About OCIRIA

Who we are

OCIRIA is a boutique cybersecurity and compliance firm. We are based in Málaga (Spain) with a team in Romania, and we serve mid-market European companies that need a clear technical counterpart, a realistic calendar, and a signed report at the end of the engagement. Our public platform is ociria.com.

We were born out of fatigue. Fatigue from seeing technical reports the board could not read, audits that ended in hundred-slide decks without a single actionable data point, products sold as solutions when they were only pieces, and pitches that talked about "global leaders" before showing a single finding. We decided to do it differently: a small service, honest, technical, with verifiable numbers and committed deadlines.

What sets us apart

We do not sell absolute protection. Absolute protection does not exist. What we sell is judgement: seeing more, seeing earlier, understanding what we see. The report we sign describes what we saw, how we saw it, and what we still do not see. That last sentence, the "still do not see", is the one nobody wanted to put in writing. We do.

Defensive AI with a purpose. We apply artificial intelligence in triage, correlation, and pattern detection that a human analyst would need hours to cover. Not to demonstrate technology, but to give the team hours back. The internal metric we track is analyst hours saved per week in accounts under continuous monitoring.

Boutique speed. A small team, no bureaucratic layers. Initial diagnostic delivered in 10 business days, with a signed report and actionable next steps. If during the diagnostic we find something serious, we communicate it within 24 hours; we do not wait for the final report to put it in writing.

ES-RO dual jurisdiction. Legal entity in Spain (Málaga), operations in Romania. We do not boast "global presence"; we boast an actual understanding of the EU-East regulatory corridor as a single, fragmented space. The real transposition of NIS2 in Spain and in Romania is not the same, and working both sides forces us to know it.

Team (without inflation)

We are a small team, deliberately. We combine offensive security profiles with defensive judgement, compliance profiles with operational experience, and a data engineering node so that defensive AI is not a slogan. We do not publish inflated headcount figures: if you want to know who will run your account, we say so in the first meeting.

Where we are

Legal seat in Málaga (Spain), distributed operations in Romania. Coverage during UTC+2 business hours. The primary contact channel is [email protected] (the OCIRIA team replies within one business day). If your organisation is outside our usual corridor and you still want to work with us, we discuss it before signing, with no commitment.

How we work in practice

1. First contact. A 30-45 minute conversation to understand context: size, sector, applicable regulatory framework, recent incidents if any, internal team and current suppliers.

2. Initial diagnostic. A week of intensive work: review of exposed surface, brand OSINT analysis, compliance assessment (NIS2, GDPR, ISO 27001 where relevant), technical interviews.

3. Signed report. PDF document delivered within 10 business days of diagnostic close. Findings referenced to reproducible evidence, prioritised action plan, effort estimate per block.

4. Optional accompaniment. If the client decides, we continue as monthly vCISO, quarterly review, or closed project to implement the priorities. Never mandatory.

What we do not do

We do not replace a SIEM that already works. We do not request rip-and-replace of the technology stack to "standardise". We do not sell fear. We do not publish client logos without written consent. We do not sign reports with conclusions we have not reached. And we do not promise certifications that depend on external bodies (ISO 27001, ISO 42001) as if we issued them ourselves: we prepare the road honestly.

Potential partners (open conversations, no public signature)

We keep active dialogue with providers specialised in incident response, managed SOC infrastructure, data protection legal advisory, and corporate awareness training. When a piece is not our specialty and the client needs it, we recommend a partner with judgement. When we sign formal partnerships, we will say so here. Until then, we will not.

Next step

If you have reached the end of this page and think a conversation would make sense, ask for one. No cost, no commitment, no follow-up with a sales script.

Email: [email protected] · Web: ociria.com · Data: [email protected] (privacy/GDPR)