Martin Stühmer

Who I Am

I’m Martin, CTO at Integrated Worlds GmbH in the Stuttgart region. I’ve been building .NET systems for nearly 20 years — since Framework 2.0, when SOAP was cutting-edge and ORMs were controversial.

Today I lead technology strategy for cloud-native solutions on Azure. Before this, I was Director of Consulting Services at CGI, working with enterprise teams on architecture and digital transformation across multiple industries.

Credentials and recognition:

Microsoft Certified Trainer (MCT)
IHK-certified instructor (Industrie- und Handelskammer)
Open-source maintainer — NuGet packages used by development teams I’ve never met
LinkedIn: martin-stuehmer · GitHub: samtrion · Bluesky: @samtrion.net

Areas of Expertise

Nearly two decades of production work has concentrated into a few areas where I have both depth and strong opinions:

Modern .NET and C# — From the framework era through .NET 10. Performance engineering, source generators, Roslyn analyzers, testing strategies, static analysis, and the long arc of what actually improved versus what just changed.

Cloud-native architecture on Azure — Azure Kubernetes Service (AKS) at scale, multi-cluster networking, zero-downtime upgrades, cost governance, observability, and the gap between what Azure can do and what makes sense to use.

DevOps and supply-chain security — GitHub Actions, dependency management, container security, infrastructure-as-code compliance with Bicep, and the organisational practices that make automated pipelines trustworthy.

Application security and privacy — Secrets management with Azure Key Vault, managed identities, content exclusions in AI coding tools, data minimisation patterns, GDPR-relevant implementation in .NET and ASP.NET Core.

Engineering culture and pragmatism — What AI coding assistants actually change about software quality, how to introduce static analysis without breaking teams, and when “best practices” are cargo-cult repetition versus earned principle.

What I Do

As CTO, I don’t just make decisions from a distance. I write code, review PRs, debug production issues, and mentor teams. Technology leadership means staying hands-on and feeling the consequences of your choices.

As a trainer and mentor, I focus on fundamentals that outlast framework hype. Static analyzers, testing strategies, performance patterns, maintainable architecture — the stuff that actually prevents production fires.

As an open-source maintainer, I publish packages that solve problems I’ve hit repeatedly in real systems. When strangers depend on your code, you write better tests and clearer docs.

What I’ve Learned

Almost two decades means I’ve made every mistake: over-engineered systems, bet on Silverlight and WCF (oops), built “flexible” architectures that were just complicated, shipped code I’m not proud of.

Here’s what stuck:

Quality isn’t optional – Analyzers catch bugs in milliseconds, tests prevent regressions, and both are faster than firefighting
Fundamentals outlast frameworks – Patterns and principles survive; specific tools don’t always
Context beats dogma – “Best practices” depend on your team, domain, and constraints
Evidence beats opinion – Measure, benchmark, validate before deciding
Pragmatism wins – Good-enough architecture that ships beats perfect architecture that doesn’t

What I Write About

I share perspectives from production systems and real teams — not tutorials recycled from documentation. Topics I cover regularly:

.NET and C#: performance, source generators, analyzers, testing, language evolution
Azure and AKS: architecture decisions, networking, scaling, cost, security posture
DevOps: GitHub Actions, dependency security, CI/CD pipeline design, supply-chain risk
Application security and GDPR: secrets handling, access control, data minimisation, audit logging
AI coding tools: what Copilot, Claude Code, and similar tools actually change (and what they don’t)
Engineering culture: technical debt, code quality, the economics of shortcuts

I’m skeptical of buzzword-driven development and allergic to cargo-cult practices. If a trend lacks substance or a pattern doesn’t hold up under pressure, I’ll say so. The articles are written for developers, solution architects, and operators who maintain production systems and care about quality, not just shipping fast.

Published blogs

Source Generators: The Build Performance Killer Nobody Warned You About

Source generators are powerful. They are also running on every single build, blocking IntelliSense, breaking Hot Reload, and multiplying their cost across every target framework you support. Nobody mentions this in the getting started guides. Here is how to measure the damage, find the culprits, and decide when source generators are actually worth it.

.claudeignore Doesn't Exist. Here's What Does.

Claude is indexing your bin/ and obj/ directories right now. You asked it how to stop that. It told you about .claudeignore. You added it, committed it, and felt responsible. There is just one problem: .claudeignore does not exist. Claude invented it, the internet spread it, and your secrets were never protected. Here is what actually works.

Your Privacy Docs Are Fiction: Let's Fix That with .NET CLI Tools

Spreadsheet-based privacy audits examine yesterday’s system while today’s code deploys undocumented PII. Build .NET CLI tools that discover all personal data, catch expired consents, and verify deletions. Then fail builds when compliance breaks.

Security Tests That Prove Themselves

Your security tests run. They pass. But can you prove when they ran and against which code version? Most security testing lives in Word documents, Postman exports, and screenshot folders on SharePoint. The tests themselves might be valid. The evidence trail is not. This article shows how to build CLI-based test suites using xUnit and WebApplicationFactory that generate their own proof: structured logs with timestamps, commit hashes, and correlation IDs captured automatically in CI/CD pipelines. No more quarterly reports that could have been written yesterday. Instead, 847 test executions across 23 deployments, each linked to a specific commit and preserved for 90 days.

Certified, Filed, Forgotten: The Compliance Trainwreck

Organization gets certified. Consultants cash their checks. Documentation gets filed somewhere. Then compliance becomes a Word document ritual: screenshot the portal, sign the checklist, ship it. Three months later, an audit exposes configuration drift, hardcoded secrets, and vulnerable dependencies nobody noticed. The forensic evidence disagrees with the signatures. The fix isn’t stricter sign-offs or more checklists. It’s treating compliance as an engineering problem with automated CLI tools that run on every deployment.