Thinking Machine
Open menu
Work

Anonymised engagements. Real numbers, no client names.

We publish case studies after engagements close and clients approve the anonymised text. We also publish methodology references — anonymised summaries of internal preparedness work. Others remain under reference embargo and are available on request.

Recent engagement contexts EU mental-health services providerMulti-tenant SaaS vendorIndustrial software vendorEU manufacturer of connected productsTier-1 European energy operator
If you only read one

Clinical-grade video consultation platform for an EU mental-health services provider — the most distinctive engagement in the portfolio. Opens on a deliberate refusal: declining the AI Act's medical exemption for emotion recognition, anchored on a 1,000-study meta-analysis. Then the architecture and the 98% storage reduction.

Architecture design & technology selection · anonymised internal reference · EU mental-health services provider · 2026

Clinical-grade video consultation platform for an EU mental-health services provider

Designed and specified a self-hosted, EU-only video-consultation platform purpose-built for clinical mental-health consultations. Edge-ML architecture — face-mesh extraction, noise cancellation, ROI encoding, and adaptive framerate all run on the client; the server is a smart switch. Made the deliberate architectural choice not to do emotion recognition, despite the EU AI Act's medical exemption permitting it, because the clinical evidence does not support reliable emotion inference from facial expression. A six-dimension cost-and-quality framework (CPU, RAM, storage, bandwidth, clinical quality, network resilience) applied across codec, recording, transcription, and storage tiering achieves an end-to-end **98% storage reduction** at the cold tier — €2,190/month down to €45–55/month at 500 sessions/day. Per-session AES-256-GCM keys from HashiCorp Vault, crypto-shredding for GDPR Article 9 right-to-erasure in under 24 hours.

Read case study
Applied platform-engineering work · anonymised internal reference · Multi-tenant SaaS vendor · 2024

Software supply-chain controls and platform-IaC rescue for a multi-tenant SaaS vendor

Reconstructed a five-year-old Ansible/Semaphore IaC stack end-to-end across four repositories — orchestration playbooks, production nginx reverse proxy, PostgreSQL container, analytics-stack feature branch. Designed and shipped a gated software supply-chain layer (Composer/Satis, npm/Verdaccio, SQL/Redgate, container/GitLab Registry) with per-package static analysis, vulnerability scanning, and approval before any developer could resolve a third-party dependency. Approximately 30% of the engagement; implemented in 2024, two years before CRA Cliff 2 (11 December 2027) makes SBOM and supply-chain integrity a regulatory obligation across the EU.

Read case study
40-hour fixed-scope advisory · Industrial software vendor · 2026

Cloud cost assessment for a multi-installation SaaS vendor

A vendor preparing to quote a cloud-managed SaaS deal to a tier-1 enterprise customer needed a defensible per-installation pricing model — without access to the incumbent's hosting baseline. We delivered a triangulated baseline, multi-scenario pricing playbook, and a customer-side cost calculator.

Read case study
Applied preparedness work · anonymised internal reference · EU manufacturer of connected products · 2026

Cyber Resilience Act readiness for an EU manufacturer of connected products

Applied preparedness work on CRA Cliff 1 (September 2026) for an EU manufacturer-operator of connected products. Roughly 240 pages of audit-defensible evidence across 13 documents — checklists, briefings, the Article 14 runbook, the RACI, the execution plan — anchored on five-pass verbatim verification of the Official Journal. Published as a methodology reference; client unidentified.

Read case study
Pre-contract due diligence — structured NFR response · Tier-1 European energy operator · 2026

NFR compliance response for a tier-1 European energy operator

A multi-domain NFR matrix from an enterprise procurement team — roughly fifty line items across security and data architecture — required a structured response that would survive procurement review. We produced the compliance register, a deep-dive sheet for the difficult items, and a source-verification log.

Read case study

Want to discuss work that's not on this page?

Some of our engagements remain confidential. We are happy to discuss them under NDA on a first call.