
Alexander Zlatnik, Head of Product & Technology von cyan Digital Security

Description

In this interview, Alexander Zlatnik of cyan Digital Security gives insights into the developer teams, the technologies they use, and how recruiting is organized at the company.


Video Summary

In "Alexander Zlatnik, Head of Product & Technology von cyan Digital Security," Alexander Zlatnik outlines a ~50-person tech organization with product-based Product Owners, a Scrum Master, two-week sprints using Scrum or Kanban, and integrated QA and Operations that run their own platforms. He details a lean hiring flow with fast decisions—HR/team lead screening, a team-lead interview to align expectations, a practical case for developers/PM, and a 4–6-eyes panel—plus structured onboarding where newcomers meet all departments, start with smaller tasks, and are expected to be independent after 3–6 months. The stack balances proven and modern tech for security: Java backends, high-performance C++ at customer sites, Kotlin/Swift cores with Flutter frontends, Postgres and MongoDB, Angular UIs, QA automation via Cucumber/Selenium, and Ansible with an internal Kubernetes project, underpinned by ISO processes and maintained libraries.

Pragmatic Security Engineering at CYAN Security Group GmbH: Inside the Product, People, and Process with Alexander Zlatnik, Head of Product & Technology von cyan Digital Security

Context: A product-led tech organization with end-to-end responsibility

In our session with “Alexander Zlatnik, Head of Product & Technology von cyan Digital Security” at CYAN Security Group GmbH, we saw a refreshingly clear operating model for building and running security products. The technology department comprises roughly 50 people, organized around product outcomes rather than silos. Development, Quality Assurance, Solution Architecture, Project Management, and Operations sit within one coherent structure—because CYAN not only builds its platforms, it also operates them.

Two dedicated Product Owners steward the company’s two products. A Scrum Master supports the Product Owners and the organization. Solution Architects co-create and align solutions with customers. QA validates every increment. Operations, embedded in the technology group, ensures real-world stability and observability are part of everyday engineering, not an afterthought.

Delivery cadence and methods: Two-week cycles, Scrum or Kanban depending on context

CYAN runs in two-week rhythms and adapts practices to the work at hand:

  • Internal product feature development: Scrum in two-week sprints.
  • Customer-facing delivery: Kanban or a project cadence aligned to the client’s workflow.

“Our teams are set up with two-week sprints … depending on whether you work with the customer or do pure product development, we have either Kanban or Scrum implemented.”

Within each sprint, packages move to QA. Ideally, QA approves all tickets by the end; if not, items roll into the next sprint. In a security product environment, this discipline safeguards quality and predictability without forcing artificial finishes.

Team composition: Cross-functional by design, close to the customer and the run phase

Zlatnik outlines the key building blocks of the technology organization:

  • Project Management: Coordination and oversight.
  • Software Development: Java backend, C++ for on-customer-prem filter engines, mobile, and web.
  • Solution Architecture: Direct engagement with customers to shape and agree on solutions.
  • Quality Assurance: Currently heavy on manual testing, with a clear automation roadmap.
  • Operations: Embedded in the tech team since CYAN operates its own platforms.

This end-to-end approach fosters shared ownership. When operations live within engineering, deployments, monitoring, and reliability become collaborative efforts. For an ISO-certified security company, this tight alignment between build and run is a competitive strength.

The tech stack: Proven where it matters, modern where it helps

Zlatnik is open about the core trade-off in security product development: candidates often seek the latest technologies; in security, you frequently need proven stacks for stability and risk control.

“In the security environment, we rely on tried-and-tested technologies … also from a security standpoint.”

The stack is broad yet purposeful:

  • Backend: Java
  • Security-critical filter engines (deployed at customers): C++ with a strict performance focus
  • Mobile: Kotlin (Android) and Swift (iOS) for the core; Flutter for the front-end layer
  • Web front-ends: Angular
  • Datastores: Postgres for large platform domains; MongoDB for smaller and speed-sensitive parts
  • QA automation: Cucumber and Selenium (an active internal initiative)
  • Infrastructure: Ansible; internal work on Kubernetes

The mobile architecture stands out. CYAN deliberately separates core and UI: the core remains native for performance and secure platform integration, while Flutter drives cross-platform UI speed and consistency.

