Cybersecurity services for SMBs and mid-market | OCIRIA
vCISO, ISO/IEC 42001 and OSINT audits. Three closed services with clear scope, no surprises. Senior team, Spain-Romania dual jurisdiction.
ISO/IEC 42001 · Responsible AI management
First international standard for AI management systems. We prepare you for certification with defined scope and timeline.
Corporate OSINT audit · OCIRIA
What an attacker sees about your company, without touching anything. Executive and technical report, 100% legal and passive.
Monthly vCISO · Security leadership as a service
A senior engineer puts your security in order. No full-time cost, with a quarterly minimum commitment.
Services
Three services. That's what we do well. If you need something else, we'll say so and point you to a suitable provider.
---
vCISO · Security leadership as a service
Who it's for. Organisations between 30 and 500 employees that don't yet need a full-time CISO but do need someone making security decisions with judgment, not a technician reacting to incidents.
What's included. A senior professional assigned to your account for an agreed number of monthly hours. Sets security strategy, prioritises investments, attends leadership committee meetings when relevant, directs your in-house technical team or external vendors, and represents you in front of auditors, insurers and clients.
How we work. After the initial assessment, we agree a quarterly plan with three to five measurable objectives. Monthly leadership review, weekly technical review with your team, quarterly report with metrics. No mandatory office presence if it adds no value.
Commitment. Quarterly minimum, no exit penalty after the first quarter. We don't bill for hours not consumed.
Monthly deliverable. Priority log, decisions register, live risk report and next month's plan.
Who delivers it. Senior engineer with more than ten years in operational security and prior experience as an in-house CISO or leadership consultant.
---
ISO/IEC 42001 · Responsible AI management certification
Who it's for. Organisations deploying their own or third-party AI systems that need to demonstrate responsible management: corporate clients ask for it, regulators will ask for it, and the EU AI Act reinforces it.
What ISO/IEC 42001 is. International standard published in 2023 defining the requirements for an AI management system. Covers governance, risk management, model lifecycle, human oversight, bias, traceability and continuous improvement.
What our support includes.
1. Gap analysis against the standard · one to two weeks depending on size.
2. Design of the documented management system adapted to your organisation.
3. Implementation of controls, procedures and records.
4. Training for the responsible team and AI committee.
5. Internal pre-audit and support during the external certification audit.
What we don't do. We don't issue the certificate. Certification is issued by an independent accredited body. We prepare you to pass it on the first attempt.
Typical timeline. Four to nine months depending on starting point and the maturity of your existing data governance.
---
OSINT Audit · Public exposure assessment
Who it's for. Any organisation with a significant digital presence, visible leadership teams or exposure to social engineering. Particularly useful after a merger, before a significant public announcement, or after an incident suggesting a leak.
What we do. We collect, exclusively from open and lawful sources, all the information a moderately motivated attacker could obtain about your organisation in a week of work: domains and subdomains, exposed infrastructure, credentials leaked in public breaches, personal information about your leadership team, presence on forums and social platforms, and vendor footprints.
What we don't do. We don't access systems, we don't test vulnerabilities without authorisation, we don't contact employees with pretexts. OSINT is strictly passive and lawful.
Deliverable.
- Executive report of 12-20 pages.
- Prioritised findings list by criticality level.
- Mitigation plan with concrete actions, suggested owners and recommended sequence.
- Briefing session for leadership and technical team.
Timeline. Ten business days from contract signature and authorisation to start.
Repeatability. We recommend repeating the OSINT audit every twelve months, or after significant organisational changes.
---
How to start
The first step is always the initial assessment. One week. Free if we decide together not to move forward. We reply with the full name of the engineer who would handle it before any commitment.
Write to [email protected].