Francisco Javier Barrena

CTO Senior Tech Lead Engineering Manager Application Security

+34 660 27 4444
Valencia, Spain

Personal website
Linkedin profile
My slides at Slideshare
Twitter profile

CTO and software architect with a strong track record delivering scalable, resilient, and business-aligned technology platforms. Expert in microservices and cloud-native architectures, with hands-on experience in Java/Spring Boot and Node.js/NestJS.

Proven leader driving DevOps and DevSecOps transformations, embedding security, CI/CD, and operational excellence across the software lifecycle. Background in security governance, risk management, and compliance.

Experienced in building and leading high-performing engineering teams, leveraging Docker and Kubernetes to deliver reliable, scalable infrastructure.

Focused on delivering measurable business impact through technology, team leadership, and continuous improvement.

Experience

  • CTO
    apr 2026 - act
    Promoted to CTO, taking full ownership of Vitio's engineering organization (~6 to 15 engineers across frontend, backend, mobile, and infrastructure, combining internal staff and external contractors) and technology strategy for a regulated medical device product.

    • Led infrastructure strategy and cost governance across four AKS clusters (~162 vCPU / 508 GiB RAM), identifying and resolving significant cloud cost anomalies (e.g., NAT Gateway spend), and producing formal architecture documentation for regulatory submission.
    • Directed the security and compliance architecture dossier for a formal submission to the regional health authority, covering connectivity, confidentiality, integrity, availability, traceability, and authentication for a Class-regulated medical device.
    • Designed a self-hosted, data-sovereign conversational AI system (Llama 3.3 70B / Qwen2.5 72B on Azure H100 with vLLM) for automated patient follow-up, including a full governance and auditability layer to meet regional healthcare data-sovereignty requirements, within a ~€70K/year infrastructure budget.
    • Built and rolled out a career development framework from scratch: a five-level IC ladder (Junior to Principal) across seven evaluation axes, with track-specific technical annexes and regulatory-competency validation deliberately sequenced ahead of performance review implementation.
    • Directed security posture management, including triage and resolution of a 162-item CVE backlog (Dependency-Track) and container base-image hardening for Java services.
    Healthcareproduct🐋 dockerkubernetessecuritymicroservicesspring boottypescriptnodejsnestjsTimescaleDBJavaTimescaleDBNATStestingscrumBDDMQTTAzure CloudLeadership

    english • spanish • remote

  • Tech Lead & Engineering Coordinator
    jun 2025 - apr 2026 (11 months)
    Vitio is a company with an MVP for patient remote monitoring. My mission upon joining the company is to transform that MVP into a production-ready, scalable solution that can be deployed as SaaS, but also on-premises.

    As Tech Lead, I lead a team of 7 backend engineers. I also provide technical coordination for the other areas of the company (frontend, mobile, and infrastructure) which together comprise a total of 17 engineers. In addition, I am the company's Information Security Officer, responsible for the security aspects related to the information handled by the product, which, being health-related data, has many restrictions.

    The technology stack we use consists of Java + Spring Boot, TypeScript + NestJS, Docker, Kubernetes, NATS, MQTT, Postgres, TimescaleDB, and Redis from the infrastructure and backend perspective, and React, Kotlin, and Swift from the frontend and mobile perspective.

    I also take care of organizing sprints and energizing teams through agile ceremonies (dailies, plannings, refinements, retrospectives...), and I'm involved in product meetings and customer related meetings.

    Some of the most significant goals I have achieved, and on which I have had a direct impact:

    • Successfully transitioning from a legacy product that could not scale and had significant technical debt to a new, scalable, decoupled, event-driven architecture. While the legacy product could not process more than 3,000 measurements per day, with the new architecture we have been able to process over 22 million measurements without scaling issues
    • Decoupling the product from vendor lock-in to enable deployment on any infrastructure, whether cloud-based or on-premises. This involved developing and implementing low-level tools—which are typically outsourced to the cloud—such as the messaging service with NATS. This gives us a significant competitive advantage, as we can adapt to any customer demand, and it has also reduced operating costs. For example, in the legacy product, we used Azure Event Stream, with a monthly bill of about $4,000 to process a few tens of thousands of messages. With the new architecture, we have eliminated that cost and saved many thousands of dollars, especially now with new customers and a message volume in the tens of millions.
    • Thanks to these changes, the product has become the most advanced telemonitoring project in the country; it has been adopted as a benchmark by the Spain's Ministry of Health and has been selected to represent Spain at the European Commission
    Healthcareproduct🐋 dockerkubernetessecuritymicroservicesspring boottypescriptnodejsnestjsTimescaleDBJavaTimescaleDBNATStestingscrumBDDMQTTAzure CloudLeadership

