What we do
Six disciplines. One team you can call directly.
Penetration Testing
Network, web application, and social engineering tests scoped to your actual environment — not a checkbox exercise.
View scope →
Vulnerability Assessment
Systematic identification and prioritisation of vulnerabilities across your infrastructure — with remediation guidance that fits your team's capacity.
View scope →
Security Audit & Compliance
ISO 27001, NIS2, and GDPR readiness assessments that produce evidence your clients and regulators actually accept.
View scope →
Incident Response & Forensics
When something goes wrong, we help you contain it, understand it, and document it properly for regulators and stakeholders.
View scope →
Managed Security Monitoring
Continuous visibility into your environment without building an internal SOC. We alert on the signals that matter.
View scope →
Security Awareness Training
Practical training for non-technical teams that covers the scenarios they will actually encounter — phishing, social engineering, data handling.
View scope →
Why work with us
A different kind of engagement.
Audit before recommendation
We spend the first engagement understanding your environment. What you actually need may not be what a standard package includes. We tell you that upfront.
EU regulatory context built in
NIS2, GDPR Article 32, DSGVO — we know what German and EU regulators look for, and we document findings in language that holds up when a client questionnaire or auditor asks.
Direct access, no account managers
You work with the consultant running the engagement. Questions go to the person doing the work, not a project manager relaying messages.
Scope-honest from the start
If something is outside our capability, or if your situation calls for a different provider, we say so. No engagements we are not qualified to deliver.
The process
Three steps before any technical work begins.
We spend 30–60 minutes understanding your environment, what you are protecting, and what a useful outcome looks like for your situation. No sales pitch.
We send a written scope of work that defines what is in, what is out, the methodology, timeline, and what you get at the end. Revisions until it fits your actual needs.
Technical work is followed by a structured debrief and documented findings. We stay available for questions as your team works through remediation.
Threat Intel
Recent briefings
NIS2 Readiness: The 12-Point Checklist EU Operations Teams Are Using
Practical steps for organisations that need to demonstrate NIS2 compliance to regulators or enterprise clients.
Read briefing →
The GDPR Security Gap: What Article 32 Actually Requires vs. What Most Companies Have
Why "we have a password policy" is not an Article 32 response, and what auditors look for instead.
Read briefing →
What to Expect from a Penetration Test: A Non-Technical Guide for Operations Directors
How to scope, run, and get actionable results from a pentest — without being a security engineer.
Read briefing →
Start with a conversation
Not sure where to start?
Neither are most of our clients.
A 30-minute scoping call costs nothing. We will tell you what we can help with and what falls outside our scope. No follow-up calls unless you want them.