As software systems become more complex, cybersecurity is no longer just a matter of scanning for vulnerabilities or reacting to alerts. Modern organizations operate across cloud infrastructure, APIs, SaaS platforms, containerized workloads, AI systems, and distributed engineering teams. The security challenge is not simply finding risk. The harder problem is building systems that help teams understand, prioritize, assign, and reduce that risk at scale.
Mert Satilmaz, founder of SecPortal.io, has built his career around that problem. Based in Richmond upon Thames in the United Kingdom, Satilmaz works across security engineering, application security, cloud security, vulnerability management, compliance, AI security testing, and security automation. His public profile includes work as an OWASP Project Lead, security researcher, CVE discloser, founder, and speaker.

Satilmaz describes his work simply: building and leading security systems that operate at scale. That idea reflects the direction in which cybersecurity is moving. Security teams are expected to do far more than produce reports. They must support engineering teams, reduce real risk, improve compliance readiness, respond to incidents, and provide evidence that security programs are working.
His background combines software engineering and cybersecurity. Before focusing deeply on security, Satilmaz worked in quantitative development, building high-performance trading and market-making systems using technologies such as C++, Python, and Scala. That engineering background shaped his security philosophy. Security, in his view, should not live only in documents, dashboards, or manual review processes. It should be engineered into systems, workflows, automation, and product delivery.
That approach later informed his work in application security, cloud environments, vulnerability management, penetration testing, compliance engineering, and incident response. Across these areas, one recurring problem stood out: security teams often have visibility, but not execution. They can identify risks, but the process of triage, ownership, remediation, evidence collection, and reporting is often fragmented across scanners, spreadsheets, tickets, emails, documents, and meetings.
This problem becomes especially painful in vulnerability management. At small scale, teams can manually review scanner outputs and create remediation tasks. At enterprise scale, that model breaks down quickly. Thousands of findings can be generated across applications, APIs, infrastructure, containers, and cloud accounts. Without strong prioritization and ownership, vulnerability management becomes noise rather than risk reduction.
Satilmaz has worked on this challenge by building security automation and operational workflows that connect findings to action. His work has involved vulnerability management, security gates in CI/CD pipelines, cloud security governance, compliance validation, endpoint security, and incident response processes. The goal is not simply to find weaknesses, but to create systems that help organizations reduce them.
This engineering-led mindset led to the creation of SecPortal.io, an AI-native cybersecurity workflow management platform. SecPortal is designed for security teams that need to manage vulnerability scanning, triage, remediation tracking, reporting, security assessments, and compliance in one place. The platform reflects a practical understanding of how security work happens inside real organizations.
Rather than treating security as a collection of disconnected tasks, SecPortal focuses on the full security lifecycle. That includes discovering vulnerabilities, assessing severity, assigning ownership, tracking remediation, generating reports, and mapping work to compliance requirements. For teams dealing with application security, vulnerability management, audits, and customer assurance, this type of workflow matters because security programs are only useful when they produce measurable action.
Satilmaz’s work also extends into AI security. He is listed as OWASP Project Lead for the Agent Security Regression Harness, a project focused on advancing security testing for AI-driven systems. This reflects a growing concern in the industry: as AI agents become more capable and more deeply integrated into business workflows, security testing must evolve. Traditional application security models are not always enough for systems that interact with tools, users, data, and external services in dynamic ways.
Security testing for AI-driven systems requires new approaches to regression testing, adversarial behavior, prompt manipulation, tool abuse, data exposure, and agent reliability. Satilmaz’s work in this area sits at the intersection of software engineering, security research, and AI governance.
He is also a security researcher with publicly disclosed CVEs, having identified and reported real-world vulnerabilities across production systems. CVE disclosures are important because they show practical security research beyond theory. They demonstrate the ability to identify weaknesses, document them responsibly, and contribute to the wider security ecosystem.
Alongside engineering and research, Satilmaz publishes technical research and security insights. His writing has been featured on HackerNoon, and he has spoken at industry events including SteelCon. His public work also includes a GitHub portfolio reflecting his broader engineering and security interests. Across these channels, his work covers themes such as security automation, vulnerability management, cloud security, application security, and the operational realities of modern cyber defense.
This combination of building, researching, writing, and speaking reflects a broader shift in cybersecurity. The most effective security professionals increasingly need to operate across disciplines. They must understand software architecture, cloud infrastructure, offensive techniques, compliance requirements, developer workflows, and executive risk language. They also need to turn complex technical problems into clear systems that teams can use.
Satilmaz’s experience as a Certified Cyber Essentials Plus Lead Assessor also connects technical security with organizational readiness. For many companies, improving security posture requires practical guidance, not just abstract recommendations. It means identifying gaps, helping teams remediate them, and creating evidence that controls are actually in place.
His academic background includes an MSc in Information Security from Royal Holloway, University of London. Combined with more than a decade of hands-on engineering experience, this gives him both technical depth and security specialization.
More dashboards alone will not solve the future challenges of cybersecurity. Organizations already have scanners, alerts, logs, reports, and compliance frameworks. What many lack is the operational layer that turns information into accountable action. Security teams need systems that answer practical questions: which issues matter most, who owns them, how quickly they are being fixed, and how leadership can see whether risk is decreasing.
Satilmaz’s work with SecPortal, OWASP, security research, and security automation reflects that direction. His focus is not simply on identifying risk. It is on building the systems that help organizations manage it.
As AI adoption accelerates and enterprise technology environments become more complex, cybersecurity will increasingly depend on people who can combine engineering depth with security judgment. Mert Satilmaz represents that type of practitioner: a builder, researcher, founder, and security engineer focused on making security work at scale.