About the author

Built by a practitioner, not a marketing team

FwChange is not a product written by people who read about firewalls. I built it after seventeen years inside enterprise security operations, and after watching the same migrations fail the same preventable way. The software encodes the method I already used by hand.

Nick Falshaw
Principal Security Architect & AI Systems Engineer
17+ years enterprise security · 280+ firewall migrations · 11 Tier-1 European enterprises

The background

Seventeen years inside the change window

I have spent my career as a hands-on network security architect: migrating firewall estates, rationalizing rule bases, and standing in front of auditors who want to know who changed what, when, and why.

Across 280+ firewall migration projects I worked inside Tier-1 European and KRITIS-regulated environments: banking, insurance, enterprise software, automotive, chemicals, payments, energy, consumer goods, heavy machinery and telecommunications. Names stay anonymized; the patterns do not. The same preventable failures repeat at every scale: shadow rules nobody finds, manual translation errors between vendor syntaxes, and compliance evidence reconstructed under deadline because no system captured it as the change happened.

FwChange exists because I got tired of solving those problems by hand. It encodes seventeen years of field-tested method into software, so the analysis that used to live in my head is now a step in the workflow.

  • Field: 17+ years enterprise security
  • Delivered: 280+ firewall migrations
  • Anonymized: 11 Tier-1 European enterprises
  • Specialism: KRITIS / regulated infrastructure
  • Outcome: Built FwChange from the method

Credentials

Ten certifications behind the method

Six industry credentials across network security, enterprise architecture, cloud security and AI engineering, plus four vendor certifications across the firewall platforms FwChange actually speaks to.

  • CCIE Security (Written) - Cisco
  • ISO 27001 Lead Implementer - PECB / BSI
  • TOGAF 9 Certified - The Open Group
  • AI-102: Azure AI Engineer - Microsoft
  • AZ-500: Azure Security Engineer - Microsoft
  • CEH: Certified Ethical Hacker - EC-Council
  • PCNSE - Palo Alto Networks
  • CCNP Security - Cisco
  • NSE 4 / 7 - Fortinet
  • CCSA / CCSE - Check Point

Where the work happened

Eleven Tier-1 European enterprises, sectors only

Client names stay under NDA, but the regulated sectors that shaped the method are the same ones FwChange now serves. The migrations behind the platform sit across these industries.

  • Banking
  • Insurance
  • Enterprise software
  • Automotive
  • Chemicals
  • Payments
  • Energy
  • Consumer goods
  • Heavy machinery
  • Telecommunications
  • Critical infrastructure (KRITIS)

Specialization

What I actually go deep on

The work sits where regulated infrastructure meets multi-vendor firewall estates, the place where a wrong rule is both a security incident and an audit finding.

  • KRITIS & regulated infrastructure: firewall policy and segmentation for BSI-regulated operators.
  • PCI-DSS firewall rationalization and audit-trail documentation for payment environments.
  • BSI IT-Grundschutz aligned controls for German regulated enterprise.
  • Zero Trust: micro-segmentation that scales change management instead of breaking it.
  • OT/IT convergence: segmentation where the network spans both worlds.
  • Multi-vendor migration: cross-syntax translation without losing intent.

  • KRITIS segmentation: Deep
  • PCI-DSS firewall scope: Deep
  • BSI IT-Grundschutz: Deep
  • Zero Trust micro-seg: Active
  • OT/IT convergence: Active
  • Multi-vendor migration: Core

FwChange was born from one observation repeated across 280+ projects: enterprise firewall migrations fail in the same preventable ways, through undetected shadow rules, manual translation errors between vendor syntaxes, and compliance evidence that has to be reconstructed after the fact. The platform turns each of those into a step the software handles, not a thing a senior engineer has to remember.

See the method, not the pitch

The platform is the proof. The methodology page walks through the thinking behind every part of it: the same reasoning I used in the field before any of it was code.