Service, project-based
A structured maturity assessment of your cybersecurity posture. Two workshops, review of documentation and asset inventory, and a report giving leadership a prioritized roadmap instead of a vulnerability list.
Mapped against NIST CSF 2.0, ISO 27001:2022, the NIS2 Directive, the CRA (Cyber Resilience Act) and, where OT exposure exists, IEC 62443. Delivered as a 4 to 6 week project.
What we review
The areas below come from frameworks like NIST CSF, ISO 27001 and NIS2. Scope is tuned to your industry and exposure, but we give a read on each where it is relevant.
What systems, services and information assets exist today, who owns them, where they live and how they are classified. This is the foundation: nothing that follows can be done in a way that holds over time if the inventory is fuzzy.
IAM maturity, MFA coverage, SSO strategy, segregation of duties, least privilege. How identities are handled for both staff and external systems, and what happens when someone leaves.
Scan cadence (quarterly, on release), patch cycles, exception process, vendor security patching. How risk is kept down between recurring external pentests.
Segmentation between zones, VLAN strategy, firewall rules, SOC/MDR status, SIEM coverage, EDR on endpoints. If an attacker breaks in, how quickly that is detected and how far they can move.
IR plan, BCP/DR documentation, RTO/RPO for critical systems, exercises and scenarios, contact chains, reporting requirements (NIS2 has short deadlines). Roles and responsibilities, not tools.
Gap analysis against NIS2, CRA readiness, ISO 27001 status, GDPR Art. 28 compliance in the supplier chain, security annex in procurement, CISO role and GRC function.
How it works
We walk through scope, your priorities, which frameworks are mandatory for you, and who from your side will join the workshop.
Two full days with key people. Assets, risks, dependencies, documentation, threat modelling. Whiteboard, not PowerPoint.
We analyse network diagrams, policies, the asset list and the workshop output against the frameworks. We draft the report, map the gaps and prioritise.
Written final delivery plus a verbal briefing with leadership. Within 60 days we follow up to see what has moved.
Where it fits in
This service does not answer the question "what vulnerabilities do I have today". That is what our continuous platform does, every day.
It answers the question "where should we invest, and in what order". Both are needed. Customers typically pair a Strategic Security Assessment every 18 to 24 months with ongoing continuous monitoring in between.
Read more about the continuous side: Verification Engine and MCP for AI agents.
We talk through whether a Strategic Security Assessment fits you right now, or whether something else is a better fit. We will tell you if we think you do not need it.