    english • spanish • remote

  • Principal Engineer
    oct 2023 - jun 2025 (1 year and 9 months)
    Labster is a company that develops virtual laboratory simulations for science education. These simulations are designed to enhance traditional science education by providing students with interactive and immersive virtual experiments

    As Principal Engineer at Labster, my role covers different aspects of the software development landscape, from problem solving, system design, architecture and technical leadership to mentorship, innovation and collaboration with other teams within the company.

    Technically, we use different tools and languages at Labster, always following a microservice mindset with a strong focus on decoupling, security and performance. Particularly noteworthy is the use of Docker, NestJS and NodeJS, Typescript, MongoDB, Redis, VueJS and Kubernetes
    EdTechproduct🐋 dockerkubernetessecuritymicroservicesvuejstypescriptnodejsnestjsMongoDBRedistestingscrumBDD

    english • remote

  • Chief Technology Officer (Hands on)
    nov 2021 - nov 2023 (2 years)
    Kyso is an early stage b2b data science startup with a fast growing team backed by some great investors like Techstars, Lunar Ventures, Tribal Ventures and more. Responsible for the engineering side of the company and member of the executive. I wore many hats, from product owner, security, architecture, development, management and hiring. Also, I was in charge of technical customer relations. We implemented from scratch the technical culture of the company with very good results, building a great product with best engineering practices, focusing especially in maintainability and security.

    We focus primarily on the pharmaceutical sector, our main client being Johnson & Johnson, where we deployed the product globally, serving several thousand internal users.

    With a small team, we were able to build a production ready product quickly, thanks to the great team we were able to hire. The product was designed to be installed on-premises in customer's infrastructure. That was a challenge, because every customer has its own cloud provider, and Kyso must work in all of them. The deployment was prepared using Docker and Kubernetes, and we added support for Helm and Terraform later. In order to keep the product maintainable and extensible, we designed the architecture to be driven by events, using NATS as an event broker and developing a set of consumers which extends the core features of the product (notifications with slack and teams, analytics, etc.). The API was built using NestJS and Typescript, and the frontend was built using NextJS and Typescript as well.

    Responsible of SecDevOps implementation, defining CI/CD pipelines for: building software components, build docker images, assess quality code, assess security of the code, dependencies and Docker images. I built pipelines for automatic deployment in different environments (staging, production and testing), using Gitlab CI/CD and Github actions.

    Also, I was in charge of developing a proof of concept about a LLM (Large Language Model) using Open Source resources like
    PrivateGPT and HuggingFace Open Source Models. This LLM is trained on top of an Open Source model, for example Open Llama, with your data, generating a new LLM that can answer questions related to your data. As this model is trained with your data, and deployed in your infrastructure, your privacy is guaranteed. This model was integrated as well with Kyso's permission system, giving the users the power to decide who can use it.
    Pharma☕ javaspring bootAWSCI/CDDevOpsTerraformproducttechnical leadership🐋 dockerkubernetessecuritycustomer relationshipsnextjsreacttypescriptNodeJSNestJSelasticsearchjupyterLLM🤖 AIMongoDBElasticsearch

    english • remote

  • Professor
    2021 - 2022
    Professor of the subject "Machine Learning applied to Cybersecurity" at Big Data Analytics Master
    pythondata analytics🤖 AIcybersecurityjupyter

    spanish • on-site

  • Professor
    2021 - 2022
    Professor of the subject "Cybersecurity in the Cloud" at University Expert Course in the National Security Scheme (ENS)
    cloud cybersecurityensnist

