All services and capabilities

Clarifying and prioritizing risk models, understanding risk tolerance and mitigation techniques increase ROI on security investments by an order of magnitude.

We use FAIR, NIST SP 800-39, ISO 31000 and other methodologies along with decades of professional experience to deliver practical understanding: what should you be worried about and why, what should your spending priorities be and what does “acceptably secure” mean for various assets.

We can help you mitigate cybersecurity risks without compromising on usability and flexibility of your solutions. From setting long-term security goals to choosing efficient strategies for each stage, our experienced security managers and engineers will provide strategic and tactical advice along your journey.

Modern privacy regulations mandate security features and outline the expected outcomes. They are defined in terms of digital rights, loss avoidance, ability to manage risks. There is a growing gap between the general compliance demands — which cannot be implemented by a standardised checklist — and the practical implementation efforts.

We translate the language of compliance requirements to your business and your technological stack. We will guide you towards the right security efforts and clarify, what is a high priority and a “must-have”, and what sets the right balance between security, cost, and operational trade-offs.

We can run your security for a while. With our assistance, defining security architecture, managing data security strategy, implementing secure software development lifecycle and improving security infrastructure becomes an easy task. We help to prioritise security features, find appropriate automation tools, and always be in sync with the latest regulations and guidelines.

Whether it’s a few policies that are missing, a fully blown ITSM / ISO 27k security management system, or day-to-day decisions, – we can supplement your team and help you define, set up, maintain and improve crucial processes that improve security posture. From granular efforts like defining network and application security policies to large-scale programs like building Security Controls Framework coverage roadmaps, we’re happy to offer our experience in long-term planning and execution.

Designing e2ee and traditional crypto systems requires clear understanding of threat model, usage scenario, platform specificity, among other things. We’ve perfected our skills in designing and implementing end-to-end encrypted schemes for mobile and web applications, within microservice and traditional monolith server environments, both in our own products and within customers solutions.

Sometimes things you are working on don’t fit the traditional scenarios. Are you implementing a novel cryptographic feature for your blockchain system? Or designing a zero-knowledge authentication scheme that suits your needs but doesn’t have a community-vetted implementation? We can assist you in implementation, getting and passing 3rd party reviews and assessments, and gaining confidence in your tooling.

Cryptographic system audit consists of multiple layers — examining the cryptographic protocol for risks and flaws, making sure the implementation conforms with the protocol and reviewing the code itself for bugs and mistakes. Even if you have sufficient expertise in-house, vetting cryptographic decisions is a laborious process that requires many trained eyes to look at design docs and code.

When examining your products, we proceed layer by layer looking for design flaws, reviewing code manually and using automated techniques, writing unit and integration test suites. The resulting reports contain cryptographic analysis, security and logic issues in protocol and implementation, and improvement suggestions based on our experience in building cryptographic software.

Whether it’s one of our products, a custom solution, piece of code, or security architecture design — we are happy to provide ongoing support and oversight for them as these deliverables evolve and require improvements over time. We work via fixed SLAs on reaction time, with our own monitoring capacity if necessary.

Cybersecurity skills are scarce and hard to attain. In building your software, they're essential to mitigate business risks (business continuity, reputation) and compliance risks (such as GDPR and industry-specific regulations like HIPAA, PCI DSS).

Being good at software development does not equal having good cyber security skills. It takes more than reading a few manuals to get things right.

No engagement lasts forever. Whenever we start doing work with you – we’re already thinking how to help you hire the right people to run your security without us. We can help define organizational roles, required competences, interview key staff and make sure that whatever we build for you – they carry along well.

For existing staff and newly elected security champions – we’ve got a training program that educates builders on key aspects of how to build securely – so as a part of our engagements, we can train teams in basics of security architecture and engineering.

Training gets perfectly complemented by actually implementing security controls and systems together, if your team is up to it, delivering both learning and results in one shot.