Security is what is left when the audit team has gone home and a motivated adversary is at the door. We help organisations build security programmes that hold up in that condition — pragmatic controls, credible response, and the assurance evidence to satisfy regulators along the way.
We have helped clients recover from real incidents. Nothing focuses an architecture conversation faster, and the lessons travel. We try to bring those lessons to clients before they need them.
Where we work
Architecture and controls
Identity, network, endpoint, application and data controls — designed to a recognised framework and tested against real attack patterns. Zero-trust where the substrate supports it, defence in depth where it does not.
Frameworks are scaffolding, not the building. We use NIST CSF or ISO 27001 as the structure for the conversation, but the actual control set follows the threat model, not the framework's checklist.
Detection and response
SOC tooling, detection content, playbooks and the on-call model that turns a stack of products into an actual response capability. We are happy to build it, run it, or coach the in-house team to do both.
The biggest gap in most SOCs is not technology; it is the runbooks and the on-call discipline. We build both as products with their own lifecycle, not as side-effects of buying a SIEM.
OT and industrial security
Asset discovery, segmentation and monitoring for industrial environments — designed to safety-first failure modes and integrated with the corporate SOC rather than run as an island.
OT security is genuinely different from IT security. Safety constraints, vendor support models and the reality of decades-old PLCs mean the patch-and-detect playbook from IT does not transfer. We design accordingly.
AI and data security
Model risk, prompt-injection defence, data-loss controls and the documentation that comes with putting models in front of customers, employees or regulators.
AI security is one of the few areas where the threat surface is genuinely new. We have spent the last two years building the controls and the evals that hold up against the attack patterns we see in the wild.
Assurance
Penetration tests, red-team exercises, regulatory readiness and the evidence pack the audit teams will eventually ask for. Designed so the work earns its keep beyond the auditor's visit.
Sectors served
Financial services, energy and utilities, healthcare, manufacturing, retail, public sector. Common threads are regulated environments, high-value operational data, and the kind of incident that makes the news if mishandled.