    spanish • remote

  • Software Architect
    oct 2019 - nov 2021 (2 years and 1 month)
    Responsible for the refactoring of the CloudManager (website and public documentation), a tool to manage Hybrid Cloud infrastructure that works on top of VCloud and VCenter (VMWare), AWS, Azure and Veeam. Starting from a legacy code base, we refactored module by module to a new modern and scalable architecture. I was responsible for recruiting staff too. The technologies we used were Java and Golang for the backend, Angular for the frontend and Docker and Kubernetes for packaging and deployment. The integration with the Cloud infrastructure was done directly through VCenter and VCloud API (an other vendors), together with an event broker that triggers serverless functions based on OpenFaaS.

    I was as well responsible of SecDevOps implementation, defining CI/CD pipelines for: building software components, build docker images, assess quality code, assess security of the code, dependencies and Docker images. I built pipelines for automatic deployment in different environments (staging, production and testing), using Gitlab CI/CD.
    ☕ javaspring bootCI/CDDevOpsproductkubernetes🐋 dockermanagementsecurityangularreactvmwarenodejsMySQLElasticsearchopenfaasInfluxDBAzure

    spanish • remote

  • Head of Cybersecurity Research Group (Hands on)
    oct 2019 - nov 2021 (2 years and 1 month)
    Technical Leader, responsible for opening a new line of work on cybersecurity, focusing on application security and Cloud environments and using new security paradigms, based on Machine Learning, Big Data, SecDevOps and Security as a Code. Those works were part of different research projects, in which the OPOSSUM project highlights, as I coordinated a technical team to develop technology based on Machine Learning to improve the security of the applications, through a next-generation Web Application & API Protection (WAAP) prototype, using Rust, Java, Angular, Kubernetes, NodeJS and Docker as technologies

    Also, I was working on projects related to data and AI on the following sectors: energy, manufacturing, automotive and software. Specially interesting was the ZDMP project, an european R&D project aimed to achieve a Zero Defect Manufacturing Processes. I was the technical manager of a consortium of 35 partners like FORD Spain, Software AG, Mondragon Assembly, Continental, among others. Also, I was the principal engineer of the AI Analytics Runtime, a core component in the ZDMP architecture responsible of the training and versioning of models. ZDMP architecture was heavily inspired on Kubeflow. As technical manager, I drove the technical culture of the project, laying the foundation of the architecture, the pipelines and the collaboration rules between the consortium.

    Finally, I was responsible as well of SecDevOps implementation, defining CI/CD pipelines for: building software components, build docker images, assess quality code, assess security of the code, dependencies and Docker images. I built pipelines for automatic deployment in different environments (staging, production and testing), using Gitlab CI/CD. As the project had data science and AI implications, we used Kubeflow to configure and define the pipelines related to data science and AI, covering the following phases of the AI pipeline: data acquisition and cleaning, data processing, data enrichment, training, packaging and deployment into production.
    ☕ javaspring bootCI/CDKubeflowR&Dproductmanagementtechnical leadershipcybersecurity🦀 rustangularreactkubernetesnodejs🐋 docker🤖 AIPostgreSQLCassandraMongoDBElasticsearchMySQL

    english • spanish • hybrid remote

  • Head of Engineering
    ene 2018 - jun 2019 (1 year and 6 months)
    Responsible for the technical execution and software engineering of all ITI R&D projects. Management of a technical team of 26 engineers. Big Data, Machine Learning, IoT, Cloud Computing, choice of technologies and SecDevOps. Promoter of Open Source initiatives.

    I was responsible as well of SecDevOps implementation, defining CI/CD pipelines for: building software components, build docker images, assess quality code, assess security of the code, dependencies and Docker images. I built pipelines for automatic deployment in different environments (staging, production and testing), using Gitlab CI/CD. As many projects project had data science and AI implications, we used Kubeflow to configure and define the pipelines related to data science and AI, covering the following phases of the pipeline: data acquisition and cleaning, data processing, data enrichment, training, packaging and deployment into production.

