
Cyber Defence & Threat Exposure
Specialist cyber defence — assessment, dark-web exposure monitoring, rapid and discreet incident response, industrial security, and red-team operations. Niche work for organisations that take their security posture seriously.
Five capabilities, each delivered as its own service.
Pen testing, continuous TEM monitoring, OT segmentation review, and rapid IR are different services with different lifecycles. Each section sets out its own approach and the deliverables you receive.
Cyber Security Assessment
Vulnerability assessment and penetration testing across web applications, networks, mobile, cloud, and identity. Operators chain individual findings into demonstrable attack paths rather than stopping at automated scan output. Risk-prioritised reporting suited to board-level review.
Approach
- Scope and rules of engagement aligned with the threat model and operational risk tolerance
- External and internal reconnaissance — passive OSINT, surface mapping, authenticated where applicable
- Web-application testing per OWASP Testing Guide / ASVS; network testing per OSSTMM and PTES; mobile per OWASP MASVS; cloud per CIS Benchmarks (AWS / Azure / GCP); identity per Active Directory / Azure AD / Okta hardening review
- Manual exploitation, vulnerability chaining, post-exploitation validation
- Lateral-movement and privilege-escalation paths mapped to the asset model
- Wireless, segmentation, and physical-access testing where authorised
- Re-test on remediation when requested
Deliverables
- Full technical report with attack chains, proof-of-concept artefacts, CVE / CWE mappings
- Risk-prioritised remediation guidance with effort estimates
- Executive summary in business-risk language (board-ready)
- Optional re-test letter and "before / after" attestation
- Briefing session for the in-house security team
Threat Exposure Management (TEM)
Continuous monitoring across the surface, deep, and dark web. Leaked credentials, brand impersonation, third-party / supply-chain exposure, illicit-marketplace surveillance for organisational data. Ongoing service, not a project.
Approach
- Curated coverage across dark-web forums, Telegram channels (58,000+ tracked), ransomware leak sites, paste sites, illicit marketplaces, and stealer-log corpora
- Leaked-credential detection mapped to identity providers (Active Directory / Azure AD / Okta / Workspace) for immediate revocation
- Brand-impersonation and counterfeit-domain surveillance with takedown workflows for hosting providers and registrars
- Third-party and supply-chain exposure detection — partner / vendor breaches correlated to your organisational graph
- Threat-actor profiling and historical search across forums and breach data
- AI-assisted multilingual translation of dark-web discussions into structured intelligence
Deliverables
- Real-time prioritised alerts (high-severity → named-analyst escalation)
- Monthly briefing report with threat-landscape narrative and KPI dashboard
- Takedown management for brand impersonation and counterfeit domains
- Integration into your SIEM / SOAR / ticketing (Splunk, Sentinel, QRadar, ServiceNow) where required
- Quarterly threat-actor profile updates relevant to your sector
- Named analyst as a single point of contact
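The leaked-credential mapping described above, as an added example rather than the firm's own tooling: it parses constructed stealer-log lines in the two common layouts (url:login:password and url|login|password), decides which logins belong to the organisation's identity domains (by e-mail domain, by NetBIOS prefix, or as a bare username captured on one of the organisation's own portals), and produces a deduplicated revocation list that carries a password fingerprint instead of the plaintext. The domains, the NetBIOS mapping and the log lines are constructed; the revocation call into the identity provider is left to that provider's API.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed identity data: the domains we own and the NetBIOS names that map to them.
CORP_DOMAINS = {"example.com", "corp.example.com"}
NETBIOS_MAP = {"EXAMPLE": "example.com"}

# Constructed stealer-log lines in the two common layouts, url:login:password and url|login|password.
SAMPLE_LINES = [
    "https://portal.example.com/login:j.doe@example.com:Winter2024!",
    "https://mail.google.com/:j.doe@gmail.com:hunter2",                 # personal account, not ours
    "https://vpn.example.com|EXAMPLE\\jdoe|Summer2023",                 # DOMAIN\user from a VPN form
    "android://com.bank.app/:someone@other.org:pass",                  # third party, ignored
    "https://okta.example.com/:a.smith@corp.example.com:Spring2024#",
    "https://portal.example.com/login:j.doe@example.com:Winter2024!",  # same entry seen in a second log
    "garbage line without delimiters",
]

# The URL carries its own ':' so the pattern anchors on the scheme before splitting login and password.
LINE_RE = re.compile(
    r"^(?P<url>[a-z][a-z0-9+.-]*://[^\s:|]+(?::\d+[^\s:|]*)?)"
    r"[:|](?P<user>[^:|\s]+)[:|](?P<pwd>.+)$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return {'host', 'user', 'pwd'} for a recognised line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = (urlsplit(m["url"]).hostname or "").lower()
    return {"host": host, "user": m["user"], "pwd": m["pwd"]}


def owning_domain(name, corp_domains):
    """Longest of our domains that `name` equals or is a subdomain of, else None."""
    name = name.lower()
    for d in sorted(corp_domains, key=len, reverse=True):
        if name == d or name.endswith("." + d):
            return d
    return None


def to_upn(user, host, corp_domains, netbios_map):
    """Map a leaked login to a UPN in one of our identity domains; None means it is not our user."""
    if "@" in user:
        local, _, dom = user.rpartition("@")
        return f"{local}@{dom}".lower() if owning_domain(dom, corp_domains) else None
    if "\\" in user:  # DOMAIN\user as captured from a Windows or VPN logon form
        nb, _, local = user.partition("\\")
        dom = netbios_map.get(nb.upper())
        return f"{local}@{dom}".lower() if dom else None
    dom = owning_domain(host, corp_domains)  # bare username captured on one of our own portals
    return f"{user}@{dom}".lower() if dom else None


def revocation_candidates(lines, corp_domains, netbios_map):
    """One record per affected identity: the portals the login was captured for and a SHA-256
    fingerprint of each distinct password, so the revocation ticket never carries plaintext."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        upn = to_upn(rec["user"], rec["host"], corp_domains, netbios_map)
        if upn is None:
            continue
        entry = seen.setdefault(upn, {"upn": upn, "hosts": set(), "pwd_fingerprints": set()})
        entry["hosts"].add(rec["host"])
        entry["pwd_fingerprints"].add(hashlib.sha256(rec["pwd"].encode()).hexdigest()[:12])
    return sorted(seen.values(), key=lambda e: e["upn"])


if __name__ == "__main__":
    for c in revocation_candidates(SAMPLE_LINES, CORP_DOMAINS, NETBIOS_MAP):
        print(c["upn"], sorted(c["hosts"]), sorted(c["pwd_fingerprints"]))
```

Matching on the login rather than only on the captured host matters: a corporate e-mail address captured on a third-party site is still a password-reuse risk for the identity provider, whereas a personal account captured on the organisation's own portal is not the organisation's user. The fingerprint lets the analyst tell "same password leaked twice" from "two different passwords leaked" without the ticket ever holding the secret.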
Incident Response — Quick & Discreet
Rapid activation when a breach is suspected or confirmed, with discretion maintained across reporting and communications. Available on a 24/7 retainer.
Approach
- 24/7 activation hotline with named first-response analyst within agreed SLA
- Triage and threat-actor classification — group, tooling fingerprint, likely objectives
- Containment without unnecessary business disruption — segmentation, account isolation, controlled traffic blocks
- Forensic preservation across endpoint memory, disk, network, cloud workloads, identity audit logs, and SaaS audit trails per ISO/IEC 27037
- Root-cause analysis mapped to MITRE ATT&CK and the Diamond Model; NIST SP 800-61-aligned playbook execution
- Communications support where retained (legal, regulatory disclosure, media holding statements)
- Post-incident threat hunt for residual access and parallel intrusions; hardening roadmap based on observed failure points
Deliverables
- Forensic report prepared to chain-of-custody standards
- IOC list and TTP-mapped attacker profile
- Timeline of intrusion with detection-and-response opportunities
- Containment-and-recovery decisions log (defensible to regulators / insurers / counsel)
- Post-mortem briefing and hardening roadmap
- Threat-hunt report covering the wider environment
Industrial / SCADA / OT Security
Specialist security assessment for environments where downtime is not an option — pharma, energy, water, logistics, transport, manufacturing.
Approach
- Passive observation and asset discovery before any active testing — span-port capture, controlled traffic analysis (no aggressive scanning of OT)
- Asset inventory across PLC, HMI, RTU, DCS, SCADA, historian, and engineering workstations
- Segmentation review against the Purdue Reference Model and IEC 62443 zone-and-conduit architecture
- IT/OT boundary review — DMZ controls, firewall rules, jump-host hygiene, USB / removable-media policies, vendor-access pathways
- Engineering-workstation hardening review (Windows / vendor-OEM)
- Controlled active testing only during agreed maintenance windows
- Methodology aligned to ICS-CERT, NIST SP 800-82, IEC 62443, and IEC 61850 (where power infrastructure is in scope)
Deliverables
- OT asset inventory with criticality mapping
- Segmentation map (current state vs. target state per IEC 62443 zones and conduits)
- Ranked exposure findings with downtime-impact assessment
- Hardening roadmap sequenced for maintenance windows
- Optional tabletop exercise for OT-specific incident response (cascading failure, ransomware-on-OT)
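A reduced version of the segmentation review above, as an added example and not the firm's tooling: allow rules exported from the IT/OT boundary firewall are checked against a declared IEC 62443 zone-and-conduit matrix laid over Purdue levels. The zone model, conduit matrix, protocol list and ruleset are all constructed. The checks are the ones a reviewer applies by hand: enterprise-to-OT traffic that bypasses the Level 3.5 DMZ, rules permitting any service, controller protocols such as Modbus/TCP (502) or S7comm (102) reachable from above Level 2, and any allow rule not backed by a declared conduit.

```python
from dataclasses import dataclass

# Constructed zone model: Purdue levels used as IEC 62443 zones, with L3.5 as the IT/OT DMZ.
ENTERPRISE = {"L5", "L4"}
DMZ = "L3.5"
OT = {"L3", "L2", "L1", "L0"}

# Constructed target-state conduit matrix: (from_zone, to_zone) -> services the conduit may carry.
ALLOWED_CONDUITS = {
    ("L4", "L3.5"): {"tcp/443", "tcp/3389"},   # enterprise users to DMZ jump host and historian replica
    ("L3.5", "L3"): {"tcp/3389", "tcp/1433"},  # jump host to engineering workstations; historian replication
    ("L3", "L2"): {"tcp/4840"},                # OPC UA from site operations to supervisory systems
    ("L2", "L1"): {"tcp/502", "tcp/102"},      # HMI/SCADA polling PLCs over Modbus/TCP and S7comm
}

# Controller-facing protocols that should not be reachable from anything above the supervisory layer.
CONTROL_PROTOCOLS = {"tcp/502", "tcp/102", "tcp/20000", "tcp/44818", "udp/2222"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone label, e.g. "L4"
    dst: str
    service: str  # "proto/port" or "any"
    action: str   # "allow" or "deny"


def level(zone):
    """'L3.5' -> 3.5, so zones can be compared numerically."""
    return float(zone[1:])


def review_rule(rule, conduits=ALLOWED_CONDUITS):
    """Findings for one rule against the target state; an empty list means it conforms."""
    if rule.action != "allow":
        return []
    findings = []
    crosses_dmz = (rule.src in ENTERPRISE and rule.dst in OT) or (rule.src in OT and rule.dst in ENTERPRISE)
    if crosses_dmz:
        findings.append(f"{rule.src}->{rule.dst} bypasses the {DMZ} IT/OT DMZ")
    if rule.service == "any":
        findings.append("permits any service; the conduit must enumerate protocols")
    else:
        if rule.service in CONTROL_PROTOCOLS and level(rule.src) > 2:
            findings.append(f"control protocol {rule.service} reachable from {rule.src}, above Level 2")
        if rule.service not in conduits.get((rule.src, rule.dst), set()):
            findings.append(f"{rule.service} on {rule.src}->{rule.dst} is not a declared conduit")
    return findings


def review_ruleset(rules, conduits=ALLOWED_CONDUITS):
    """Map rule name -> findings, for the rules that have any."""
    report = {}
    for r in rules:
        f = review_rule(r, conduits)
        if f:
            report[r.name] = f
    return report


# Constructed sample ruleset as exported from the IT/OT boundary firewall.
SAMPLE_RULES = [
    Rule("corp-to-jump", "L4", "L3.5", "tcp/3389", "allow"),
    Rule("jump-to-eng", "L3.5", "L3", "tcp/3389", "allow"),
    Rule("scada-poll", "L2", "L1", "tcp/502", "allow"),
    Rule("vendor-direct", "L4", "L1", "tcp/502", "allow"),  # "temporary" vendor access that was never removed
    Rule("legacy-any", "L3", "L2", "any", "allow"),
    Rule("default-deny", "L4", "L0", "any", "deny"),
]

if __name__ == "__main__":
    for name, findings in review_ruleset(SAMPLE_RULES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The conduit matrix is the target state agreed with the plant, so the output doubles as the current-versus-target segmentation map: every finding is either a rule to remove or a conduit the plant must consciously add to the matrix. Rules are evaluated as stated, not as observed; the passive span-port capture from the first step is what confirms whether a permitted conduit is actually carrying the traffic the matrix expects.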
Red Team & Adversary Simulation
Realistic adversary simulations against organisations with mature security programmes. Stealth, evasion, and detection-and-response validation. MITRE ATT&CK-aligned tactics. For corporate, financial, and critical-infrastructure clients ready for advanced testing.
Approach
1. Plan, scope, and threat model — including ROE, agreed assumed-breach starting points, blue-team awareness level, success criteria
2. Reconnaissance and intelligence gathering — OSINT, dark-web pre-attack intel, supply-chain mapping
3. Initial access — phishing, exposed services, supply-chain or physical / drop-vector entry points
4. Privilege escalation, persistence, and lateral movement against agreed objectives
5. Objective completion under controlled conditions — data-exfiltration simulation, critical-system access
6. Optional purple-team phase — collaborative detection engineering with the blue team
7. Joint red/blue debrief
Deliverables
- TTP-mapped technical report with full attack timeline
- ATT&CK heatmap — techniques used vs detected vs missed
- Video proof-of-concept for high-impact moments where applicable
- Detection-rule and control-improvement recommendations (Splunk / Sentinel / SIEM-agnostic)
- Joint red/blue debrief session
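How the "techniques used vs detected vs missed" heatmap and the timeline's detection figures are derived, as an added example rather than the firm's deliverable tooling (the same join also produces the detection-opportunity timeline in the incident-response deliverables above). The red team's action log and the blue team's alert export, both constructed here, are joined on ATT&CK technique ID; a detection counts only if it was raised at or after the first use of that technique, time-to-detect is computed per technique, and the result is emitted as an ATT&CK Navigator layer. The layer's `versions` values are an assumption and should be set to whatever your Navigator build accepts.

```python
import json
from datetime import datetime

# Constructed operation log (UTC): what the red team executed and when.
RED_ACTIONS = [
    ("2024-03-04T09:02:00Z", "T1566.001", "Spearphishing attachment to finance mailbox"),
    ("2024-03-04T09:41:00Z", "T1059.001", "PowerShell stager executed on FIN-WS-07"),
    ("2024-03-04T10:15:00Z", "T1003.001", "LSASS memory dumped via comsvcs.dll MiniDump"),
    ("2024-03-04T11:30:00Z", "T1021.002", "Admin-share lateral movement to FILE-01"),
    ("2024-03-05T08:10:00Z", "T1048.003", "Staged archive exfiltrated over HTTP to the team relay"),
]

# Constructed blue-team alert export: time raised, technique the analyst tagged, alert name.
BLUE_DETECTIONS = [
    ("2024-03-04T09:47:00Z", "T1059.001", "EDR: encoded PowerShell command line"),
    ("2024-03-04T14:05:00Z", "T1021.002", "SIEM: admin share access from a workstation"),
    ("2024-03-04T09:50:00Z", "T1105", "Proxy: unexpected executable download"),  # not something we did
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def coverage(actions, detections):
    """Per executed technique: first use, first detection at or after that use, time-to-detect, status.
    Detections tagged with techniques the team never executed are ignored as noise."""
    cov = {}
    for ts, tech, desc in actions:
        t = parse_ts(ts)
        entry = cov.setdefault(tech, {"first_used": t, "description": desc, "first_detected": None})
        if t < entry["first_used"]:
            entry["first_used"], entry["description"] = t, desc
    for ts, tech, name in detections:
        if tech not in cov:
            continue
        t = parse_ts(ts)
        entry = cov[tech]
        if t >= entry["first_used"] and (entry["first_detected"] is None or t < entry["first_detected"]):
            entry["first_detected"], entry["alert"] = t, name
    for entry in cov.values():
        detected = entry["first_detected"] is not None
        entry["status"] = "detected" if detected else "missed"
        entry["ttd_minutes"] = (
            int((entry["first_detected"] - entry["first_used"]).total_seconds() // 60) if detected else None
        )
    return cov


def summary(cov):
    detected = sum(1 for e in cov.values() if e["status"] == "detected")
    return {"used": len(cov), "detected": detected, "missed": len(cov) - detected}


def navigator_layer(cov, name):
    """ATT&CK Navigator layer: score 2 / green for detected, 1 / red for missed, TTD in the comment."""
    techniques = []
    for tech, e in sorted(cov.items()):
        detected = e["status"] == "detected"
        outcome = f"detected after {e['ttd_minutes']} min by {e['alert']}" if detected else "not detected"
        techniques.append({
            "techniqueID": tech,
            "score": 2 if detected else 1,
            "color": "#8ec843" if detected else "#ff6666",
            "comment": f"{e['description']}; {outcome}",
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0.0", "layer": "4.5"},  # assumed; match your Navigator
        "domain": "enterprise-attack",
        "description": "Techniques used vs detected vs missed",
        "techniques": techniques,
        "legendItems": [{"label": "detected", "color": "#8ec843"}, {"label": "missed", "color": "#ff6666"}],
    }


if __name__ == "__main__":
    cov = coverage(RED_ACTIONS, BLUE_DETECTIONS)
    print(summary(cov))
    print(json.dumps(navigator_layer(cov, "Example operation"), indent=2))
```

The ordering constraint (detection at or after first use) is what keeps the heatmap honest: an alert timestamped before the action cannot be a detection of it, and an alert for a technique that was never executed is blue-team noise, not coverage. The per-technique time-to-detect is the number that feeds the "detection-and-response opportunities" discussion in the debrief.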
Speak with a cyber defence specialist.
We will respond within one business day. Initial conversations are confidential and without obligation.
Request a Quote