About
Hey, I’m Lars Backman, a security consultant based just outside Stockholm. I live on a farm with my girlfriend, have a motorcycle I ride too infrequently, and more animals than I ever planned for.
I’ve been hooked on computers basically my whole life. Security clicked when I was a teenager. I’d watch hacking talks online and think it was the coolest thing I’d ever seen, while also being pretty convinced I’d never be smart enough to actually do it. After a lot of work, and help from some very good mentors and colleagues along the way, I’ve helped secure some of the most successful startups and scale-ups in Sweden.
How I got here
I started out as a Linux sysadmin. Understanding systems before trying to break them still shows up in how I work.
From there I went through F-Secure’s Cyber Security Academy in Copenhagen and ended up as their Cloud Security Lead for Sweden, working with clients on cloud security architecture, pentests, and security reviews.
After that, it’s been mostly fintech and legal tech:
Tink. Open banking platform, connecting banks across Europe. I joined as the acquisition was happening. The mission was to bring Tink’s security posture from Swedish startup to Visa enterprise, fast. Mostly application security, infrastructure, and threat modelling.
Juni. Fintech for e-commerce businesses, EMI-licensed, PCI DSS environment. I built the security infrastructure layer from scratch: pipeline controls, secrets management, IaC scanning, and a full SOAR platform on AWS Step Functions with automated remediations and self-service account security for end users. The idea was to handle security at the infrastructure level so it didn’t have to live in engineers’ heads.
Legora. AI platform for lawyers. I was the first security hire. The company had about 40 people then. It’s now closing in on 500, and went from $1M to $100M ARR in 18 months. I covered IT, security, GRC, and solutions engineering for enterprise customers. I built all of it as the company scaled.
How I think about security
Many security risks can be engineered away. Not just mitigated or monitored. Removed from the equation by building systems where the secure path is the default and the insecure path doesn’t exist.
Secure defaults mean engineers don’t have to make the right security choice every time. They get it automatically. Golden paths take this further: build the approved, secure way to do something so easy that no one reaches for the alternative.
Strong identity is the clearest example of this in practice. Passwords are done. Every system should be connected via SSO and SCIM, and your central IdP should only accept WebAuthn or FIDO2-based authentication. Passkeys, hardware keys. No passwords, no SMS codes. The entire class of phishing-based credential attacks goes away when you do this properly.
Zero trust follows from the same logic. Don’t rely on where a request comes from. Verify everything, assume nothing, give people the minimum access they actually need.
Compliance is a byproduct of building things this way, not the goal. If you’re operating under DORA, GDPR, PCI DSS, or ISO 27001, building secure by default is the most direct path to certification. And being open about how something works doesn’t make it less secure. Usually it’s the opposite.
If you want to work together, reach out.