Hi, I'm Elijah Winter.
I spent 7+ years securing systems and building security systems at Amazon and the CIA—the kinds of systems that protect hundreds of millions of users and some of the nation's most sensitive information.
At Amazon, I co-founded the AI Security Organization and created security frameworks used by 500+ development teams to build safe AI products. I partnered with 50+ engineering teams implementing access control systems, investigated 200+ security incidents, and built automation that reduced manual security work by 70%. Before that, I worked at the CIA on digital forensics, threat detection, and protecting classified networks.
Here's what I learned working at enterprise scale: most startups and mid-market companies face the same security challenges Amazon solved years ago—but they can't hire a 20-person security team to solve them.
That's the gap I fill.
I take the lessons I learned at Amazon scale and adapt them for fast-moving teams by using a combination of off the shelf tools and custom solutions to keep costs down. You get enterprise-quality security engineering without the enterprise overhead, complexity, or six-month timelines.
I also learned that the best security work happens when you deeply understand a company's context—their business model, their technical debt, their competitive pressure, their actual risks. As a consultant, I can focus entirely on your problems without the distractions of corporate politics or unrelated priorities.
I didn't learn security from tutorials or certifications—I built it at Amazon and the CIA. I've secured systems protecting millions of users, investigated actual breaches, and seen many edge cases. When you hire consultants who've only worked with 10-20 companies, you get theory. When you hire me, you get battle-tested experience from organizations that operate at a scale most companies will never reach. I focus my time less on theory and more on what actually works in practice.
At Amazon and the CIA, I partnered with VPs, CISOs, Directors and Chiefs, consulted with healthcare customers on architecture decisions, and advised leadership on enabling innovation safely. I learned that security isn't about saying "no"—it's about understanding what you're trying to accomplish and finding the secure path to get there. I care about your business outcomes, not just checking security boxes.
Most security consultants learned their craft before AI became critical infrastructure. I co-founded Amazon's AI Security Organization and spent years securing machine learning systems, from training pipelines to production models. I understand prompt injection, model inversion, data poisoning, and every other attack vector that didn't exist five years ago. If you're building AI-powered products, this expertise is rare and valuable.
The frameworks I use aren't just for today—they're designed to scale with you. I've seen how companies grow from 10 to 10,000 employees, and I know which security decisions will help that transition and which will become technical debt. You get architecture that works now and grows with you.
I spend time understanding your business, not just your tech stack. What are you optimizing for? Speed to market? Investor confidence? Compliance? Customer trust? The right security solution depends on your actual goals and constraints.
Perfect security doesn't exist, and even if it did, it would mean you'd never ship. I focus on the security controls you need now, with a clear roadmap for what comes later as you scale. My recommendations are always prioritized: quick wins first, then strategic improvements.
When I'm done, you should understand WHY we implemented things a certain way, not just WHAT we built. I document everything thoroughly and train your team so they can maintain and extend the work. You're not dependent on me forever.
Security isn't one-and-done. Systems change, threats evolve, companies grow. Many of my clients keep me on retainer because having someone who already knows your systems and can respond quickly is valuable. But even if we don't work together long-term, I'm available for questions.
When I'm not debugging authorization policies or investigating security incidents, I'm usually exploring new security research, contributing to open-source projects, or staying current on emerging threats (particularly in the AI security space).
I believe good work comes from a balanced life, and I apply the same systematic thinking to my personal interests as I do to security engineering. I'm based in Arlington, Virginia, which keeps me close to the government and tech communities that shaped my career.
Whether you're preparing for an audit, scaling your infrastructure, building AI features, or just know your security is behind where it should be—let's have an honest conversation.
I'll tell you if I'm the right fit. If not, I'll try to point you in the right direction.