I'm a former startup CTO. I do fractional CTO work, architecture reviews,
and hands-on rescue for founders who can't afford to get the next technical
decision wrong.
Built and led engineering at Bonjoro, one of Zapier's fastest-growing apps · Co-founding maintainer of Scoop, an open-source tool with ~4,000 daily installs · 18 years shipping software
Services
Ways we might work together.
Fractional CTO & Technical Advisory
The retainer.
I'm the senior engineer non-technical founders call when they don't have one in-house. I help with big decisions, hiring calls, AI adoption strategy, and second opinions on technical candidates or contract teams. I tell you if the code your team is shipping is actually any good. The gut-check before a big bet.
I'm the senior engineer non-technical founders call when they don't have one in-house. Architecture decisions, hiring calls, second opinions on CTO candidates or contract teams. AI adoption strategy and the gut-check before a big bet.
This is for you if: you're a non-technical founder and you need a senior engineer you can lean on. Someone who can read the code your team is shipping and tell you if it's actually any good.
Retainer. A few hours a week.
Architecture Review & Second Opinions
The one-off.
You're about to make a big call. A raise, a rewrite, a key hire, a new stack, a new vendor. You want someone senior to look at it before you commit. I do the review, write it up, walk you through it. Done.
You're about to make a big technical call. A raise, a rewrite, a lead-engineer hire, a new stack, a vendor signing. You want someone senior to look at it before you commit. I do the review, write it up, walk you through it. Done.
This is for you if: you're about to commit to a decision you can't easily reverse, and you want an independent senior engineer to pressure-test it before you sign.
Fixed scope, fixed fee. 1–2 weeks.
Hands-on Rescue & Modernisation
The project.
I go in and do the work. Updating old systems, moving to better hosting, connecting tools that need to talk to each other, fixing security issues. Often this is where a review leads: the review finds what's broken, I fix it.
I go in and do the work. Legacy modernisation, cloud migration, critical integrations, shoring up security findings. Often this is where an architecture review leads: the review finds what's broken, I fix it.
This is for you if: your team is stuck on a codebase that used to work and doesn't any more, and you need a senior engineer who can actually go in and fix it instead of writing a report about it.
Weekly rate. 4–12 weeks.
Security & Cryptography Review
The deep dive.
I review how your system protects sensitive data. Login flows, encryption, key management, who can access what. I've built these systems from scratch, so I know where the weak points hide. The code's on GitHub.
I review authentication, encryption, key management, and data-handling architecture. Kept narrow on purpose. I've implemented this stuff from first principles: KMIP, libsodium, zero-trust KMS. The code's on GitHub.
This is for you if: your system depends on "secure by design" claims and you need an expert who's actually implemented this stuff to pressure-test them.
Fixed scope, fixed fee. 1–2 weeks.
Recent work
What this looks like in practice.
Fractional CTO & Advisory · Hands-on Rescue
Advisor → rescue partner for a community-services provider
A Wollongong community-services and NDIS provider reached out for a one-off security review on their meal-delivery platform. I found seven critical issues on the first pass. One would have let an attacker take over any user's account. They fixed it within three days.
The engagement didn't end there. The review became a full website rebuild, then a retainer. I moved their operations platform and marketing site from files edited directly in a shared drive onto a proper system where every change is tracked and reversible. Passwords and secrets moved into a secure vault.
A Wollongong community-services and NDIS provider reached out for a one-off Laravel security review on their meal-delivery operations platform. I found seven critical issues on the first pass. One was a launch-blocking account-takeover vulnerability with two distinct attack vectors. They remediated it within three days of early notice.
The engagement didn't end there. The review became a full website rebuild, then an infrastructure retainer. I moved the operations platform and marketing site off files edited directly in OneDrive onto a modern deploy process where every change is tracked and reversible. Secrets moved into 1Password.
One security review became a retainer, then a rebuild. One client, three engagement types.
Hands-on Rescue · Security & Cryptography
Greenfield zero-trust key management for a data-sovereignty startup
An Australian startup was building a personal data vault where only the user holds the keys. The company itself can't see customer data, even if forced to. That promise is only as strong as the security system underneath it.
I built that security system from scratch. When it was done the team needed a mobile developer next. That was in my wheelhouse, so I shifted to building the Flutter mobile app on top of it. I released the supporting code as open source, MIT-licensed, under the byterix-labs GitHub organisation.
An Australian-founded data-sovereignty startup was building a zero-knowledge personal data vault. Users hold the only keys. The company can't decrypt customer data even if compelled to. That promise is only as strong as the crypto infrastructure underneath it.
I built the greenfield cryptographic key management service from first principles in Zig, a language with almost no ecosystem support for the protocols required. It implemented enough of the KMIP 2.0 spec to meet our needs, with libsodium bindings and a streaming data library with memory/filesystem fallback. I released the supporting libraries MIT-licensed back to the community under the byterix-labs GitHub organisation. When the KMS was done the team needed a mobile developer next. That was in my wheelhouse, so I shifted to building the greenfield Flutter mobile client on top of it.