“For the mobile apps … we’ve separated the core and the front-end … Core uses Kotlin and Swift; for the front end we use Flutter. This has proven itself, because we can work very flexibly and dynamically.”

This structure also solves a resourcing problem—no need for parallel, large Android and iOS teams—while preserving the strengths of native development where it counts.

Quality and security: ISO discipline, automation with intent, and realistic boundaries

CYAN is ISO-certified and applies the related processes, including regular library maintenance even where open source is used. In testing, the organization still relies heavily on manual efforts today, but is actively pushing automation with Cucumber and Selenium to increase coverage and repeatability, especially around mobile and UI flows.

“Libraries are regularly maintained, even if we use open source in parts … these processes are very important for us, also from a security aspect.”

Kubernetes is explored internally, but with a sober caveat: customers must be able to support the technology. Cutting-edge stacks are valuable—but only if they bring real advantages in customer environments.

“Great if we can do it internally … whether we can use it immediately, or only in one or two years, we don’t know.”

This stance protects the team from tool-churn and keeps the focus where it belongs: product outcomes, customer constraints, and security.

Hiring: Lean, human, and decisive—with real team involvement

The hiring process is compact and well-calibrated:

  1. Application: Directly via the website or through various channels.
  2. Initial screening: By HR or the relevant team lead.
  3. First interview: With the team lead, usually via video, preferably in person. Purpose: align expectations on both sides and probe the candidate’s profile and skillset. Shorter stints or frequent changes are openly discussed to understand context.
  4. Second round (role-dependent): A case exercise—for software engineers and product managers alike—derived from previous projects. The focus is on how candidates handle ambiguity, make assumptions, and structure their approach. It is explicitly not a line-by-line code test.
  5. Review and team conversation: The case is reviewed by the team lead or Product Owner, and the candidate meets the team (typically 3–4 people).

“We keep a four-, six-, eight-eyes principle … because personal sympathy can bias decisions … with more perspectives we get to a decision quickly.”

Decisions follow within one or two days. Offers go out by email, and once accepted, paperwork wraps up the process. For candidates, this feels lean and respectful—few hoops, real conversations, tangible feedback.

Onboarding: Structured, cross-functional, and honest about the ramp-up

CYAN runs a defined onboarding program:

  • Cross-department tour: New hires meet all departments, with a roughly two-hour session led by each team lead.
  • Product and Sales immersion: Product Management walks through products, customers, and rollout patterns; Sales covers sales materials and presentations.
  • Early productivity: New engineers start hands-on early with smaller, non-core tasks to touch interfaces and code paths, then advance step-by-step.

Crucially, expectations are realistic. No one is expected to ship on day one.

“We don’t expect someone to come in and deliver 100 lines of code on the first day … it usually takes three to six months before someone can work independently on a project.”

This clarity reduces stress and fosters sustainable growth.

Customer collaboration: Solution Architects as the bridge, QA as the guardrail

Solution Architects partner with customers to shape solutions up front. Delivery then runs in two-week increments, feeding QA within the sprint. If tickets aren’t ready at sprint end, they move forward without drama. In a security product company, this conservatism is a feature, not a bug: it favors stability, traceability, and the kind of predictability customers rely on.

Engineering culture: Ownership, judgment, and respect for constraints

Three cultural signals stand out:

  • Ownership over buzzwords: Decisions are grounded in customer outcomes, security, and maintainability, not trend-chasing.
  • Measured modernization: Flutter on mobile UIs and test automation in QA are introduced where they truly improve flow; native cores remain for security and performance.
  • Reality-aware adoption: Technologies like Kubernetes are adopted only when customers can support them. CYAN invests in internal know-how first, then advocates externally based on evidence.

This culture appeals to engineers who want to build real, durable systems—teams that value reliability and product impact more than a laundry list of shiny tools.

Why join CYAN? What stood out to us

From a DevJobs.at employer-brand perspective, several points make CYAN compelling:

  • Fast, fair decisions: Offers can go out within one or two days after the final round. This respects candidate time and momentum.
  • Thoughtful onboarding: Cross-functional introductions, early hands-on with smaller tasks, and a realistic three-to-six-month runway to autonomy.
  • End-to-end responsibility: Engineering and Operations under one roof. You build it, you help run it—especially important in security.
  • Pragmatic stack: Native mobile cores (Kotlin/Swift) plus Flutter for UI agility, Java on the backend, C++ for performance-critical engines, Angular on the web, Postgres and MongoDB where each fits best.
  • Real quality posture: ISO certification, disciplined library maintenance, and a concrete path to QA automation with Cucumber and Selenium.
  • Practical agility: Two-week sprints, QA within the sprint, Kanban where customer workflows demand it.
  • Customer proximity: Solution Architecture brings the voice of the customer right into the design and delivery process.

