Skip to main content

Security Audit & Pentest

Security audit, pentest and advisory

Compliance, pentest, secure development, architecture review, anti-insider, vCISO — one team, one contract.

Talk to an architect
Audit Services Four tracks

What we deliver

Compliance audits, offensive testing, secure engineering and strategic advisory — combined into a single accountable engagement.

Compliance & governance

  • ISO 27001 readiness and certification support
  • NIS2 directive (EU operators)
  • DORA — financial digital operational resilience
  • GDPR programme: data inventory, DPIA, breach SOP, SAR, vendor DPA
  • SOX IT general controls (ITGC) audit
  • PCI-DSS scoping and gap assessment

Offensive security & testing

  • External and internal pentest (black/grey/white box, lateral movement)
  • Web (OWASP Top 10 + business logic) and mobile (iOS, Android)
  • Social engineering — phishing, vishing, physical (optional)
  • Red / Purple Teaming — 8–16 weeks, board-level buy-in
  • Perimeter VA — fast format, 2–4 weeks, Pareto quick wins
  • Leak detection & OSINT — credentials, keys, internal docs
  • Source code audit, supply-chain risk review
  • Web3 / DeFi smart-contract audit (Solidity, Vyper, Rust)

Engineering & architecture

  • Secure Development Lifecycle (SDLC) — threat modelling, SAST/SCA/DAST, secure code review
  • Security Architecture Review — segmentation, cryptography, IAM
  • Anti-insider programme — PAM design, UEBA, privacy-aware monitoring

Strategic advisory

  • Executive Security Consulting (vCISO) — strategy, roadmap, board reporting
  • Vendor selection and supply-chain risk advisory
  • Independent security opinion on existing programmes

Engagement formats

  • Perimeter VA: 2–4 weeks (quick start)
  • Full pentest: 4–8 weeks (typical)
  • Red/Purple Teaming: 8–16 weeks
  • vCISO: ongoing retainer

Scope your audit

Share the target — perimeter, app, ISO 27001 readiness, full programme — and we'll come back with a scoped proposal in 48 hours.

Talk to an architect
Track record Engagements under NDA

Delivered to date

10+

security audit and penetration testing projects

Covering all four tracks: offensive testing, compliance audit, secure SDLC and vCISO advisory.

Confidentiality

Customers and engagement specifics are under NDA. An extended reference for a concrete scenario can be prepared once a confidentiality agreement is in place.

Reference call

Need a relevant reference for board approval? Sign an NDA and we'll connect you with a delivery lead.

Request reference →
Differentiators Why us

What sets us apart

Identity-aware security

We audit through the lens of access management — often where the real risks hide. Direct cross with our IDM pillar.

Business-language reports

Findings translated to business risk. Board-ready summaries + engineer-ready remediation tickets.

Full stack in one contract

From executive strategy to code review — no fragmentation between consulting and testing firms.

Engagement frame

Fixed-scope or retainer. Insurance + NDA + DPA standard. Reports delivered in your preferred CMS or as PDF.

Quick start

30-minute scoping call. We'll come back with a proposal within 48 hours.

Book call →
Keep exploring

Related services & platforms

Where teams usually head next — adjacent practices and platforms from the same engineering team.

FAQ

Frequently asked questions

What's the difference between a security audit and a penetration test?

An audit assesses controls, processes and compliance posture (ISO 27001, NIS2, DORA, GDPR) against a framework; a penetration test actively exploits weaknesses to prove real-world impact. Most engagements combine both — the audit sets scope, the pentest validates it.

Can compliance and offensive testing run under one contract?

Yes. ISO 27001 / NIS2 / DORA / GDPR programmes, penetration testing, secure development and vCISO advisory are delivered by one team under one contract — no fragmentation between a consulting firm and a separate testing vendor.

What do the deliverables look like?

Two layers from the same findings: a board-ready summary in business-risk language, plus engineer-ready remediation tickets with reproduction steps and prioritisation — not a 200-page PDF nobody reads.

How fast can you start, and what's the smallest useful engagement?

A perimeter vulnerability assessment runs 2–4 weeks and surfaces the Pareto quick wins; a full red / purple team runs 8–16 weeks with board-level buy-in. We scope to your risk and timeline, not a fixed package.

Do you cover identity and access security specifically?

Yes — we audit through the access-management lens (IGA / IAM / PAM), often where the real risk hides, with a direct cross to our identity practice for remediation.