Vaux  /  Services  /  Security
/ 03 — Discipline

Engineering security. Not security theatre.

We model the threats your business actually faces, harden the systems that matter, and document the controls auditors will ask about. No padlocks on slide decks; no fear sold by the kilogram.

Capabilities

What we build.

/ 01

Threat modelling

STRIDE, attack trees, and architectural review. Models written so they remain useful six months after the workshop.

/ 02

Identity & access

Single sign-on, least-privilege role design, just-in-time access, workload identity, joiner/mover/leaver automation.

/ 03

Cryptography

Key management, rotation policy, envelope encryption, HSM integration, certificate lifecycle, mTLS at scale.

/ 04

Vulnerability management

SAST, DAST, dependency scanning, container and IaC scanning. Triage process that closes findings, not tickets.

/ 05

Detection & response

SIEM tuning, detection-as-code, runbooks for IR, tabletop exercises, forensics-ready logging.

/ 06

Application security

Secure SDLC, code review, OWASP ASVS coverage, threat-driven testing, security champions programme.

Engagement spec

How an engagement is shaped.

Duration: 6–24 weeks. Diagnostic two weeks; remediation scoped by finding severity and business risk.
Deliverables: Threat model, IAM design, key management policy, detection rules, runbooks, evidence pack for audit.
Standards: NIST CSF 2.0, OWASP ASVS L2/L3, CIS Benchmarks, SOC 2 Trust Services Criteria.
Instrumentation: Mean time to detect, mean time to contain, vulnerability ageing, control coverage, audit findings closed.
Handover: Security operating model documented; controls handed to internal security team or co-managed under SLA.

Bring us the finding you cannot close.

Audit report, pen test, or risk register entry. We respond within one business day, UTC.
