
Services
Most security work is sold as a project: certify once, ship, forget. In AI-era systems — where data, models, prompts, tools and integrations change weekly — that model fails the day after the certificate is signed. We treat security and compliance as a continuous operating capability: designed in, evidenced automatically, and run to the standards your auditors, regulators and enterprise customers actually test you on.
This practice is led by Patrick — ten years in banking and financial services, a hands-on cybersecurity and enterprise-security-architecture (SABSA) background, and ex-Google. It's the same discipline we hold our own products to.
How we align with the standards that matter
We are not a certification body and we don't sell you a certificate. We design, build and operate your systems so they map to — and continuously produce evidence against — the control frameworks your auditors, regulators and customers' procurement teams test you on. When the SOC 2 readiness assessment, the regulator, or the 300-line security questionnaire arrives, the controls and the evidence already exist.
Security & cloud: ISO/IEC 27001, SOC 1 / SOC 2 (Type I & II) / SOC 3, PCI DSS v4.0, NIST SP 800-53, NIST Cybersecurity Framework (CSF) 2.0, CIS Controls & Benchmarks, CSA Cloud Controls Matrix (CCM) & STAR, ISO/IEC 27017 and 27018.
AI-specific: AI Trust & Safety — guardrails, red-teaming, evals and responsible-AI governance against ISO/IEC 42001, the NIST AI RMF, the OWASP LLM Top 10 and the EU AI Act — is its own practice. See our AI Trust & Safety service.
Privacy & data protection: GDPR, ISO/IEC 27701, the NZ Privacy Act 2020, the Australian Privacy Principles, and HIPAA where health data is in scope.
Sector & regional: APRA CPS 234 and CPS 230 for financial services, the ACSC Essential Eight, SABSA for enterprise security architecture, and MITRE ATT&CK for threat modelling.
What we design, build and operate
The controls that make the frameworks above real — wired into the systems, not bolted on after a breach.
Encryption & key management. Encryption at rest and in transit (TLS 1.3, mTLS between services), envelope encryption via cloud KMS, HSM-backed keys, and either Bring-Your-Own-Key, where you generate the key and control its lifecycle, or Hold-Your-Own-Key / external key management, where the key material never leaves an HSM you control, so custody stays with you. Tokenisation and field-level encryption where the data warrants it.
Secrets & rotation. Centralised secrets management, short-lived credentials, automated rotation on a defined cadence, and no long-lived keys in code or CI.
Identity & access. SSO and federation against your IdP (Okta, Microsoft Entra ID, Google), OAuth 2.0 / OIDC, SCIM provisioning, RBAC and ABAC, least-privilege by default — and intent-based authorisation for the agent era, where the "user" may be a human, a service account, or a chained tool call.
Network security. Private-by-default networking, segmentation and zero-trust service identity, scoped and monitored egress, and WAF / edge protection on anything public.
Auditing, logging & detection. Immutable, tamper-evident audit trails, structured logging, SIEM integration, alert routing that wakes the right person, and anomaly detection tuned to your workloads.
Vulnerability & supply chain. Dependency CVE tracking, software composition analysis, SAST and DAST in CI, an SBOM for every build, secure-SDLC gates, and penetration testing so the design is challenged before production.
Continuous compliance. Control evidence collected automatically, policy-as-code gates that catch drift in CI rather than in production, and a controls dashboard your CISO can read at a glance.
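What "immutable, tamper-evident audit trails" means in practice, as an added illustration rather than code from this practice: each entry is bound to the previous one by hash and sealed with an HMAC, so editing, reordering or re-hashing an entry breaks verification. The signing key, the events and the anchored head hash are all constructed for the example; in production the key would be KMS-backed and unreadable by the writer. The caveat the example also shows: a hash chain alone cannot detect truncation, so the head hash has to be anchored somewhere outside the log.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

# Assumption: in production this key lives in the secrets manager / KMS and is
# never readable by the service that writes the log. A fixed, constructed key
# is used here only so the example runs offline.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first entry

Entry = Dict[str, Any]


def _canonical(body: Dict[str, Any]) -> bytes:
    # Deterministic serialisation: every verifier must hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[Entry], event: Dict[str, Any], key: bytes = AUDIT_KEY) -> Entry:
    """Append an event, binding it to the previous entry by hash and sealing it with an HMAC."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev, "event": event}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, hmac=tag)
    chain.append(entry)
    return entry


def verify_chain(chain: List[Entry], key: bytes = AUDIT_KEY) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every entry is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i  # reordered, inserted or deleted entry
        body = {"seq": entry["seq"], "prev_hash": entry["prev_hash"], "event": entry["event"]}
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, entry["entry_hash"]):
            return False, i  # contents edited after the fact
        expected_tag = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["hmac"]):
            return False, i  # re-hashed by someone who does not hold the key
        prev = entry["entry_hash"]
    return True, None


def verify_with_anchor(chain: List[Entry], anchored_head: str,
                       key: bytes = AUDIT_KEY) -> Tuple[bool, Optional[int]]:
    """A hash chain cannot detect truncation by itself: the head hash must be anchored
    elsewhere (a WORM bucket, a transparency log, a line in the evidence pack)."""
    ok, bad = verify_chain(chain, key)
    if not ok:
        return False, bad
    if not chain or chain[-1]["entry_hash"] != anchored_head:
        return False, len(chain)  # log rolled back or truncated after the anchor was taken
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Build a small log from constructed events and exercise each tamper case."""
    chain: List[Entry] = []
    append_event(chain, {"actor": "alice", "action": "login", "result": "ok"})
    append_event(chain, {"actor": "alice", "action": "read", "resource": "customer/42"})
    append_event(chain, {"actor": "svc-billing", "action": "export", "resource": "invoices"})
    anchored_head = chain[-1]["entry_hash"]  # what you would publish out-of-band

    edited = [dict(e) for e in chain]
    edited[1]["event"] = dict(edited[1]["event"], resource="customer/1")  # rewrite history

    truncated = chain[:-1]  # drop the export event entirely

    return {
        "intact": verify_with_anchor(chain, anchored_head),
        "edited": verify_with_anchor(edited, anchored_head),
        "truncated_chain_only": verify_chain(truncated),
        "truncated_with_anchor": verify_with_anchor(truncated, anchored_head),
        "wrong_key": verify_chain(chain, b"attacker-key"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>22}: {result}")
```

The chain-only check passes on the truncated log; only the anchored head catches it. That is why the evidence pack, not the log store, should carry the latest head hash.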
How it works
2–6 weeks to a baseline, then continuous. Per engagement:
Assess current posture against the framework that matters to you, and produce a prioritised gap-and-remediation plan.
Wire in continuous control-evidence collection and a controls dashboard.
Stand up secret rotation, CVE / dependency tracking, and SAST/DAST in your pipeline.
Build the audit trail and evidence pack your regulator or your customers' procurement team will ask for.
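The shape of a policy-as-code gate that produces control evidence on every run, as an added example that is not this practice's tooling: a rule set evaluated over a resource inventory, emitting a pass/fail record per resource and rule (the evidence) and a non-zero exit status when anything has drifted (the CI gate). The inventory, the 90-day rotation cadence and the fixed evaluation date are constructed so the run is deterministic; the SOC 2 criteria references are illustrative and would be confirmed against your own control mapping.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any, Callable, Dict, List

Resource = Dict[str, Any]

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation cadence; take it from your policy


@dataclass(frozen=True)
class Rule:
    rule_id: str
    control: str        # illustrative control reference; confirm with your auditor
    applies_to: str     # resource type the rule evaluates
    description: str
    check: Callable[[Resource, date], bool]  # True means compliant


RULES: List[Rule] = [
    Rule("TLS-01", "SOC 2 CC6.7", "listener",
         "Public listeners accept TLS 1.3 only",
         lambda r, today: r.get("tls_min_version") == "1.3"),
    Rule("KEY-01", "SOC 2 CC6.1", "access_key",
         f"Access keys rotated within {MAX_KEY_AGE.days} days",
         lambda r, today: today - date.fromisoformat(r["created"]) <= MAX_KEY_AGE),
    Rule("STO-01", "SOC 2 CC6.1", "bucket",
         "Object storage is not publicly readable",
         lambda r, today: not r.get("public", False)),
    Rule("NET-01", "SOC 2 CC6.6", "service",
         "Service egress is scoped, not 0.0.0.0/0",
         lambda r, today: r.get("egress") != "0.0.0.0/0"),
]

# Constructed inventory standing in for a cloud API or IaC state export.
SAMPLE_INVENTORY: List[Resource] = [
    {"id": "lb-public-api", "type": "listener", "tls_min_version": "1.2"},
    {"id": "lb-admin", "type": "listener", "tls_min_version": "1.3"},
    {"id": "key-ci-deploy", "type": "access_key", "created": "2024-01-10"},
    {"id": "key-backup", "type": "access_key", "created": "2024-05-02"},
    {"id": "bkt-invoices", "type": "bucket", "public": False},
    {"id": "bkt-assets", "type": "bucket", "public": True},
    {"id": "svc-worker", "type": "service", "egress": "0.0.0.0/0"},
]


def evaluate(inventory: List[Resource], today: date, rules: List[Rule] = RULES) -> Dict[str, Any]:
    """Run every applicable rule over every resource; return evidence records plus findings."""
    evidence: List[Dict[str, Any]] = []
    findings: List[Dict[str, Any]] = []
    for res in inventory:
        for rule in rules:
            if rule.applies_to != res["type"]:
                continue
            ok = rule.check(res, today)
            record = {"date": today.isoformat(), "rule": rule.rule_id, "control": rule.control,
                      "resource": res["id"], "result": "pass" if ok else "fail"}
            evidence.append(record)          # every check is evidence, pass or fail
            if not ok:
                findings.append(dict(record, detail=rule.description))
    return {"evidence": evidence, "findings": findings}


def ci_gate(report: Dict[str, Any]) -> int:
    """Exit status for a pipeline step: non-zero blocks the merge or deploy on drift."""
    return 1 if report["findings"] else 0


def run_demo(today: date = date(2024, 6, 1)) -> Dict[str, Any]:
    # Fixed date so the constructed key ages are reproducible (143 and 30 days).
    return evaluate(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    import json
    import sys
    report = run_demo()
    print(json.dumps(report["findings"], indent=2))
    sys.exit(ci_gate(report))
```

The evidence list is what feeds the controls dashboard and the regenerable evidence pack; the findings list is what fails the pipeline. Keeping both from one run is the point: the same check that blocks drift also proves the control operated on that date.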
Output
A control-framework mapping (ISO 27001 / SOC 2 / PCI DSS / NIST — your choice) with a prioritised gap-and-remediation plan.
A continuous-controls dashboard your CISO can read at a glance.
A secret-rotation runbook running on schedule, plus CVE tracking and SAST/DAST in your build pipeline.
An audit-ready evidence pack, regenerable on demand, mapped to the framework you're answering to.
Cost: Engagement-based — scoped to your target framework and system footprint. Continuous-operation retainers available.