I'm a former startup CTO. I do fractional CTO work, architecture
reviews, and hands-on rescue for founders who can't afford to
get the next technical decision wrong.
Built and led engineering at Bonjoro, one of Zapier's
fastest-growing apps · Co-founding maintainer of Scoop, an
open-source tool with ~4,000 daily installs · 18 years shipping
software
Services
Ways we might work together.
Fractional CTO & Technical Advisory
The retainer.
I'm the senior engineer non-technical founders call when
they don't have one in-house. I help with big decisions,
hiring calls, AI adoption strategy, and second opinions
on technical candidates or contract teams. I tell you if
the code your team is shipping is actually any good. The
gut-check before a big bet.
I'm the senior engineer non-technical founders call when
they don't have one in-house. Architecture decisions,
hiring calls, second opinions on CTO candidates or
contract teams. AI adoption strategy and the gut-check
before a big bet.
This is for you if: you're a non-technical founder and you need a senior engineer you can lean on. Someone who can read the code your team is shipping and tell you if it's actually any good.
Retainer. A few hours a week.
Architecture Review & Second Opinions
The one-off.
You're about to make a big call. A raise, a rewrite, a
key hire, a new stack, a new vendor. You want someone
senior to look at it before you commit. I do the review,
write it up, walk you through it. Done.
You're about to make a big technical call. A raise, a
rewrite, a lead-engineer hire, a new stack, a vendor
signing. You want someone senior to look at it before
you commit. I do the review, write it up, walk you
through it. Done.
This is for you if: you're about to commit to a decision you can't easily reverse, and you want an independent senior engineer to pressure-test it before you sign.
Fixed scope, fixed fee. 1–2 weeks.
Hands-on Rescue & Modernisation
The project.
I go in and do the work. Updating old systems, moving to
better hosting, connecting tools that need to talk to
each other, fixing security issues. Often this is where
a review leads: the review finds what's broken, I fix
it.
I go in and do the work. Legacy modernisation, cloud
migration, critical integrations, shoring up security
findings. Often this is where an architecture review
leads: the review finds what's broken, I fix it.
This is for you if: your team is stuck on a codebase that used to work and doesn't any more, and you need a senior engineer who can actually go in and fix it instead of writing a report about it.
Weekly rate. 4–12 weeks.
Security & Cryptography Review
The deep dive.
I review how your system protects sensitive data. Login
flows, encryption, key management, who can access what.
I've built these systems from scratch, so I know where
the weak points hide. The code's on GitHub.
I review authentication, encryption, key management, and
data-handling architecture. Kept narrow on purpose. I've
implemented this stuff from first principles: KMIP,
libsodium, zero-trust KMS. The code's on GitHub.
This is for you if: your system depends on "secure by design" claims and you need an expert who's actually implemented this stuff to pressure-test them.
Fixed scope, fixed fee. 1–2 weeks.
Recent work
What this looks like in practice.
Fractional CTO & Advisory · Hands-on Rescue
Advisor → rescue partner for a community-services provider
A Wollongong community-services and NDIS provider
reached out for a one-off security review on their
meal-delivery platform. I found seven critical
issues on the first pass. One would have let an
attacker take over any user's account. They fixed it
within three days.
The engagement didn't end there. The review became a
full website rebuild, then a retainer. I moved their
operations platform and marketing site from files
edited directly in a shared drive onto a proper
system where every change is tracked and reversible.
Passwords and secrets moved into a secure vault.
A Wollongong community-services and NDIS provider
reached out for a one-off Laravel security review on
their meal-delivery operations platform. I found
seven critical issues on the first pass. One was a
launch-blocking account-takeover vulnerability with
two distinct attack vectors. They remediated it
within three days of early notice.
The engagement didn't end there. The review became a
full website rebuild, then an infrastructure
retainer. I moved the operations platform and
marketing site off files edited directly in OneDrive
onto a modern deploy process where every change is
tracked and reversible. Secrets moved into
1Password.
One security review became a retainer, then a rebuild.
One client, three engagement types.
Hands-on Rescue · Security & Cryptography
Greenfield zero-trust key management for a data-sovereignty
startup
An Australian startup was building a personal data
vault where only the user holds the keys. The
company itself can't see customer data, even if
forced to. That promise is only as strong as the
security system underneath it.
I built that security system from scratch. When it
was done the team needed a mobile developer next.
That was in my wheelhouse, so I shifted to building
the Flutter mobile app on top of it. I released the
supporting code as open source, MIT-licensed, under
the byterix-labs GitHub organisation.
An Australian-founded data-sovereignty startup was
building a zero-knowledge personal data vault. Users
hold the only keys. The company can't decrypt
customer data even if compelled to. That promise is
only as strong as the crypto infrastructure
underneath it.
I built the greenfield cryptographic key management
service from first principles in Zig, a language
with almost no ecosystem support for the protocols
required. It implemented enough of the KMIP 2.0 spec
to meet our needs, with libsodium bindings and a
streaming data library with memory/filesystem
fallback. I released the supporting libraries
MIT-licensed back to the community under the byterix-labs GitHub organisation. When the KMS was done the team
needed a mobile developer next. That was in my wheelhouse,
so I shifted to building the greenfield Flutter mobile
client on top of it.
