Six disciplines.
One team you can call directly.

We do not have a sales layer. The person who scopes your engagement is the person who delivers it. Below is what that engagement can look like, and the honest limits of each service.

Service 01

Penetration Testing

A penetration test is a controlled attempt to do what an attacker would do. The value is in what it finds and how findings are documented — not in the size of the report.

We cover network infrastructure, web applications, APIs, and social engineering vectors. Before any technical work, we agree in writing on what is in scope, what is not, and what happens if we find something critical during the test.

Scope note: We do not perform red team exercises for organisations without a documented security baseline. If you have no prior security assessment, a vulnerability assessment or gap analysis should come first.

What it typically includes

  • Pre-engagement scoping document and rules of engagement
  • OWASP-aligned web application testing
  • Network and infrastructure reconnaissance and testing
  • Phishing or pretexting simulation (optional)
  • Written findings report with CVSS-scored vulnerabilities
  • Executive summary for non-technical stakeholders
  • 30-day remediation support window
Service 02

Vulnerability Assessment & Management

A vulnerability assessment identifies and prioritises weaknesses in your systems before an attacker does. Unlike a pentest, the goal is not to exploit — it is to catalogue and rank your exposure so remediation effort goes to the right places first.

We combine automated scanning with manual verification to eliminate the false-positive noise that makes automated-only reports difficult to act on.

Scope note: Assessments are scoped to defined IP ranges or applications. Coverage of cloud environments (AWS, Azure, GCP) is available but scoped separately.

What it typically includes

  • Authenticated and unauthenticated scanning
  • Manual verification of high and critical findings
  • Asset inventory as a deliverable
  • Prioritised remediation roadmap (effort vs. risk matrix)
  • Comparison report on re-assessment if applicable
  • Guidance on tooling for ongoing internal scanning
Service 03

Security Audit & Compliance

Compliance assessments that produce evidence your clients and regulators accept. We focus on three frameworks: ISO 27001, NIS2, and GDPR Article 32.

Most organisations do not need full certification immediately. We assess where you are, what a realistic path looks like, and what documentation you need to satisfy the next client security questionnaire or regulator request.

Scope note: We do not issue ISO 27001 certification — that requires an accredited certification body. We prepare you for certification and can recommend certification partners.

What it typically includes

  • Gap analysis against target framework
  • Documented evidence of existing controls
  • Risk register and treatment plan
  • Policies and procedures that reflect your actual operations
  • Supplier and third-party risk assessment
  • Readiness report suitable for client or regulator review
Service 04

Incident Response & Forensics

When something has gone wrong — or you suspect it has — the first hours matter. We help you understand what happened, contain the damage, and document the incident in the format regulators require.

We work with your existing IT team or MSP, not around them. If you need external forensics to satisfy your insurer or a regulator, we can produce documentation that meets that standard.

Scope note: Incident response retainer agreements are available for organisations that want guaranteed response times. Ad-hoc response is available subject to current capacity.

What it typically includes

  • Initial triage and containment guidance
  • Timeline reconstruction from available logs and artefacts
  • Root cause analysis report
  • GDPR breach notification documentation (72-hour window)
  • Remediation recommendations to prevent recurrence
  • Board- or regulator-ready incident summary
Service 05

Managed Security Monitoring

Continuous visibility into what is happening in your environment — without the cost of building an internal security operations function. We monitor for the signals that precede incidents, not just the incidents themselves.

This service is scoped to your actual infrastructure. We work with what you have, not what a perfect environment would look like.

Scope note: Minimum engagement is three months. Monitoring is advisory — we do not have direct access to block or modify your systems unless explicitly agreed in scope.

What it typically includes

  • Log aggregation and anomaly detection setup
  • Weekly threat summary reports
  • Alert triage and false-positive filtering
  • Monthly review call with findings and recommendations
  • Escalation protocol for high-severity events
  • Quarterly threat landscape briefing relevant to your sector
Service 06

Security Awareness Training

Most security incidents involve a human decision somewhere in the chain. Training works when it reflects the scenarios your team will actually encounter — not generic cybersecurity awareness content.

We design sessions around your industry, your common tools, and the specific tactics that target companies like yours. Delivered as a single workshop or a short programme.

Scope note: Training is available in English and German. Simulated phishing campaigns are available as a separate engagement with defined scope and employee communication protocols.

What it typically includes

  • Pre-training risk profile based on your sector and tooling
  • Scenario-based sessions for non-technical staff
  • Data handling and GDPR obligations for employees
  • Safe reporting culture and escalation procedures
  • Reference materials for ongoing use
  • Optional: simulated phishing baseline measurement

Not sure which service fits your situation?

Describe what you are trying to solve. We will tell you what makes sense and what does not, without a sales pitch attached.
