Security as a written contract
Security is not a posture; it's a set of written controls, mapped to evidence, tested on a schedule, reviewed after every incident. We build that layer into the product, not around it.
CAPABILITIES
Six surfaces under one security contract
Audit, access, vulnerabilities, cloud risk, detection, compliance — engineered together. Every control traces to written policy and measurable evidence.
Audit & risk mapping
Threat model, asset inventory, trust boundary diagrams, likelihood × impact scoring. The written basis for every security decision that follows.
Access policies · IAM
Least-privilege across clouds, SSO with step-up auth, SCIM, break-glass procedures. Who-can-do-what written in code and tested in CI.
Vulnerability review
SAST, DAST, SCA, IaC scanning, supply-chain integrity. Findings triaged by blast radius, not by CVSS alone.
Cloud risk
Guardrails across AWS / GCP / Azure, encryption defaults, network segmentation, managed-service patterns reviewed per workload.
Detection & response
Logs, EDR, SIEM rules that actually fire on the right signals. Pages that wake the right person with context, not noise.
Compliance mapping
SOC 2, ISO 27001, HIPAA, PCI-DSS, GDPR, EU AI Act. Controls traced to evidence — ready for the next audit without a sprint of screenshot archaeology.
FINDINGS LEDGER
Six findings from a real audit, ranked and actioned
A worked example of the findings ledger we hand back at the end of an audit. Every row names an action, not a generic "review policy". Rows are listed in severity order, ranked by blast radius rather than CVSS alone.

Finding | Area | Actions
Public S3 bucket with prod credentials | Cloud · IAM | Bucket policy · rotate credentials · audit access log
SAML group mapping bypass on SaaS-X | Access · IAM | SCIM sync · step-up auth · break-glass drill
Unpatched CVE in transitive dependency | Supply chain | Renovate · SCA · pinned lockfiles · release gate
Secrets in CI logs under sparse redaction | CI · secrets | Centralised secret store · log redaction · policy
Overly permissive IAM role on workloads | Cloud · IAM | Policy tightening · access analyser · least privilege
Verbose error pages reveal stack frames | App · errors | Error sanitisation · observability → errors to backend only
Access policy, network segmentation, data protection and supply-chain controls work only if they live in code and tests, not in a PDF.
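What "in code and tests" looks like for two of the ledger rows above (the public bucket and the overly permissive workload role), as an added example rather than the consultancy's own tooling: a small policy-as-code linter run as a CI step. It assumes the bucket and role policies have been exported as JSON (for instance with `aws s3api get-bucket-policy` and `aws iam get-role-policy`), the severity scale is an assumption for the example, and every sample policy is constructed here.

```python
"""Policy-as-code check covering two ledger findings: the public S3 bucket and
the overly permissive workload role. Added example, not the consultancy's own
tooling; it assumes policies have been exported as JSON and runs as a CI step.
All sample policies below are constructed for the example."""
from typing import Any

# Blast-radius ranking used here (an assumption for the example, not the
# page's scale): anonymous access to a prod bucket and Action "*" on
# Resource "*" are CRITICAL; a whole-service wildcard on every resource is HIGH.


def _as_list(value: Any) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    # Both `"Principal": "*"` and `{"AWS": "*"}` grant access to anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(name: str, policy: dict) -> list[dict]:
    """Return one finding dict per risky Allow statement in an IAM/S3 policy."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        where = f"{name}#Statement[{idx}]"
        # Finding 1: public bucket. An anonymous principal is only tolerable
        # when a Condition (VPC endpoint, source IP, ...) narrows it; with no
        # Condition at all the bucket contents are world-accessible.
        if _principal_is_anonymous(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append({"check": "public-principal", "severity": "CRITICAL",
                             "where": where, "actions": actions})
        # Finding 2: overly permissive role. "*" on "*" is full account admin;
        # "service:*" on "*" is every API of that service on everything.
        if "*" in actions and "*" in resources:
            findings.append({"check": "admin-wildcard", "severity": "CRITICAL",
                             "where": where, "actions": actions})
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append({"check": "service-wildcard", "severity": "HIGH",
                             "where": where, "actions": actions})
    return findings


def ci_gate(policies: dict[str, dict]) -> int:
    """Exit code for the CI step: 1 if any finding is present, else 0."""
    total = [f for name, pol in policies.items() for f in lint_policy(name, pol)]
    for f in total:
        print(f"{f['severity']:8} {f['check']:18} {f['where']}  {f['actions']}")
    return 1 if total else 0


# Constructed sample policies.
PUBLIC_BUCKET = {  # the ledger's first finding: bucket readable by anyone
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::prod-deploy-artifacts/*"}],
}
VPC_ONLY_BUCKET = {  # same principal, scoped to one VPC endpoint: not flagged
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::internal-reports/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
}
WORKLOAD_ROLE = {  # the ledger's fifth finding: the role can do anything
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
TIGHTENED_ROLE = {  # least-privilege replacement derived from access-analyser data
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::app-uploads/*"}],
}

if __name__ == "__main__":
    raise SystemExit(ci_gate({"prod-deploy-artifacts": PUBLIC_BUCKET,
                              "internal-reports": VPC_ONLY_BUCKET,
                              "workload-role": WORKLOAD_ROLE,
                              "workload-role-tightened": TIGHTENED_ROLE}))
```

Wired into the pipeline, a non-zero exit blocks the merge, so the control is re-tested on every change to the policy rather than re-checked at audit time. The check deliberately ignores `NotAction` / `NotResource` statements and deny-overrides elsewhere in the account; those need an access analyser, which is why the ledger row pairs policy tightening with one.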
CONTROL LANES
Identity · network · data · supply chain
The four lanes every hardening engagement runs on. Each item is a shipped control — we don't recommend what we don't build.
Identity
- SSO · SCIM · MFA / WebAuthn
- Step-up auth for sensitive ops
- Break-glass rotation drill
- Audit every admin action
Network
- VPC segmentation · private subnets
- Zero-trust access (Cloudflare, Tailscale)
- WAF · rate limits · bot detection
- Egress controls + allowlists
Data
- At-rest + in-transit encryption
- KMS · envelope encryption
- PII minimisation · tokenisation
- Retention + delete-on-request
Supply chain
- Signed artefacts · SBOM · SLSA
- Dependency pinning · Renovate
- GitHub advanced security
- SCA across all registries
Adjacent disciplines
Where security connects
DevOps & Cloud Infrastructure
IAM, network segmentation, secrets management and the CI/CD the supply-chain controls live inside.
Release · QA & Release Governance
SAST, DAST, dependency scans and supply-chain gates on the release pipeline.
Regulated · Financial Technology
PCI-DSS, SOC 2, PSD2, fraud tooling and the compliance stack for payment systems.
AI · MLOps & Governance
Model-risk management, privacy engineering (differential privacy), bias audit and EU AI Act mapping.
Put security in writing, in code and in the release pipeline
Share the architecture, the compliance profile and the incident history (under NDA). We come back with a threat model, findings ledger and remediation calendar inside ten working days.