A greenfield KMS and a greenfield mobile client, with a
single engineer.
Fractional CTO & Technical Advisory
Fractional CTO for an AI-imaging founder
A non-technical founder was building an AI classifier to
triage hip and knee x-rays, to help reduce surgical
waitlists. A regional Australian hospital was running a
pilot. The founder needed a fractional CTO, long-term and
part-time.
Over thirteen months I set up the codebase, recommended
the AI engineer, worked with him on the model, and
contributed to the formal hospital-pilot report. The
system analyses knee x-rays and reached ~83% accuracy at detecting osteoarthritis across a 1,656-image test set.
Over thirteen months I set up the repository and
codebase, recommended the AI engineer, worked with him
on the model, and contributed to the formal
hospital-pilot report. We trained a two-stage deep
learning pipeline (YOLOv8 knee-joint detection →
ResNet-18 KL grading) on 5,778 labelled knee
x-rays. It reached ~83% accuracy on binary
osteoarthritis detection across a 1,656-image held-out test set.
The founder focused on the clinical, regulatory, and
commercial sides of the business knowing the technical
side was covered.
Architecture Review · Fractional CTO & Advisory
The founder who came back twice: Anthony Ngo (Studio Gema
& NoteJam)
The first engagement was small and specific.
Anthony, a non-technical founder building a mobile
game at Studio Gema, needed to hire a technical
co-founder and knew enough to know he wasn't
technical enough to evaluate candidates on his own.
Eighteen months later, Anthony was back. New
company: NoteJam, a B2B SaaS notes app for sales
reps, built from scratch with a contract development
team. Exactly the same need: a senior engineer on
the decisions he couldn't afford to get wrong. The
second engagement was bigger and broader. A few
months of advisory across the MVP build (how the app
connects to existing sales tools, hosting,
technology choices, strategy deck Q&A), followed
by another co-founder interview pass. This time with four candidates instead of two.
The first engagement was small and specific.
Anthony, a non-technical founder building a mobile
game at Studio Gema, needed to hire a technical
co-founder and knew enough to know he wasn't
technical enough to evaluate candidates at depth on
his own.
Eighteen months later, Anthony was back. New
company: NoteJam, a B2B SaaS notes app for sales
reps, built from scratch with a contract development
team. Exactly the same need: a senior engineer on
the decisions he couldn't afford to get wrong. The
second engagement was bigger and broader. A few
months of fractional-CTO advisory across the MVP
build (CRM integration architecture, hosting issues,
tech stack review, strategy deck Q&A), followed
by another CTO co-founder interview pass. This time
with four candidates instead of two.
A founder who hires the same senior engineer twice, at
two different companies, for two different decisions, is
telling you what the service is actually worth.
Hands-on Rescue & Modernisation
Unblocking a stuck mobile team at a renewable-energy
platform
An Australian renewable-energy platform had three
problems. Their mobile app had become a bottleneck,
blocking features the product team wanted to ship.
Infrastructure changes were being made by hand and
going undocumented. And the data pipelines pulling
readings from hardware in the field were unreliable
enough to be untrustworthy.
I worked through all three. I got the mobile app
back to a state where the team could ship features
again. I converted the manual infrastructure changes
into a system that could be reviewed, reproduced,
and rolled back. I rewrote the data pipelines for
reliability, and the readings became something the
team could trust.
An Australian renewable-energy and
distributed-energy-resources platform had three
problems. On the mobile side, a legacy Ionic Angular
app had become a bottleneck, blocking features the
product team wanted to ship. On the infrastructure
side, cloud changes were being made manually and
going undocumented. On the data side, Python ETL
pipelines ingesting telemetry from field hardware
were unreliable enough to be untrustworthy for
downstream decisions.
I worked through all three. I got the mobile app
back to a state where the team could ship features
again. I converted the manual cloud changes into
version-controlled Terraform deploys that could be
reviewed, reproduced, and rolled back. I rewrote the
ETL pipelines for reliability, and the telemetry
became something the team could trust.
A team that could ship again, on infrastructure they
could reason about.
Open source
Public code, for the Google-check.
If someone referred you in and you're doing the "is this guy actually as senior as they said" check, this is the fastest way to settle it. A few highlights across community tooling, cloud infrastructure, and systems programming:
I'm Simon Hartcher. I've been shipping software professionally
for eighteen years. Nearly nine of those were at Bonjoro, six as CTO. I led engineering while it became one of Zapier's
fastest-growing apps. Later I rewrote the mobile app from native
iOS and Android into React Native, when two codebases stopped
being worth the cost.
I'm based in Wollongong, Australia. I work with founders across
AU, the US, UK, and EU. Lately that's been healthcare, renewable
energy, legal tech, charities, and zero-trust data platforms. I
build as much as I advise.
Outside client work, I run the Siligong Valley game-dev meetup in Wollongong and write about engineering, infrastructure,
and leading teams.
Get in touch
Tell me what you're working on.
A sentence or three is enough to get us started. I read every
message and reply personally.