Weaving your safety net.

Technical depth meets regulatory fluency — for regulated SMBs, civil-protection NGOs, and local government.

How we work

A transparent, structured process — from briefing to final report with a remediation plan.

Scope & objectives

We define the scope, methodology, and project goals. We sign an NDA and Rules of Engagement. We agree on time windows and points of contact.

Reconnaissance & analysis

We gather information about the environment: OSINT, fingerprinting, attack surface mapping. Findings are documented in real time.

Project execution

Penetration testing, compliance audit, gap analysis — per the methodology agreed in the brief. Critical findings reported in real time.

Report & remediation

Technical report + executive summary. We review findings, prioritise actions, and support remediation. Retest of critical vulnerabilities is included in the pentest.

Who we work for

Choose your organisation type to see sectors and services tailored to your situation.


Selected projects

Project details are covered by NDA. Clients and system names are anonymised.

BANKING · WEB APPLICATION PENTEST

32 vulnerabilities in an internet banking system

Full web application pentest for a bank. Critical findings included TLS 1.0 still enabled, with an unpatched CVE in outdated encryption libraries; missing HSTS, allowing HTTP downgrade; a flawed ASP.NET session refresh mechanism; and no anti-CSRF protection on financial operations.

CWE-326 Inadequate Encryption Strength · CWE-319 Cleartext Transmission · CWE-352 CSRF · CWE-613 Insufficient Session Expiration

3 critical vulnerabilities (CVSS 9.1+) resolved before production deployment.

FINANCIAL SECTOR · API & WEB APPLICATION PENTEST

Stack trace exposure and Slowloris DoS vulnerability

Pentest of a fintech platform. The server returned full stack traces on HTTP 500 errors, leaking backend architecture details. We also found a Slowloris vulnerability (CVE-2007-6750), an inconsistent authentication architecture, and missing critical HTTP security headers in server responses.

CWE-209 Information Exposure Through Error Messages · CWE-400 Uncontrolled Resource Consumption · CWE-306 Missing Authentication · CWE-693 Protection Mechanism Failure

17 vulnerabilities; remediation plan implemented in 6 weeks.

E-COMMERCE · PAYMENT APPLICATION PENTEST

Customer IBAN in URL and SQL Injection vulnerability

Pentest of a payment platform. The customer's IBAN was passed as a URL parameter, so it ended up in server logs and browser history. We also found unsanitised SQL input (SQL injection), a Path Traversal vulnerability, SSRF/RFI risk via external file references, and beneficiary data tampering in basket operations.

CWE-89 SQL Injection · CWE-22 Path Traversal · CWE-918 SSRF · CWE-598 Sensitive Data in URL Parameters

16 vulnerabilities; critical issues fixed on an emergency basis before the regulator's audit.

TECHNOLOGY · SPA + REST API PENTEST

Session leakage and client-side JSON Injection

Pentest of a React application with a REST API backend. Session IDs exposed in URLs (visible in logs), missing Session Binding with user context, client-side JSON Injection, weakened CSP, and missing Strict-Transport-Security header. AngularJS 1.x on Extended Support: legacy technology with unpatched CVEs.

CWE-598 Session ID in URL · CWE-384 Session Fixation · CWE-74 JSON Injection · CWE-1021 Improper Frame Restriction

20 vulnerabilities; retest confirmed after 8 weeks of remediation.

OT / MANUFACTURING · NETWORK SECURITY AUDIT

No IT/OT segmentation and unprotected industrial protocols

OT network audit of a steel plant per IEC 62443. IT and OT networks ran on a shared segment, so breaching one layer gave access to PLC controllers. Absent access management, unencrypted machine communication protocols, and no backup procedures for device configurations.

CWE-1188 Insecure Default Initialization · CWE-306 Missing Authentication for Critical Function · CWE-319 Cleartext Transmission of Sensitive Information

14-point remediation plan implemented in 90 days with no production downtime.

COMPLIANCE · ISO 27001 PRE-AUDIT

ISO 27001 certification preparation for a 200+ organisation

ISO 27001 pre-audit and certification preparation for a 200+ organisation. Gap analysis, documentation, internal audit, Stage 1 and Stage 2 support with an accredited body.

ISO 27001:2022 Annex A · Clause 9.2 (Internal audit) · Stage 1 + Stage 2

Organisation prepared for Stage 1 within 4 months of project start.

Team specialisations

Our team combines pentest-level technical depth with regulatory fluency. Areas we work in daily:

Financial-sector penetration testing

Banking and fintech applications, payment institutions, AML systems. Project experience in environments handling transactions and sensitive client data.

AI / LLM penetration testing

Prompt injection, jailbreaks, data exfiltration via LLMs. Adversarial testing of ML pipelines and AI-native applications.

NIS2 / DORA compliance

Sector packages — local government, healthcare, non-bank fintech, civil protection. Sector-specific scope, not generic audits.

ISO 27001 pre-audit

Preparation for certification through an accredited body. Gap analysis, documentation, internal audit, Stage 1 and Stage 2 support.

OSINT investigative and CTI

Investment due diligence, cyber threat intelligence, investigative OSINT, counter-disinformation. Two competency dimensions — cyber and finance-compliance.

Civil protection and social resilience

Cyber consulting for civil-protection NGOs, pro-defence sector, crisis management. Grant application support — Horizon Europe, EDF, EUDIS.

Frequently asked questions

For a standard web application, testing takes 5–10 business days. The timeline depends on complexity and the agreed scope. We set the schedule individually before signing the contract.

No. We conduct tests in safe mode without requiring downtime. For OT/ICS environments, we apply a separate safety protocol agreed with the operator.

We deliver a technical report (full vulnerability descriptions, CVSS scores, PoC, attack paths) and an executive summary for management. Each vulnerability includes prioritised remediation recommendations.

Yes. We offer technical consulting, patch retesting, and support for the development team. Retest of critical vulnerabilities is included as standard in the pentest.

Before every project we sign an NDA, an engagement agreement (Rules of Engagement), and a test scope document. For critical infrastructure we require written authorisation from the system owner.

NIS2 covers essential and important entities in 18 sectors: energy, transport, banking, digital infrastructure, healthcare, administration, and others. The criteria are sector of activity and size thresholds (typically 50+ employees or EUR 10m turnover). We'll confirm your classification in a free preliminary assessment.

Ready to talk?

Get in touch — the first consultation is free.

Write to us

Data submitted via the form is processed in accordance with our privacy policy. We do not use external trackers or advertising cookies.