A.01 ABOUT — 2026

I build security tools
that produce evidence,
and I run because
it makes the rest clearer.

Maximilian Richter — security engineer, working on AI-agent harnesses and pen-test tooling. Training for IRONMAN 70.3 Kraichgau on the side. Based in the Allgäu.

A.02 NOW
SHIPPING
chore: refresh live stats (2026-05-28)
TRAINING
31-week streak · 162 sessions YTD
Last run · Tuesday · 8.4 km
CADENCE
0
contributions · last 30 days
NEXT
IRONMAN 70.3 · Kraichgau
31 May 2026 · 1.9 swim · 90 bike · 21.1 run
A.03 · BIO M.R · 1999
Maximilian Richter at a railing in Shenzhen, skyline behind.
SHENZHEN · 2025
BORN
2004 · Sonthofen
BASED
Allgäu · CET (UTC+1)
EDUCATED
Ausbildung · Application Developer
FOCUS
AI agent security · Pen-test tooling
STACK
Python · TypeScript · Three.js · GSAP
TRAINING
Running · Triathlon · Table tennis
REACH
max.richter.dev@proton.me
A.04 STORY

How I ended up
doing both.

I came into security through tooling, not bug-hunting. The first thing I built that felt right was a small CLI that ran ten reconnaissance steps in one command and dumped a JSONL trace — same reflex I now apply to agent evaluations. The output isn't a verdict, it's evidence the next person can re-run, argue with, and disprove.

The endurance side started in parallel. Long sessions made the same point the engineering already wanted: a 90-minute run that's well paced gets you further than a 60-minute hero run that flames out. A guard layer that's auditable is more useful than a black-box filter with a higher single-metric score. Different vocabulary, same shape.

Most of what's on this site I work on solo. One artifact a quarter — case study, open-source release, or a race — and over time it adds up. Nothing dramatic about it.

A.05 PRACTICE
FIVE HABITS

How the work
actually runs.

  1. I write the trace first.

    Every benchmark drops one JSONL line per event before anything gets aggregated. Makes it easy to ask new questions later.

  2. I stack thin layers.

    Three cheap guards in series catch more than one expensive filter does on its own. Same idea works in training — easy weeks and hard weeks, not constant medium ones.

  3. I sandbox before I integrate.

    Mocked tools, deterministic runs, no real side effects until everything's settled. A security tool that can break its own host isn't worth much.

  4. I keep arcs finishable.

    Half before full. Demo before live model. Each step gets to be a thing on its own first.

  5. I aim for one shipped thing a quarter.

    Case study, open-source release, race finish — whatever's ready. Nothing dramatic, just keeps things moving.

If any of this matches
the kind of work you
want done — write me.