You’re taking too long to patch your software.
AI-powered vulnerability discovery is measured in hours. Your patch cycle isn't. Anthropic's Claude Mythos found a 27-year-old vulnerability in OpenBSD overnight. Only 40 companies have access today. That won't last.
What's coming
- You patch when something breaks, not before. The window between discovery and exploitation is collapsing.
- Dependency trees full of libraries nobody on your team chose and nobody is tracking
- We once found a 12-year-old version of Apache HTTP Components in production at a major financial services company. Nobody knew it was there.
- Dependabot PRs piling up, ignored, breaking builds
- Quarterly patching cycles leaving months of exposure

I've built delivery pipelines and operational controls at Greater Bank, Essential Energy, MLC, AMP, and Pacific National.
Tom Howard founded Windy Road Technology. I've been working with AI since 1999: building autonomous agents at CSIRO, competing at the RoboCup World Cup, holding a patent, co-authoring research papers. That experience means I understand how these tools reason and where they break.
At Greater Bank I introduced Software Delivery Fireteams that cut cycle time from 24 to 8 days and increased developer throughput by 400%, while growing the team by 50%. At Westpac I led FATCA/CRS compliance remediation across 5,300+ bankers, taking compliance from 0% to 97% in 10 months.
How we get you patch fit
Diagnose
You get a clear picture of your dependency staleness: forgotten libraries, outdated transitive dependencies, and how long your current patch cycle takes end-to-end.
Implement
You get automated dependency updates with CI gates that prevent regressions. Merge confidence scoring. Pipeline changes that make updating safe and routine.
Embed
Your team owns continuous patching. Updates flow through the pipeline without heroics. A critical CVE patch deploys like any other change.
Engagements
Engagements start at $9,000. No retainers, no long-term commitments.
Patch Fitness Assessment
$9,000
1 week
We map dependency staleness across your codebase, measure your patch cycle time, and identify the riskiest gaps. You get first fixes shipped plus a prioritised remediation roadmap.
Dependency map + first fixes shipped
Embedded Delivery Lead
$20,000/month
Ongoing, ~8–10 hrs/week
We embed with your team part-time. Hands-on: automated dependency updates, CI gates, merge confidence scoring, and coaching your developers to own the process.
Continuous patching + team capability uplift
Delivery Sprint
$40,000
4 weeks
A focused engagement with a defined outcome: automated dependency pipeline with CI gates, patch cycle time reduced from weeks to hours, or supply chain visibility across your stack.
Specific deliverable, shipped
What others say
He didn’t simply manage BAU. He elevated it. By introducing structured root cause analysis, strengthening incident hygiene, and embedding Agile and Lean practices, he shifted the team from reactive fire-fighting to disciplined, data-driven service reliability. Reducing open incidents by half within a mission-critical freight system is a significant achievement.
He has an excellent understanding of software engineering principles, and applies them in the work he does. On the project where we worked together, he was instrumental in setting up our lean development processes, and driving us towards a best practice Continuous Delivery model.
Is this a good fit?
This Road
- Your last dependency update was a multi-week project
- You have Dependabot PRs piling up that nobody reviews
- You patched Log4Shell as an emergency and nothing has changed since
Wrong Road
- You already deploy continuously with automated dependency updates
- Your pipeline catches regressions from dependency changes automatically
- You need someone to manage your team full-time
Questions
We already use Dependabot.
Dependabot is good at surfacing what’s outdated. It opens the PRs. What it doesn’t do is merge them, validate them, or handle the transitive conflicts that make teams ignore them. Patch fitness means updates flow through your pipeline with confidence, not pile up in a backlog.
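As an added illustration of the gap described above (example configuration written for this page, not Windy Road Technology's own tooling), here is the minimal shape of the "merge and validate" step Dependabot itself does not provide on GitHub: a grouped Dependabot config to keep the PR backlog reviewable, plus a workflow that enables auto-merge only for patch and minor bumps. The package ecosystem, file paths and workflow name are assumptions; the CI gate comes from branch protection on the target branch requiring your test checks to pass, which is what makes `gh pr merge --auto` wait rather than merge blindly.

```yaml
# .github/dependabot.yml  (assumed path; npm chosen as an example ecosystem)
# Dependabot only opens PRs. Grouping minor and patch bumps into one PR keeps the
# backlog small enough that nobody has a reason to ignore it.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

---
# .github/workflows/dependabot-automerge.yml  (assumed path and name)
# Validation happens in your normal CI workflow; this one only decides whether a
# green Dependabot PR is allowed to merge without a human, and for which bump sizes.
name: Dependabot auto-merge
on: pull_request
permissions:
  contents: write        # needed so the token may enable auto-merge
  pull-requests: write
jobs:
  automerge:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for patch and minor bumps only
        # Major bumps fall through and stay open for a developer to review.
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

`--auto` only merges once every required status check on the protected branch has passed, so the regression safety net is your existing test suite, not this workflow; if the branch has no required checks, the PR merges as soon as it is mergeable, which is the weak setting to avoid. Transitive conflicts still surface as failed checks on the grouped PR, where they are at least visible in one place rather than scattered across dozens of stale PRs.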
Our security team handles patching.
Your security team is good at triaging alerts and prioritising risk. What they don’t typically own is your build pipeline, your test suite, or the developer workflow that determines whether a patch ships in hours or weeks. Patch fitness is an engineering capability, not a security process.
We patch quarterly and that’s fine.
A quarterly cycle means up to 90 days of exposure. When AI-powered vulnerability discovery makes exploits available in hours, 90 days is not a risk you can carry.
What stack do you work with?
JavaScript/TypeScript, Python, Java, .NET, Go, and most modern stacks. If you’re not sure, book a call and we’ll figure it out.