CRA and AI Act compliance, audit and hardening of your product and AI systems. For teams that take their security seriously, without slowing down the product roadmap.
Cyber Resilience Act and AI Act roll out in parallel between August 2026 and December 2027. At every milestone, binding obligations. Without demonstrated compliance, no more placement on the EU market, no more updates to already-deployed products. The preparation window is closing.
Prompt injection, data leakage, model poisoning, shadow AI, vendor dependency. Attacks on AI systems don't show up in classic pentests. The cost of an incident exceeds the technical bill by a wide margin.
Your enterprise customer security questionnaires are getting longer. Your investors ask precise questions about AI governance. A credible roadmap has become a commercial prerequisite, not a bonus.
A complete journey, from exposure mapping to technical implementation. To calmly meet the September 2026 and December 2027 milestones.
For editors integrating AI in production (AI natives), as well as those consuming third-party AI services (Bedrock, OpenAI, Mistral, copilots, embedded chatbots).
Each engagement is custom-scoped. The most-requested angles below have a dedicated page detailing methodology, deliverables and indicative pricing.
20 minutes to understand your product, your stack, your regulatory exposure and the questions your customers or investors are already asking. We validate together whether the engagement makes sense, and at what scope.
In-depth review: code, infrastructure, AI pipelines, internal processes. Identification of gaps vs. CRA, AI Act and best practices. Prioritization by business criticality, not dogma.
Implementation of remediations, directly or in-pair with your teams. Target architectures, controls, runbooks. Security is written in code, not in slides.
Complete dossier, audit-ready documentation, prioritized and budgeted roadmap for what comes next. Your teams know exactly what was done, why, and what remains to maintain, autonomously.
I founded WeeSec because product and AI security can't be solved by a checklist, nor by an off-the-shelf tool. It's built with your teams, in your code, over time.
Three pillars, no more: scope what must be scoped, harden what deserves it, and transfer enough so that you leave autonomous.
It depends entirely on scope. An audit can be scoped in a few weeks; a complete implementation spans several months. The initial scoping serves precisely to set a realistic range with you, no commitment.
Depending on the engagement: exposure mapping, detailed audit report, prioritized and budgeted roadmap, documented target architecture, operational runbooks, audit-ready documentation, knowledge transfer workshops. Everything is delivered in a format your teams can take over and evolve.
The founder personally leads engagements, and may bring in senior consultants when the mission calls for it.
Systematically, before any detailed technical exchange. The NDA can be yours or a standard one we provide. Confidentiality is non-negotiable. It's also the baseline posture in this trade.
Cyber Resilience Act, AI Act, ISO 27001, ISO 42001, NIST CSF, NIST AI RMF, OWASP (including LLM Top 10), SOC 2, depending on what serves your situation. The goal is to align with what your customers and the regulator actually expect, not to stack certifications.
Remote-first, with regular video sync points and structuring on-site workshops as needed (kick-off, restitutions, steering committee). Engagements are delivered in French or English. On-site travel is available anywhere in France and Europe when context justifies it.
B2B SaaS, fintech, healthtech, AI deeptech, e-commerce, industry. Clients are primarily SMBs, startups and scale-ups in France and Europe, with parallel experience on large groups (BNP Paribas, Société Générale, ENEDIS, GDF SUEZ Engie, TOTAL, Thales, AXA, EDF, L'Oréal, Allianz). Typical contexts: fundraising, security due diligence, ISO 27001 or SOC 2 certification, CRA or AI Act compliance, AI product hardening.
More than 80 CTOs and founders have been supported on product security, AI security, DevSecOps and compliance topics. Engagements range from short strategic scoping (1 to 2 weeks) to long operational implementation (6 months and beyond). Each engagement is conducted under NDA: no client logo is publicly displayed, that is the baseline posture in this profession.
A 20-minute scoping call on video, no commitment, bookable directly on Calendly. Goal: understand your context (size, stack, deadlines, regulatory constraints), identify priority issues, and determine whether an engagement makes sense — and in what format. If so, a scoped and budgeted proposal follows within 5 to 10 working days.
A short 1-2 week scoping engagement starts at a few thousand euros, a full audit or CRA / AI Act compliance scope runs in the tens of thousands depending on perimeter. Pricing never comes out of a catalog: it is anchored on what the engagement must actually produce for your customers, investors or regulator. Quotes are fixed-fee, not day-rate, which aligns my incentives with the outcome, not with duration.
If you place on the European market a product with digital elements — software, embedded SaaS, IoT, firmware — you are in scope. CRA applies fully from 11 December 2027, with a first milestone on 11 September 2026 for active critical incident reporting. Without a compliant CE marking, no placement on the EU market, including updates of already-deployed products. The perimeter is broader than RED or NIS2: each vendor must check its category (Important class I/II, others).
Yes. The "deployer" status in the AI Act (article 26) imposes obligations even if you are not the model provider. If your use case falls under Annex III (high-risk): risk management system, data quality, technical documentation, logging, transparency towards users, human oversight, robustness, cybersecurity. For limited-risk use (chatbots, content generation), a transparency obligation still applies. The operational start of high-risk obligations is 2 August 2026.
Three concrete gaps. One: the founder runs the engagement herself, you do not pay for a partner to sell and a junior to deliver. Two: deliverables are operational (architectures, code, runbooks), not just slides of findings. Three: zero vendor commissions, zero commercial ties to recommended tools — vendor-neutral by principle. The format is built for SMBs, startups and scale-ups that need actionable outcomes, not a binder no one reads.
No commitment, no cold commercial offer. We look together whether the engagement makes sense.
Book a Calendly call