Risk: first principle
8+ consulting domains
0 vendor bias
100% actionable outputs
01 Services
What we advise on.
Focused engagements that answer specific security questions — from a one-week risk assessment to a multi-month program build.
Risk
Risk Assessment & Threat Modelling
Systematic identification of your most critical attack paths, business impact analysis, and risk prioritisation tied to real threat scenarios — not generic checklists.
STRIDE
Attack paths
BIA
Strategy
Security Program Design
We help you build or mature a security program from the ground up — governance structure, capability roadmap, KPIs, and a prioritised investment plan.
Roadmap
Governance
Maturity model
Compliance
Compliance Gap Analysis
Gap analysis against regulatory frameworks and standards. We identify what's missing, map controls to requirements, and produce a remediation plan with prioritised actions.
ISO 27001
GDPR
PCI DSS
Architecture
Security Architecture Review
Independent review of your proposed or existing architecture — identifying design flaws, control gaps, and integration weaknesses before they become incidents.
Design review
Zero Trust
Control gaps
Vendor
Technology & Vendor Evaluation
Independent, criteria-based evaluation of security products and vendors. We define requirements, score options, and give you a recommendation you can defend to stakeholders.
RFP support
Scoring
Vendor-agnostic
Incident
Incident Readiness Review
Assess your incident response capability before an incident tests it. We review your playbooks, team structure, detection coverage, and communication flows.
IR playbooks
Detection gaps
Comms plan
Cloud
Cloud Security Advisory
Cloud migration security reviews, cloud-native control selection, shared responsibility clarification, and posture assessments for Azure, AWS, and hybrid environments.
Azure / AWS
Migration review
Posture
CISO
Virtual CISO (vCISO)
Fractional security leadership for organisations without a full-time CISO — strategic oversight, board reporting, vendor management, and program accountability on a retainer basis.
Retainer
Board-ready
Strategic
M&A
M&A Security Due Diligence
Security review as part of merger or acquisition processes — identifying inherited risks, technical debt, compliance gaps, and integration complexity before the deal closes.
Due diligence
Risk inventory
Integration
02 Frameworks
What we work against.
We map findings and recommendations to recognised frameworks — so outputs are defensible, comparable, and actionable for your team and stakeholders.
NIST CSF 2.0
Cybersecurity framework
Govern, Identify, Protect, Detect, Respond, Recover (the six CSF 2.0 functions), used as the baseline for security program maturity assessments and roadmap design.
ISO/IEC 27001
Management standard
Gap analysis, control mapping, and evidence preparation for certification readiness or internal assurance programs.
MITRE ATT&CK
Adversary knowledge base
Threat modelling and detection coverage mapping against documented adversary tactics and techniques, used to ground risk assessments in observed attacker behaviour rather than hypothetical threats.
CIS Controls v8
Controls framework
Prioritised control implementation guidance, used for baseline assessments and quick-win identification across Implementation Groups IG1 to IG3.
GDPR / Local DPA
Regulation
Data protection compliance advisory including DPIA support, controller/processor mapping, and breach notification readiness.
Zero Trust
Architecture model
NIST SP 800-207-aligned advisory on identity-centric, least-privilege architecture, covering the network, workload, and data pillars.
03 Process
How an engagement runs.
A consistent delivery structure — adapted to the scope — so you always know what to expect at each stage.
01
Scoping call
We discuss your question, context, constraints, and what a useful output looks like for your organisation. 45 minutes. No preparation required from your side.
02
Proposal & agreement
We send a clear scope of work: deliverables, timeline, access requirements, and pricing. Fixed price where possible, so there are no surprise invoices.
03
Discovery & analysis
Interviews, documentation review, environment access where needed. We ask the uncomfortable questions. We don't rely solely on what we're shown.
04
Findings & recommendations
A written report with prioritised findings, root causes, and specific remediation actions — not generic best-practice lists. We walk you through everything.
05
Follow-through
Optional: we stay engaged to support implementation, validate remediation, or answer questions as your team acts on recommendations. Accountability doesn't end at delivery.
04 Engagement
How we engage.
Choose the format that fits your timeline and internal capacity.
Project
Fixed-Scope Engagement
A defined deliverable with a clear timeline — risk assessment, compliance gap analysis, architecture review, vendor evaluation. Scoped and priced upfront.
Fixed price
Defined output
1–8 weeks
PRJ
Fixed scope
Retainer
Advisory Retainer
Ongoing access to senior security expertise — for recurring decisions, second opinions, and strategic guidance without hiring a full-time resource.
Monthly
Priority access
vCISO option
RET
Ongoing advisory
Workshop
Facilitated Workshop
A structured half-day or full-day session — threat modelling, risk prioritisation, architecture design sprint, or IR tabletop — with your team, led by us.
½ or 1 day
Your team
Remote / on-site
WRK
Facilitated session
Embedded
Embedded Advisor
A senior consultant works alongside your team for a defined period — attending sprints, reviewing decisions in real time, and transferring knowledge throughout.
T&M
2–12 weeks
Knowledge transfer
EMB
In-team advisor
start here
Have a security question that needs an answer?
Tell us what you're trying to resolve — we'll suggest the right engagement type, scope, and timeline.