Security Assessment & Risk Analysis
Where every sensible program starts: what you have, what is exposed, what an incident would actually cost you — and a remediation plan ranked by risk instead of a finding dump ranked by nothing.
Read more
Home / IT Security
Prevention, detection and response for small and mid-sized businesses — plus four specialist practices — each grounded in a published standard.
Everything here is one of three verbs: prevent, detect, respond. If a service cannot say which, it is marketing.
Security marketing sells fear. Security engineering removes options from an attacker. Only one of those is measurable.
We do not sell a dashboard and call it a program. Every engagement produces something concrete: a configuration that is harder to abuse, an identity system with fewer standing privileges, a monitoring rule that fires on a real technique, a restore that has been rehearsed, a written finding you can act on.
Where a claim can be checked against a standard, we cite the standard. Where something is a judgement call, we say so. And where a decision belongs to your compliance function or your counsel — not to an engineer — we hand it back.
Eight services. Most clients start with an assessment; almost nobody needs all eight at once.
Where every sensible program starts: what you have, what is exposed, what an incident would actually cost you — and a remediation plan ranked by risk instead of a finding dump ranked by nothing.
Read moreAuthorized, scoped, human-driven testing of web applications, APIs, networks, cloud and Microsoft 365. Written rules of engagement before, a usable report after, and a retest once you have fixed things.
Read moreNot an annual scan — a cycle. Asset discovery, authenticated scanning, prioritization by real-world exploitability (CISA KEV, not raw CVSS), coordinated fixes, and verification that they landed.
Read moreIdentity, endpoint, network and cloud telemetry in one place, detections mapped to MITRE ATT&CK, alerts tuned until they mean something — and an escalation path that exists in writing.
Read moreThe plan, the rehearsal, and the 3 a.m. work itself: containment, eradication, forensics, evidence handling and recovery — aligned to NIST SP 800-61r3.
Read moreThe control every ransomware crew tests before you do. 3-2-1 with an offline or immutable copy, a stated RPO/RTO, and restores rehearsed on a schedule.
Read morePractical sessions and phishing simulations used as measurement, never as public shaming. The goal is a workforce that reports fast — because reporting speed decides incident cost.
Read morePolicies people can follow, a risk register that gets read, continuity plans that have been walked through — and evidence prepared for SOC 2, ISO 27001, CMMC, HIPAA or PCI DSS audits.
Read more
The four disciplines we are known for. Each has its own page with the full technical scope.
Operational security assessments: what an adversary must learn before acting, and how to take it away — hardening to CIS Benchmarks, segmentation, egress control, and detection mapped to MITRE ATT&CK.
Read morePhishing-resistant MFA (FIDO2/WebAuthn), SSO over SAML and OIDC, RBAC/ABAC, lifecycle automation via SCIM, and privileged access — designed to the IAL/AAL/FAL assurance levels of NIST SP 800-63-4.
Read moreCompliance engineering for regulated businesses: CDD/EDD, sanctions and PEP screening, adverse media, transaction monitoring, case management and SAR/STR workflows — tuned against the FATF Recommendations. Tooling, not legal advice.
Read moreExternal exposure and threat intelligence: digital footprint, attack surface, credential and breach exposure, impersonation and investigative due diligence — collected lawfully through the intelligence cycle.
Read moreThree common entry points, honestly compared.
Two to four weeks. You end up knowing what you have, what is exposed, and what to fix in what order — whether or not you hire us to fix it.
Security assessmentActive incident or credible suspicion. Containment and evidence come first; the roadmap can wait until the bleeding stops.
Incident responseA customer, insurer or auditor wants proof. We build the controls and the paper trail together — controls without evidence fail audits, evidence without controls is fraud.
GRC & readinessWhat our work is measured against.
Tell us the framework and where you are stuck — or tell us you have never had an assessment and want the honest starting point. Either answer is fine.
Contact us