Network cables terminated in a patch panel

Home / IT Security

A complete program. No theatre.

Prevention, detection and response for small and mid-sized businesses — plus four specialist practices — each grounded in a published standard.

Our position

Everything here is one of three verbs: prevent, detect, respond. If a service cannot say which, it is marketing.

Security marketing sells fear. Security engineering removes options from an attacker. Only one of those is measurable.

We do not sell a dashboard and call it a program. Every engagement produces something concrete: a configuration that is harder to abuse, an identity system with fewer standing privileges, a monitoring rule that fires on a real technique, a restore that has been rehearsed, a written finding you can act on.

Where a claim can be checked against a standard, we cite the standard. Where something is a judgement call, we say so. And where a decision belongs to your compliance function or your counsel — not to an engineer — we hand it back.


The program

Eight services. Most clients start with an assessment; almost nobody needs all eight at once.

01

Security Assessment & Risk Analysis

Where every sensible program starts: what you have, what is exposed, what an incident would actually cost you — and a remediation plan ranked by risk instead of a finding dump ranked by nothing.

Read more
02

Penetration Testing

Authorized, scoped, human-driven testing of web applications, APIs, networks, cloud and Microsoft 365. Written rules of engagement before, a usable report after, and a retest once you have fixed things.

Read more
03

Vulnerability Management

Not an annual scan — a cycle. Asset discovery, authenticated scanning, prioritization by real-world exploitability (CISA KEV, not raw CVSS), coordinated fixes, and verification that they landed.

Read more
04

Monitoring & Detection

Identity, endpoint, network and cloud telemetry in one place, detections mapped to MITRE ATT&CK, alerts tuned until they mean something — and an escalation path that exists in writing.

Read more
05

Incident Response & Recovery

The plan, the rehearsal, and the 3 a.m. work itself: containment, eradication, forensics, evidence handling and recovery — aligned to NIST SP 800-61r3.

Read more
06

Backup & Disaster Recovery

The control every ransomware crew tests before you do. 3-2-1 with an offline or immutable copy, a stated RPO/RTO, and restores rehearsed on a schedule.

Read more
07

Security Awareness Training

Practical sessions and phishing simulations used as measurement, never as public shaming. The goal is a workforce that reports fast — because reporting speed decides incident cost.

Read more
08

GRC & Compliance Readiness

Policies people can follow, a risk register that gets read, continuity plans that have been walked through — and evidence prepared for SOC 2, ISO 27001, CMMC, HIPAA or PCI DSS audits.

Read more
Illuminated server racks in a data center

Prevention, detection, response. Everything else is commentary.

Specialist practices

The four disciplines we are known for. Each has its own page with the full technical scope.

S1

OPSEC — Operational Security

Operational security assessments: what an adversary must learn before acting, and how to take it away — hardening to CIS Benchmarks, segmentation, egress control, and detection mapped to MITRE ATT&CK.

Read more
S2

IAM — Identity & Access Management

Phishing-resistant MFA (FIDO2/WebAuthn), SSO over SAML and OIDC, RBAC/ABAC, lifecycle automation via SCIM, and privileged access — designed to the IAL/AAL/FAL assurance levels of NIST SP 800-63-4.

Read more
S3

KYC & AML Tooling

Compliance engineering for regulated businesses: CDD/EDD, sanctions and PEP screening, adverse media, transaction monitoring, case management and SAR/STR workflows — tuned against the FATF Recommendations. Tooling, not legal advice.

Read more
S4

OSINT — Open-Source Intelligence

External exposure and threat intelligence: digital footprint, attack surface, credential and breach exposure, impersonation and investigative due diligence — collected lawfully through the intelligence cycle.

Read more

Where to start

Three common entry points, honestly compared.

MOST COMPANIES

Assessment first

Two to four weeks. You end up knowing what you have, what is exposed, and what to fix in what order — whether or not you hire us to fix it.

Security assessment
SOMETHING HAPPENED

Respond first

Active incident or credible suspicion. Containment and evidence come first; the roadmap can wait until the bleeding stops.

Incident response
SOMEONE IS ASKING

Evidence first

A customer, insurer or auditor wants proof. We build the controls and the paper trail together — controls without evidence fail audits, evidence without controls is fraud.

GRC & readiness
Frameworks

What our work is measured against.

NIST CSF 2.0NIST SP 800-53NIST SP 800-61r3NIST SP 800-63-4NIST SP 800-115ISO/IEC 27001CIS Controls v8.1CIS BenchmarksMITRE ATT&CKOWASP ASVSOWASP WSTGCISA KEVFATF RecommendationsBank Secrecy ActGDPR

Which standard are you being measured against?

Tell us the framework and where you are stuck — or tell us you have never had an assessment and want the honest starting point. Either answer is fine.

Contact us
Response
Within one business day
Engagement
Project, managed retainer, or advisory