Isometric server rack with audit findings overlay — power, drives, fans verified; open port, outdated kernel, and exposed admin panel flagged.

Hire ByteGuard for a one-off security review

Hire ByteGuard

I do a small number of paid one-off engagements for individuals and small teams running their own infrastructure. Not consulting in the traditional sense — I don't have an hourly rate, I don't write 80-page reports, and I don't do month-long engagements. I do fixed-scope work, fixed price, fixed timeline, with a clean handoff doc at the end.

If your stack is more than ~30 services or you have an in-house security team, I'm not the right fit. Try one of the bigger shops instead.

What I do

1. VPS hardening audit — €250

For an individual or small team running a self-hosted stack on a single VPS.

You get:

  • A short email questionnaire where you describe your stack and grant me SSH access (read-only sudoer). No call required — everything is async.
  • 3-5 working days of audit time. I go through every service, every port, every Docker container, the systemd units, the cron jobs, the backup configuration.
  • A written report (typically 8-12 pages) covering: critical findings (CVE / misconfig that could be exploited remotely now), important findings (would be exploitable under realistic conditions), minor findings (drift from best practice, no immediate risk), and an action checklist ranked by impact.
  • A follow-up email walking through the key findings in plain language.
  • One round of "I implemented these — does this look right?" review over email.

Scope: one VPS, up to ~15 services, one DNS zone. Not for: production SaaS, regulated workloads, anything HIPAA/PCI/SOC2-scoped.

Turnaround: 7-10 days from kickoff.

2. Docker security review — €180

For a team that has Docker / Docker Compose in production and wants someone to look at it with fresh eyes.

You get:

  • An email intake where you share your Compose files and describe the deployment. No call required.
  • Review of your Docker Compose / Swarm / k3s configs, image provenance, secrets handling, network exposure, volume permissions.
  • Written report with the same severity tiering as above.
  • A follow-up email summary of the key findings.

Scope: up to 20 containers across one or two compose files. Not for: Kubernetes at production scale, multi-cluster, anything requiring CKS-level depth.

Turnaround: 5-7 days from kickoff.

3. Incident response triage — €350 flat (when available)

For "something happened and we're not sure what" within the last 7 days. Suspected breach, unusual outbound traffic, ransomware suspicion, exposed credentials.

You get:

  • Same-day email response (I work CET/CEST; European business hours are ideal). Everything is handled over email — send me your logs, describe what you saw, and we go from there.
  • Up to 8 hours of triage: log analysis, indicator-of-compromise hunting, timeline reconstruction.
  • A written timeline + recommendation: contain, restore-from-backup, escalate to a forensics firm, or "it's a false alarm" — whichever is right.

Scope: triage only. If we determine this is a real incident requiring forensics or legal involvement, I'll hand you off to people who do that for a living and stay available for context. I am not a forensics firm.

Availability: I take at most one incident engagement per month; book ahead if you can.

How it works

1. Email me at hire@byte-guard.net with a short description of your stack and which engagement you want. Subject line tag: [hire].

2. I'll reply within 48 hours with either "yes, here's what I need from you to get started" or "I'm not the right fit, here's who I'd recommend." I turn down work I'm not confident I can do well — being honest about that is part of the value.

3. Payment: half upfront via PayPal, half on delivery.

4. Discretion: I treat engagement details as confidential and don't share client names, configs, or findings without explicit permission.

What I don't do

  • Pentests in the formal sense. I don't drop into a black-box engagement and try to break in. I review configurations and threat models — different skill set, different deliverable.
  • Compliance audits. I am not a QSA, I am not SOC2-certified, I cannot sign off on anything regulated.
  • Ongoing retainers. Each engagement is a one-shot. If you need ongoing security work, you need a fractional CISO or a security engineer — different shape of relationship.
  • Stack migration. If you want someone to move your infrastructure from AWS to Hetzner or from k8s to Docker Compose, that's an architecture engagement, not a security one. I'll help you write the brief, but I'm not the person to execute it.

What I run myself

If you've found this page, you've probably read the blog. Quick recap of what's at the other end of the SSH key:

  • ByteGuard infrastructure: Hetzner CPX22 (Helsinki) + Contabo (private side). Ghost blog, three FastAPI services, n8n automation, Uptime Kuma. Single-operator stack.
  • Years self-hosting: enough to have made every mistake on this list, including the ones I now charge to find for other people.
  • Reading material: the VPS Security pillar, the Self-Hosting pillar, and the Building ByteGuard writeup are good context.

Get in touch

hire@byte-guard.netPGP key.

Reply turnaround: 48 hours, usually faster.

— enim