remark DNS (required for everything; TCP for large responses)
  permit udp any host 10.50.1.1 eq 53
  permit tcp any host 10.50.1.1 eq 53

  remark Active Directory (authentication, group policy): LDAP, LDAPS, Kerberos
  permit tcp any host 10.50.1.10 eq 389
  permit tcp any host 10.50.1.10 eq 636
  permit tcp any host 10.50.1.10 eq 88
  permit udp any host 10.50.1.10 eq 88

  remark ISE posture (compliance checking): portal and agent
  permit tcp any host 10.50.1.21 eq 8443
  permit tcp any host 10.50.1.21 eq 8905

  remark === BLOCK LATERAL MOVEMENT ===
  remark Deny all remaining RFC1918 (internal) traffic, logged for the audit trail
  deny   ip any 10.0.0.0 0.255.255.255 log
  deny   ip any 172.16.0.0 0.15.255.255 log
  deny   ip any 192.168.0.0 0.0.255.255 log

  remark === PERMIT INTERNET ACCESS ===
  remark HTTPS, plus HTTP for redirects
  permit tcp any any eq 443
  permit tcp any any eq 80

  remark === EXPLICIT DENY (the implicit deny would not log) ===
  deny   ip any any log
#!/bin/bash
# Validation script - prove the controls work, run from a workstation in this
# role. Short timeouts so a silent drop fails fast instead of hanging; the
# blocked probes also show up in the switch/ISE logs thanks to the "log" ACEs.
set -u

echo "=== Testing BLOCKED traffic ==="

# Should FAIL - lateral movement blocked
ping -c 1 -W 2 10.50.1.70 >/dev/null 2>&1 && echo "[FAIL] NAS reachable" || echo "[PASS] NAS blocked"
nc -z -w 3 10.50.1.5 22 2>/dev/null && echo "[FAIL] Switch SSH open" || echo "[PASS] Switch SSH blocked"

echo "=== Testing PERMITTED traffic ==="

# Should SUCCEED - required services
dig +time=3 +tries=1 @10.50.1.1 google.com >/dev/null && echo "[PASS] DNS works" || echo "[FAIL] DNS blocked"
curl -sI -m 5 https://google.com >/dev/null && echo "[PASS] HTTPS works" || echo "[FAIL] HTTPS blocked"
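A dACL is only as good as its ordering, and a shadowed entry passes every syntax check. The linter below is an added example, not part of PRJ-ISE-HOME-LINUX or PRJ-NETAPI: it parses ACE lines and reports any entry that an earlier, broader entry would always match first. The two sample ACLs are constructed for the example, reusing the 10.50.1.x hosts from the design above:

```python
"""Lint a Cisco-style extended ACL (the form ISE pushes as a dACL) for shadowed ACEs.

Added example, not tooling from the page's projects. IOS evaluates an ACL
top-down and stops at the first match, so an ACE fully covered by an earlier
ACE can never match. A permit buried under a broader deny silently breaks a
service; a deny buried under a broader permit silently removes a control.
Supported syntax: permit|deny, ip|tcp|udp|icmp, 'any' | 'host A' | 'A WILDCARD',
optional numeric 'eq PORT' after source and destination. Named ports and the
gt/lt/neq/range operators raise ValueError rather than being guessed at.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    line_no: int
    action: str                         # "permit" | "deny"
    proto: str                          # "ip" covers every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


@dataclass(frozen=True)
class Finding:
    line_no: int                        # ACE that can never match
    shadowed_by: int                    # earlier ACE that swallows it
    severity: str                       # "critical" when the actions differ
    message: str


def _wildcard_to_prefix(wildcard: str) -> int:
    """Cisco wildcard (0 bit = must match) to prefix length; 0.0.0.0 means a host."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                     # the one-bits must be contiguous at the low end
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - w.bit_length()


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    prefix = _wildcard_to_prefix(tokens[i + 1])
    return ipaddress.IPv4Network((tokens[i], prefix), strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    if i < len(tokens) and tokens[i] in ("gt", "lt", "neq", "range"):
        raise ValueError(f"unsupported port operator {tokens[i]!r}")
    return None, i


def parse_ace(line_no: int, line: str) -> Optional[Ace]:
    """Return an Ace, or None for the header, remarks, '!' comments and blank lines."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Ace(line_no, tokens[0], tokens[1], src, sport, dst, dport)


def covers(earlier: Ace, later: Ace) -> bool:
    """True when every packet `later` would match is already matched by `earlier`."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and earlier.sport in (None, later.sport)
            and earlier.dport in (None, later.dport)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def lint_acl(text: str) -> List[Finding]:
    aces = [a for a in (parse_ace(n, l) for n, l in enumerate(text.splitlines(), 1)) if a]
    findings: List[Finding] = []
    for idx, later in enumerate(aces):
        for earlier in aces[:idx]:      # the first covering ACE is the one that fires
            if covers(earlier, later):
                severity = "critical" if earlier.action != later.action else "info"
                findings.append(Finding(later.line_no, earlier.line_no, severity,
                    f"line {later.line_no} ({later.action}) is shadowed by line "
                    f"{earlier.line_no} ({earlier.action}) and can never match"))
                break
    return findings


# Constructed samples: broad RFC1918 denies placed before the permits they
# were meant to carve out (wrong), and the same ACEs in working order (right).
WRONG_ORDER = """\
ip access-list extended DACL-EXAMPLE
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit udp any host 10.50.1.1 eq 53
 permit tcp any host 10.50.1.10 eq 636
 permit tcp any host 10.50.1.21 eq 8443
 permit tcp any any eq 443
 deny   ip any any log
"""
RIGHT_ORDER = """\
ip access-list extended DACL-EXAMPLE
 permit udp any host 10.50.1.1 eq 53
 permit tcp any host 10.50.1.10 eq 636
 permit tcp any host 10.50.1.21 eq 8443
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit tcp any any eq 443
 deny   ip any any log
"""

if __name__ == "__main__":
    for f in lint_acl(WRONG_ORDER):
        print(f.severity.upper(), f.message)
```

Run it as a pre-commit check on the dACL files in the repo; a critical finding means the validation script above would report DNS or AD as blocked even though the permits are present in the text.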

Consulting Value: Zero-trust architecture design. Network segmentation. Penetration testing. $25-75K+ engagements.

The Project Portfolio

These aren’t theoretical - they’re running systems with complete documentation.

Active Documentation Projects

Project (lines of doc): description

PRJ-ISE-HOME-LINUX (3,000+): Complete 802.1X/EAP-TLS deployment for Linux workstations. Includes wpa_supplicant configs, certificate enrollment (P-256/prime256v1), ISE policies, dACL designs, validation scripts.

PRJ-SECRETS (800+): Secrets management framework using gopass + age. Key generation, rotation policies, team onboarding, disaster recovery.

PRJ-RECOVERY (1,200+): Disaster recovery procedures. LUKS header backups, SSH key escrow (Ed25519), system rebuild runbooks.

PRJ-PKI (1,500+): Certificate authority hierarchy. Root CA, issuing CA, certificate templates, enrollment procedures, revocation.

PRJ-NETAPI (2,000+, code + docs): Python CLI for Cisco ISE automation. Session monitoring, policy management, bulk operations.

PRJ-AERC (500+): Terminal email client configuration. OAuth2 authentication, address book integration, encryption.

Sample Documentation Output

From a single AsciiDoc source file, the build system generates:

  • HTML - Browsable documentation sites with navigation, search, syntax highlighting

  • PDF - Professional runbooks for operations teams (this document is an example)

  • DOCX - For stakeholders who need Word format

  • Antora Site - Multi-version documentation portals with cross-references

Business Model for CISO Consulting

Service Offerings

Service (price range): description

Security Documentation Audit ($5,000 - $15,000): Review existing documentation. Identify gaps. Provide remediation roadmap.

Docs-as-Code Implementation ($15,000 - $35,000): Set up Git repos, build pipelines, templates. Train team on workflow.

Reference Architecture Deployment ($25,000 - $75,000): Deploy proven security patterns (802.1X, zero-trust, PKI) with full documentation.

Secrets Management Program ($10,000 - $30,000): Implement gopass/age/Vault. Rotation policies. Team training. Audit procedures.

SSH Hardening Program ($8,000 - $20,000): Assess current state. Deploy FIDO2 hardware keys (ed25519-sk). Update configurations. Document procedures.

Compliance Documentation ($20,000 - $50,000): HIPAA, SOC2, ISO 27001 evidence packages built from living documentation.

Retainer/Advisory ($2,000 - $5,000/month): Quarterly reviews, updates, on-call advisory, documentation maintenance.

Revenue Potential

Year 1 (Building Practice):

  • 4-6 documentation audits: $40,000 - $60,000

  • 2-3 implementations: $50,000 - $100,000

  • 2 retainer clients: $48,000 - $120,000

  • Total: $138,000 - $280,000

Year 2+ (Established Practice):

  • Repeat clients, referrals, larger engagements

  • Training workshops, speaking engagements

  • Template licensing, white-label partnerships

  • Potential: $250,000 - $500,000+

Differentiation

Why clients hire you instead of a Big 4 firm:

  • Practitioner, not just advisor - You’ve built and run these systems

  • Artifacts they keep - Documentation belongs to them, not locked in your proprietary tools

  • Knowledge transfer - Train their team to maintain it

  • Right-sized - Not paying for 10 consultants when they need 1-2

  • Speed - Reference architectures mean faster time-to-value

Collaboration Framework

What We Can Build Together

  1. Shared Reference Architecture Library

    • Proven patterns for common security challenges

    • Customizable templates for different industries (healthcare, finance, etc.)

    • Validation scripts and compliance evidence generators

  2. Training Curriculum

    • Docs-as-code fundamentals

    • Security automation with Python

    • Zero-trust architecture design

    • Secrets management best practices

  3. Joint Consulting Engagements

    • Complementary skills (strategy + implementation)

    • Larger scope projects neither could do alone

    • Geographic coverage

Technical Setup

# Private GitHub/GitLab repository for collaboration
git clone git@github.com:security-consulting/reference-architectures.git

# Structure
reference-architectures/
├── templates/              # Starter templates for new projects
├── patterns/
│   ├── zero-trust/        # dACL designs, segmentation
│   ├── pki/               # Certificate authority patterns
│   ├── secrets/           # gopass, Vault, age configs
│   └── 802.1x/            # EAP-TLS, MAB, ISE policies
├── scripts/
│   ├── validation/        # Security control verification
│   └── automation/        # Deployment helpers
└── training/              # Workshop materials

Next Steps

  1. Set up shared Git repository - Private repo for collaboration

  2. Review reference architectures - Identify what to include first

  3. Define first joint offering - Security documentation audit package

  4. Create marketing materials - One-pager, case studies, website

  5. Identify target clients - Healthcare, finance, mid-market enterprises

Resources

Tools

Learning

Contact


This document was written in AsciiDoc and generated to PDF, HTML, and DOCX from a single source file. The methodology described here produced this deliverable.