Cyber Security Consultant – Product Security & Regulatory Compliance (m/f/d)

A company in the medical technology sector is looking for an experienced Cyber Security Consultant to act as an independent advisor at the intersection of software architecture, DevOps, and regulatory affairs. The project goal is to develop and secure innovative digital health products (Software as a Medical Device / Connected Devices). The role involves purely technical consulting, technical assessments, and the delivery of validated security artifacts, without operational management decisions. The focus is on translating regulatory requirements (FDA, MDR, EU CRA, NIS2) into technical solutions and objectively assessing security risks.

• Holistic Threat Modeling: Conducting STRIDE-based analyses for APIs, cloud-native services, AI components, and CI/CD pipelines, as well as maintaining formal Threat Model Reports.
• Security Architecture & Design: Creating technical data flow diagrams (DFDs) and Security Architecture Review Reports to document security decisions in cloud and container environments.
• DevSecOps & Supply Chain Security: Advising on hardening CI/CD pipelines, implementing "security-by-default," and managing SBOM artifacts (third-party risk).
• Penetration Testing Support: Defining the scope for pen tests and fuzzing, as well as technically validating the results and CVSS scores.
• Vulnerability Management: Assessing vulnerabilities (Vulnerability Impact Assessments) and creating remediation plans.
• Audit Preparation: Compiling technical evidence and documentation for regulatory submissions (FDA, MDR, MDS2).

• Completed degree (Computer Science, Cyber Security, Engineering).
• 5–8+ years of project experience in product security, application security, or security architecture.
• Excellent knowledge of threat modeling (STRIDE, PASTA), risk assessments (CVSS), and secure SDLC.
• Deep expertise in cloud security (Azure/AWS), containerization (Kubernetes/Docker), API security, and CI/CD toolchains.
• Experience with AI/ML security is a plus.
• Proven experience with medical technology standards (FDA Cybersecurity Guidelines, EU MDR, ISO 14971, IEC 62304) or equivalent critical standards (ISO 21434, IEC 62443).
• Ability to drive technical topics independently as an external consultant, as well as a structured, "audit-ready" documentation style.
• Business fluent English (C1/C2) is mandatory (project and documentation language).
• Fluent German (B2/C1) is desirable.
• Relevant certifications such as CISSP, CCSP, CSSLP, CISM, or OSCP are strongly preferred.