Secure coding · DevSecOps · AI · NIS2-ready

Train your teams to build security in — not bolt it on.

CyberMentee is a hands-on application-security practice for engineering teams, CTOs, CISOs and security leads — working on your actual pipeline and codebase, real findings, real fixes.

A bug found in development costs a fraction of what it costs in production. Commonly cited industry figures put that ratio at 100× or more; the exact multiple varies by study, but the direction never does.

Live · on your stack · English & Hungarian · NIS2-aligned
If this sounds familiar

The pentest came back. Forty pages of findings the team has seen before. Patching them one by one isn't the fix — the goal is developers who stop writing them in the first place.

  • The same vulnerability classes show up in every report — injection, broken auth, leaked secrets, vulnerable dependencies.
  • Generic e-learning gets clicked through and forgotten. It never touches your actual codebase or pipeline.
  • Security feels like something done to the team after the fact, instead of part of how they build.
The approach

Security woven into every stage of how your team already builds.

No separate “security phase.” We work inside your existing workflow — from the first commit to what's running in production — so good practice becomes the default, not an extra step.

Commit

Write it safe

Secure coding patterns, secret scanning, threat modeling a real feature.

AI-generated code goes through the same gates.

Build

Catch it early

SAST and dependency scanning wired into the pipeline, tuned to cut the noise.

Test

Prove it

DAST, IaC scanning, and review gates that fail loud on what actually matters.

Deploy

Keep it safe

Supply-chain integrity and runtime checks, owned by the team that ships.

What we cover

Application security, taught as engineering.

Pick the topics your team needs most — every one is delivered hands-on, on your stack.

Secure coding

The OWASP Top 10 in your languages — injection, auth, secrets, and the patterns that prevent them.
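The injection class named above, shown as the vulnerable pattern beside its fix. This is an added example, not CyberMentee's course material: it uses an in-memory SQLite database seeded with two constructed users so it runs offline, and the payload is the textbook tautology that pentest reports keep flagging.

```python
"""SQL injection: the pattern that gets flagged, and the one that replaces it.

Added example (not from the original page). Runs offline against an
in-memory SQLite database with constructed sample rows.
"""
import sqlite3


def seed() -> sqlite3.Connection:
    """Constructed sample data: one admin, one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String-built query: whatever the caller passes becomes SQL syntax."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver binds name as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: closes the string literal and appends a tautology.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the same payload through both versions and a legitimate lookup."""
    conn = seed()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),   # leaks every row
        "safe": find_user_safe(conn, PAYLOAD),               # no such user
        "legit": find_user_safe(conn, "bob"),                # normal lookup
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10} {rows}")
```

The point for a code review is that the fix is not input filtering: the safe version never lets user text reach the SQL parser as syntax, so no list of forbidden characters has to be maintained.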

Threat modeling

Find risk at design time on a real feature — trust boundaries, attack surface, blast radius.

Pipeline security

SAST, DAST and SCA wired into CI/CD as enforced quality gates — tuned, not noisy.
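What "enforced, tuned, not noisy" means in practice for the Build and Test stages above: the gate blocks on findings at a chosen severity, lets advisory findings through as a report, and honours only suppressions that have an owner and an expiry date. This is an added example, not CyberMentee's tooling. The scanner output is a constructed SARIF 2.1.0 subset (the interchange format most SAST tools can emit), and the accepted-risk register is a hypothetical file a team would keep under review in the repository.

```python
"""CI quality gate over SAST results: fail loud on what matters, suppress with
expiring, reviewed exceptions.

Added example (not from the original page). Input is a constructed SARIF
2.1.0 fragment; ACCEPTED_RISKS is a hypothetical register kept in the repo.
"""
import json
import sys
from datetime import date

# Constructed scanner output: two "error"-level findings and one warning.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"results": [
        {"ruleId": "py/sql-injection", "level": "error",
         "message": {"text": "Query built from user input"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
        {"ruleId": "py/hardcoded-credentials", "level": "error",
         "message": {"text": "Hard-coded password"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures.py"}}}]},
        {"ruleId": "py/unused-import", "level": "warning",
         "message": {"text": "Unused import"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}}}]},
    ]}],
})

# Hypothetical accepted-risk register. Every entry names an owner and an
# expiry, so a suppression is a recorded decision rather than a permanent mute.
ACCEPTED_RISKS = [
    {"ruleId": "py/hardcoded-credentials", "uri": "tests/fixtures.py",
     "owner": "alice", "expires": "2099-01-01", "reason": "test fixture, not a real secret"},
]


def load_findings(sarif_text: str) -> list:
    """Flatten SARIF runs/results into {ruleId, level, uri, text} records."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            locs = r.get("locations") or [{}]
            uri = (locs[0].get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri", "<unknown>"))
            findings.append({
                "ruleId": r.get("ruleId", "<no-rule>"),
                "level": r.get("level", "warning"),   # SARIF default level
                "uri": uri,
                "text": r.get("message", {}).get("text", ""),
            })
    return findings


def is_accepted(finding: dict, register: list, today: str) -> bool:
    """Accept only an exact rule+file match whose expiry (ISO date) is still ahead."""
    now = date.fromisoformat(today)
    for entry in register:
        if (entry["ruleId"] == finding["ruleId"]
                and entry["uri"] == finding["uri"]
                and date.fromisoformat(entry["expires"]) >= now):
            return True
    return False


def evaluate(sarif_text: str, register: list, today: str,
             block_levels=("error",)) -> dict:
    """Sort findings into blocking, accepted and advisory buckets."""
    verdict = {"blocking": [], "accepted": [], "advisory": []}
    for f in load_findings(sarif_text):
        if f["level"] not in block_levels:
            verdict["advisory"].append(f)
        elif is_accepted(f, register, today):
            verdict["accepted"].append(f)
        else:
            verdict["blocking"].append(f)
    return verdict


def gate_passes(sarif_text: str, register: list, today: str) -> bool:
    """The CI step's exit condition: nothing left in the blocking bucket."""
    return not evaluate(sarif_text, register, today)["blocking"]


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_SARIF, ACCEPTED_RISKS, date.today().isoformat())
    for bucket, items in verdict.items():
        for f in items:
            print(f"{bucket:9} {f['level']:8} {f['ruleId']:28} {f['uri']}: {f['text']}")
    sys.exit(0 if not verdict["blocking"] else 1)
```

Two tuning choices carry the signal-to-noise ratio: the blocking threshold is a parameter rather than "everything the tool reports", and an exception that has expired silently becomes blocking again, which is what keeps the register honest without anyone having to police it.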

Dependencies & supply chain

Software composition analysis, SBOM and artifact integrity — so what you ship is what you built.

Secure SDLC & governance

Roles, approval gates and traceable evidence — an operating model, not a checklist.

NIS2-aligned training

Maps to the secure-development controls and produces documented, audit-ready completion records.

Programs

Start small or go deep. Every format works on your code.

Three ways in, designed to fit how far your team wants to go. Pick a starting point — we scope the rest on a call.

Start here

Dev Security Taster

Half day · remote or on-site

A live session where the team finds and fixes real vulnerabilities in a sample app — and sees how it maps to their own code.

  • Hands-on from minute one
  • No prep required from your side
  • A clear read on where the gaps are

For: teams testing the waters before committing.

Book the taster

Ongoing

Mentee Retainer

Monthly · remote

Security stays in the room after the workshop ends. Recurring pipeline review and open office hours for the dev team, on a monthly rhythm.

  • Regular review of new code and config
  • Office hours when the team hits a wall
  • A standing security voice, no headcount

For: teams who want it to last.

Talk retainer

Beyond the workshop

Need a full programme? We build it — in your brand.

Alongside live training, we design and produce complete, branded security learning for your organisation: curriculum, slides, hands-on labs and ready-to-run e-learning — mapped to roles and to NIS2, delivered in your look and your tone, in English and Hungarian.

Discuss a custom programme

Who's behind it

Most security trainers can teach or they can ship. CyberMentee does both.

CyberMentee is led by someone who has spent a career on both sides of the screen — securing real systems under real pressure, and teaching engineers how it's done, at university and in their own courses. That's why the training lands as engineering, not theatre — and why it actually sticks.

Dr. Barnabás Sándor (Sándor Barnabás in Hungarian name order), Ph.D.

Founder & lead trainer

I build security into engineering — not on top of it. Over 15+ years I've worked hands-on with DevSecOps, security architecture and automation at MOL Group, 4iG Group, GE Digital and Morgan Stanley — leading security teams and rolling out DevSecOps across several organisations. I hold a PhD in cybersecurity and teach developers at university and in my own courses, so the training doesn't just deploy frameworks — it teaches why they work, from someone who's shipped under real pressure and taught it for years.

Connect on LinkedIn

15+ years securing real systems · 8 years teaching developers · PhD · Óbuda University lecturer

Previously at 4iG Group · MOL Group · GE Digital · Morgan Stanley

Questions

The things teams ask first.

Who is the training for?
Software engineering teams, tech leads and architects who ship code — from product and platform teams to DevOps and SRE. No prior security background is needed: we meet developers where they are and build up from the code they already write, whether that's a single squad or a whole engineering org.
Do you train on our actual code and pipeline?
Yes — that's the heart of it. The workshop is built around your languages, repositories and CI/CD setup, with scanning wired into a real pipeline and an actual feature threat-modeled live. Because the examples are yours, the habits carry straight into the next sprint instead of staying abstract.
Does this help with NIS2 compliance?
Yes. NIS2 requires in-scope entities to take measures covering security in the acquisition, development and maintenance of network and information systems, and to provide cybersecurity training to staff (Article 21(2)(e) and (g), with management bodies obliged to follow training themselves under Article 20(2)). Our programs map to those secure-development controls, and every session produces attendance and completion records you can keep as audit evidence. We can also align the content with your existing ISMS or ISO 27001 controls.
Which languages and tech stacks do you cover?
Most modern stacks — JavaScript/TypeScript, Python, Java, C#/.NET, Go and PHP — across web, API and cloud-native apps. The CI/CD work covers common platforms like GitHub Actions, GitLab CI, Azure DevOps and Jenkins. If your stack isn't on the list, ask: the principles are the same and we tailor the examples to you.
Do you cover AI-generated code and Copilot security?
Yes — it runs through the whole program rather than being a separate slide. AI assistants reproduce insecure patterns from their training data, and they do it confidently and at speed. We show developers how to review AI output for the typical failure modes, and how to wire guardrails into the pipeline so velocity doesn't outrun security. Teams using Copilot or similar tools get the most out of this.
How long is it, and what's the format?
From a half-day taster to a one- or two-day hands-on workshop, plus an optional monthly retainer. Sessions are lab-based rather than slide-driven — developers spend most of the time finding and fixing real issues, not watching.
Is it remote or on-site, and in which languages?
Both. Workshops run on-site across the EU or fully remote, whichever suits the team, and the retainer is delivered remotely. Sessions and materials are available in English and Hungarian.
What does it cost?
It depends on the format, team size and how much we tailor to your stack. The taster is a low-commitment way to start; workshops and the retainer are scoped on a short call. Tell us your team size and goals and you'll get a clear quote — no obligation.
How is this different from generic security e-learning?
Generic e-learning gets watched once, forgotten, and never touches your code. This is the opposite: live and hands-on, on your own repositories and pipeline, taught by someone who has both secured production systems and taught engineers for years. The goal is changed habits, not a completion badge.
How do we get started?
Start with a half-day taster, or book a 30-minute scoping call. We figure out where your developers are, what's worth fixing first, and which format fits — and you leave with a clear next step either way.
Get in touch

Tell us about your team and your stack.

Tell us about your team and stack, and what triggered this. We'll reply with where we'd start and which format fits — no pitch deck.

Let's start