If you prefer substance over hype—modern tools where they add value, proven technologies where safety and performance demand it—CYAN offers the kind of environment where your engineering decisions matter.

What the hiring case studies reveal about the work

Zlatnik’s description of second-round case studies is telling: they are designed to surface a candidate’s problem-solving method, not to nitpick code syntax.

  • How do you handle missing information?
  • What assumptions do you make, and how do you communicate them?
  • How do you structure your approach when requirements are incomplete?

“It’s not about code lines … it’s about making assumptions when something is missing and understanding the approach.”

These are exactly the muscles teams use daily when building security products with real customers. If that excites you, the work will feel meaningful here.

Mobile strategy: A scalable best-of-both-worlds

CYAN’s decision to keep the core native (Kotlin/Swift) and use Flutter for the UI front ends emerged from practical team realities. It preserves performance and platform integration while accelerating cross-platform UI delivery. It also avoids the staffing knot of maintaining parallel, large native teams.

Zlatnik notes that the setup has changed “drastically” over recent years—evolution driven by product needs rather than trend-chasing.

Data and performance: The right tool for the job

Postgres underpins the big platform domains; MongoDB supports smaller, speed-focused workloads. The pattern is pragmatic and familiar to modern product teams. Meanwhile, C++ powers the on-customer filter engines with a clear mandate: speed and throughput first.

This combination of proven and targeted technologies minimizes risk and supports the reliability bar demanded in security markets.

QA transition: From manual-heavy to automation where it counts

While manual testing remains significant today, CYAN is investing in automation with Cucumber and Selenium. The approach is incremental and value-driven: automate flows with the highest repetition and stability needs, especially around mobile apps. This avoids the trap of automating everything indiscriminately and keeps efforts tied to product impact.

Infrastructure: Ansible as a staple, Kubernetes with caution

Ansible anchors provisioning and configuration management. Kubernetes is an internal initiative rather than a customer default—because not every customer can support it yet. For a company that both builds and runs platforms in a sensitive domain, this prioritization is sensible and respectful of real-world constraints.

Quote highlights

  • “Two-week sprints … Kanban or Scrum depending on the project.”
  • “QA ideally approves all tickets by the end of the sprint—otherwise items move to the next sprint.”
  • “Case exercises to see the approach—not counting code lines.”
  • “A four-, six-, eight-eyes principle over gut feel—decisions in one or two days.”
  • “Onboarding with department tours and early small tasks—three to six months to autonomy.”
  • “Core native (Kotlin/Swift), UI with Flutter—flexible and dynamic.”
  • “C++ for on-customer filter engines—performance first.”
  • “ISO processes, open-source hygiene, automation with Cucumber/Selenium.”
  • “Kubernetes internally—customer use only when supportable.”

Conclusion: A security-first product organization that treats responsibility seriously

Follow “Alexander Zlatnik, Head of Product & Technology von cyan Digital Security” closely and a coherent picture emerges. CYAN Security Group GmbH builds and operates security products—and aligns processes, tooling, and team structures to that responsibility.

  • Technically: A deliberate mix of Java, C++, Kotlin/Swift, Flutter, Angular, Postgres, MongoDB, and Ansible—with Kubernetes explored pragmatically.
  • Process-wise: Two-week sprints, QA within the sprint, Kanban for customer-facing work, ISO-compliant hygiene for dependencies and libraries.
  • Culturally: Ownership for run as well as build, strong quality guardrails, and realistic expectations for new joiners.
  • As an employer: Lean, respectful hiring with quick decisions; onboarding that orients and enables real autonomy over three to six months.

For engineers, QA, and operations professionals who value impact over buzzwords, CYAN offers substance: modern tools where they genuinely help, proven stacks where safety and performance demand them. It’s a combination that builds trust—with customers and with the teams who ship the software.