A greenfield KMS and a greenfield mobile client, with a single engineer.
Fractional CTO & Technical Advisory
Fractional CTO for an AI-imaging founder
A non-technical founder was building an AI classifier to triage hip and knee x-rays, to help reduce surgical waitlists. A regional Australian hospital was running a pilot. The founder needed a fractional CTO, long-term and part-time.
Over thirteen months I set up the codebase, recommended the AI engineer, worked with him on the model, and contributed to the formal hospital-pilot report. The system analyses knee x-rays and reached ~83% accuracy at detecting osteoarthritis across a 1,656-image test set.
Over thirteen months I set up the repository and codebase, recommended the AI engineer, worked with him on the model, and contributed to the formal hospital-pilot report. We trained a two-stage deep learning pipeline (YOLOv8 knee-joint detection → ResNet-18 KL grading) on 5,778 labelled knee x-rays. It reached ~83% accuracy on binary osteoarthritis detection across a 1,656-image held-out test set.
The founder focused on the clinical, regulatory, and commercial sides of the business knowing the technical side was covered.
Architecture Review · Fractional CTO & Advisory
The founder who came back twice: Anthony Ngo (Studio Gema & NoteJam)
The first engagement was small and specific. Anthony, a non-technical founder building a mobile game at Studio Gema, needed to hire a technical co-founder and knew enough to know he wasn't technical enough to evaluate candidates on his own. Tightly scoped: interview briefs, sit on the technical interviews, write up a recommendation. Fixed fee. Two candidates. Done in a week.
Eighteen months later, Anthony was back. New company: NoteJam, a B2B SaaS notes app for sales reps, built from scratch with a contract development team. Exactly the same need: a senior engineer on the decisions he couldn't afford to get wrong. The second engagement was bigger and broader. A few months of advisory across the MVP build (how the app connects to existing sales tools, hosting, technology choices, strategy deck Q&A), followed by another co-founder interview pass. This time with four candidates instead of two.
The first engagement was small and specific. Anthony, a non-technical founder building a mobile game at Studio Gema, needed to hire a technical co-founder and knew enough to know he wasn't technical enough to evaluate candidates at depth on his own. Tightly scoped: interview briefs, sit on the technical interviews, write up a recommendation. Fixed fee. Two candidates. Done in a week.
Eighteen months later, Anthony was back. New company: NoteJam, a B2B SaaS notes app for sales reps, built from scratch with a contract development team. Exactly the same need: a senior engineer on the decisions he couldn't afford to get wrong. The second engagement was bigger and broader. A few months of fractional-CTO advisory across the MVP build (CRM integration architecture, hosting issues, tech stack review, strategy deck Q&A), followed by another CTO co-founder interview pass. This time with four candidates instead of two.
A founder who hires the same senior engineer twice, at two different companies, for two different decisions, is telling you what the service is actually worth.
Hands-on Rescue & Modernisation
Unblocking a stuck mobile team at a renewable-energy platform
An Australian renewable-energy platform had three problems. Their mobile app had become a bottleneck, blocking features the product team wanted to ship. Infrastructure changes were being made by hand and going undocumented. And the data pipelines pulling readings from hardware in the field were unreliable enough to be untrustworthy.
I worked through all three. I got the mobile app back to a state where the team could ship features again. I converted the manual infrastructure changes into a system that could be reviewed, reproduced, and rolled back. I rewrote the data pipelines for reliability, and the readings became something the team could trust.
An Australian renewable-energy and distributed-energy-resources platform had three problems. On the mobile side, a legacy Ionic Angular app had become a bottleneck, blocking features the product team wanted to ship. On the infrastructure side, cloud changes were being made manually and going undocumented. On the data side, Python ETL pipelines ingesting telemetry from field hardware were unreliable enough to be untrustworthy for downstream decisions.
I worked through all three. I got the mobile app back to a state where the team could ship features again. I converted the manual cloud changes into version-controlled Terraform deploys that could be reviewed, reproduced, and rolled back. I rewrote the ETL pipelines for reliability, and the telemetry became something the team could trust.
A team that could ship again, on infrastructure they could reason about.
Open source
Public code, for the Google-check.
If someone referred you in and you're doing the "is this guy actually as senior as they said" check, this is the fastest way to settle it. A few highlights across community tooling, cloud infrastructure, and systems programming:
I'm Simon Hartcher. I've been shipping software professionally for eighteen years. Nearly nine of those were at Bonjoro, six as CTO. I led engineering while it became one of Zapier's fastest-growing apps. Later I rewrote the mobile app from native iOS and Android into React Native, when two codebases stopped being worth the cost.
I'm based in Wollongong, Australia. I work with founders across AU, the US, UK, and EU. Lately that's been healthcare, renewable energy, legal tech, charities, and zero-trust data platforms. I build as much as I advise.
Outside client work, I run the Siligong Valley game-dev meetup in Wollongong and write about engineering, infrastructure, and leading teams.
Get in touch
Tell me what you're working on.
A sentence or three is enough to get us started. I read every message and reply personally.