    Also, combining it with my management tasks, I participated in research projects in different sectors such as the industrial sector and the health sector. Regarding the latter, the BigSalud and Helpsalud projects stand out, in which I designed, configured and deployed Big Data processing infrastructure to support the processing of different information, such as medical imaging and genomic streams, with the aim of training Machine Learning models for early detection of certain diseases such as breast cancer, using technologies as Spark, Hadoop, HDFS, Kafka, ActiveMQ or Kibana, among others. Finally, I was a proactive agent in the company's internal training, teaching more than 15 courses (many of them, with multiple editions), and thus training all the company's engineers in topics such as frontend (react, angular), backend (java , hibernate, node, nestjs), infrastructure (docker, kubernetes) and security (ENS, SecDevOps). These courses were offered as well for external companies.
    ☕ javaspring bootCI/CDKubeflowR&Dleadershipbig data🤖 AImanagementnestjsnodejsangularreactpythonsparkcloud🐋 dockerPostgreSQLCassandraMongoDBElasticsearchMySQL

    english • spanish • on-site

  • CTO & Co-Founder
    feb 2017 - mar 2018 (1 year and 1 month)
    Architecture, design and head of implementation of a travel portal specialized in ecological destinations
    ☕ javaspring bootstartupproductleadershipmanagementsecuritynestjsangulartypescript🐋 dockerPostgreSQLElasticsearchMySQLDB2

    english • spanish • on-site

  • Software Architect & Team Leader
    2015 - ene 2018 (4 years)
    Architect and manager of a team of seven engineers. Driver of the change to architectures based on microservices and front-back decoupling, becoming the development standard of the company. Technological stack: Java, JPA, Hibernate, JAX-WS, Maven, Spring, Angular. Relevant projects: Consum Asset Management, BoxPlus, Java applications optimization for Orizon
    ☕ javaspring bootCI/CDteam management🐋 dockerenterpriseperformanceangulartypescriptPostgreSQLSQL ServerMySQL

    spanish • on-site

  • Software Engineer
    2011 - 2015 (3 years)
    Java FullStack Developer for end customers and R&D projects. Technological stack: Spring, JPA, Hibernate, JAX-WS, JSF, JSP, Maven. Deployment on Tomcat and JBoss servers. Relevant projects: Episteme, Fet-Eye.eu, PangeaMT, Consum Energía
    CI/CD☕ javaspringenterpriseliferaysharepointPostgreSQLSQL ServerMySQL

    spanish • on-site

  • Software Engineer
    2008 - 2011 (3 years)
    Development of applications in .NET on SharePoint. Java application development with Liferay. Direct deal with the client, capture of requirements, change and time management. Relevant projects: CHGUV, Repsol, Mapfre and La Caixa
    ☕ javaenterprisespringliferaysharepointSQL ServerMySQL

    spanish • on-site

  • 2024Cookieggeddon! Bye to 3rd Party Cookies and how that will affect your software
    YoutubeSlideshare
  • 2023API Security & Testing - A pragmatic guide
  • 2022Speaker at a round table about API Security
  • 2022API Security & Testing - A pragmatic guide
  • 2022API Security: Workshop to harden your API
    Slideshare
  • 2021Hard as a pod. How to secure your Kubernetes Deployments
    YoutubeSlideshare
  • 2021Welcome to Gotham. New and terrifying ways of cyberattacks
    YoutubeSlideshare
  • 2021The Rustalorian. This is the way
    Slideshare
  • 2020Stop being the weakest rival with DevSecOps
    YoutubeSlideshare
  • 2020Big Data in Cybersecurity: Better to die on your feet than to live on your knees
    YoutubeSlideshare
  • 2020Speaker at a round table about API Security
    Youtube
  • 2020Pirates of the Cloud: whose responsibility is it?
    YoutubeSlideshare
  • 2020OSINT Techniques that will leave you with a crooked ass
    YoutubeSlideshare
  • 2020Speaker at a round table of cybersecurity experts
    Youtube
  • 2019Machine Learning at full throttle with GraalVM
    YoutubeSlideshare
  • 2019Insanely fast apps with Quarkus
    Slideshare
  • 2019Kubernetes: The Cloud King
    Slideshare
  • 2018NestJS: Backends in Node for Javas' & DotNets'
    YoutubeSlideshare