Below you will find the services we provide. If you did not find a service that fulfils your needs and requirements, please feel free to reach out to us, so we can tailor a solution that fits your needs.
Retest and reevaluation of previous assessments can be added as part of an engagement. In that case, a smaller report will be created detailing the progress from the initial test to the retest. This will be provided in two versions, one complete for internal use and another version for sharing with external stakeholders.
"Get hacked!" - Practical cybersecurity assessment of your IT network.
Enhance your organisation's security posture by conducting a simulated network compromise.
This is a "hands-on" audit of the organisation's security posture and technical security controls. During the engagement, we will perform lateral movement and escalate privileges to demonstrate how cybercriminals might compromise key parts of your organisation.
The final product is a report with all issues found and recommendations for remediation/mitigation for these. We will also include which controls were operating effectively. The report will include descriptions of issues, recommendations, and a list of findings. This constitutes what is sometimes referred to as the "risks". Think of these as the individual points, or 'nodes,' in a graph, where each node represents a specific risk or finding. Then these findings/risks will be chained together in an "attack map" showing how issues relate to impact the core IT infrastructure. These "attack vectors" or "techniques" are sometimes referred to as "threats". Think of them as the edges between nodes in a graph. Additionally, key findings from a vulnerability scan are included, with the vulnerability scan report being included separately as an appendix.
All findings are provided with CIS 18 and MITRE ATT&CK references wherever applicable.
The following checks are the default items to be examined during an engagement. However, based on our startup meeting on the first day, we will tailor it based on your business model and infrastructure.
All of this is done in a hands-on approach, where vulnerabilities are exploited and chained together to show you the actual impact on the overall security of the organisation.
| [00-1] [Active Directory] |
The Active Directory portion of the engagement is an assessment of the setup and configuration of your on-prem Active Directory.
This involves:
|
| [00-2] [Endpoint Hardening and Intrusion Detection] |
This is an audit of the hardening and configuration of endpoints on your network.
The servers and workstations/laptops are reviewed for their resilience against attack.
And the configuration of detection and response capabilities on these.
Among the items tested for are:
|
| [00-3] [Network Architecture and Configuration] |
During the engagement, we will assess and review the network security of your organisation, which includes:
|
| [00-4] [Cloud] |
Lastly, we will assess the cloud assets of the organisation, which are most often some integration with Microsoft 360 and MS Office, or AWS. We evaluate these based on how they relate to the business model of the organisation and how they are integrated into other supporting infrastructure. |
| [00-5] [Other] |
During engagements, we often find niche technologies, setups such as DevOps or Operational Technology (OT). If time allows, during the engagement, we evaluate these as well. |
Practical cybersecurity assessment of your IT network and IT security governance structure.
We use a mix of technical assessment, interviews, and reviews to assess the state of cybersecurity in your organisation, from framework to technical security controls. Gain insight into all aspects of the security of your organisation. Starting with an "Assumed Breach Assessment" and ending with reviews of policies and procedures. We provide a full review of the cybersecurity of your organisation.
As part of the evaluation, we will provide guidance and help create the missing documentation. Meaning that remediation post-assessment will be quick and effective.
We start with an "Assumed Breach Engagement" to gather information about the state of technical security controls of the organisation. In ISACA terms, this fulfils the requirement for "Risk Assessment" and "Threat Assessment". This will result in a report with purely technical findings, related to the security controls of the organisation.
The overall structure of the engagement follows the general methodology laid out by the NIST CSF:
All of the work above will result in two reports, one containing the technical findings from the "Assumed Breach Assessment" and another from the "Governance Assessment". We chose two separate reports since the contents will target two different groups in the organisation.
We use NIS2 or NIST CSF as our cybersecurity framework, and our recommendations are based on this.
For our overall evaluation, we use the CMMI framework to assess and communicate maturity level.
We use the CIS18 framework for the assessment of security controls and their maturity level.
Other frameworks can be substituted on request.
As this assessment is a full review of the organisation's security posture, from firewall rules to polices and governance documents. A few additional assessment methodologies will be used throughout the engagement. In short, these are:
| [Technical assessment] | These are an audit of the appropriate configuration/setup/architecture and are verified independently. |
| [Document review] | Here, we review an appropriate piece of documentation to ensure compliance with a given standard; this could be the Business Impact Assessment (BIA) documents needed for proper disaster/data recovery procedures (CIS Control 11: Data Recovery). |
| [Interviews] | Interviews will be conducted with appropriate stakeholders in order to assess the state of implementation of the appropriate control(s). |
At the end of the engagement, you will receive the following:
| [REPORTS] | A technical report with the findings of the "Assumed Breach Assessment" and a strategic report with the findings from the "Governance Assessment". |
| [DRAFTS] |
We will provide drafts for any documentation we did not find during the assessment.
Such as:
|
These will be agreed upon and further defined during the scoping process.
Practical cyber security assessment of multiple companies with reporting to group management.
Gain insight into the security posture across a portfolio of companies and subsidiaries.
Multiple "Assumed Breach Assessments" or "Governance Security Assessments" will be combined across multiple companies. To assess the individual security of entities.
These will be combined into an overall assessment of the portfolio as a whole. Resulting in a report for each entity and a report for the parent company detailing the individual risks and the risks as a whole.
In short, the deliverables from this assessment are:
For the individual companies:
For the parent company: