We do not sell a product, a methodology or a framework. We sell judgement. Every engagement is shaped around the actual risk, the actual business, and the actual people in the room.
For most scaling businesses, a full-time CISO is premature. The role commands a significant salary, demands deep institutional knowledge, and often sits idle between the peaks of incident response and board cycles. A fractional CISO gives you the same seniority and accountability for a fraction of the cost.
We embed as your security leader, attending board and ExCo where needed, owning the security strategy, and being genuinely contactable when it matters. Not a consultant parachuting in with a slide deck. A person who knows your business, your team, and your risk appetite.
Engagements typically run on a retained monthly basis at one to four days per month. We can step up during incident response, regulatory review or fundraising without notice.
Most organisations do not have a clear picture of their own security posture. Controls exist, but nobody is certain they work as intended. Policies were written two years ago by someone who has since left. The last penetration test uncovered findings that were never remediated.
A programme review gives you an honest, independent view across your entire security landscape. We assess people, process and technology against a structured framework, weighted for your sector and growth stage. We do not produce a report that collects dust. We produce findings your leadership team can act on within a week.
Reviews are typically delivered over three to six weeks, with an executive summary and a working findings register your team can use immediately.
A target company may have excellent growth metrics and a weak security posture. The two are not mutually exclusive — but the risk needs to be quantified, priced, and managed. Too many due diligence processes treat cyber as a checkbox rather than a material risk factor.
We support buy-side and sell-side processes for private equity firms, venture-backed acquirers and strategic buyers. Our diligence is commercially framed: we translate technical findings into deal implications, remediation costs and post-close priority actions. We also support founders preparing for diligence, ensuring their posture does not become a chip in the negotiation.
We operate quickly and discreetly, producing findings that are useful for both the investment committee and the integration team.
Customers, investors and regulators increasingly expect demonstrable evidence of a functioning security programme. Whether the driver is an enterprise procurement process, a regulatory obligation or investor due diligence, the bar is rising — and the expectation is often a recognised framework or a completed questionnaire. The problem is that most readiness programmes are over-engineered for early-stage companies, producing documentation nobody reads and controls that burden the engineering team.
We take a different approach. We map your existing controls to the standard, identify the genuine gaps, and build a programme proportionate to your current size and maturity. The goal is to get you certified efficiently, without rebuilding your organisation around a compliance programme it will immediately outgrow.
We also support customer security questionnaire and RFP responses, so that compliance stays a background function rather than a recurring sprint that pulls engineers away from the product.
A short conversation is usually enough to work out where to begin.