A breach costs more than money.
It costs trust.
Independent audits, strategic consulting, and managed cybersecurity for South African organisations where cyber risk is a board-level concern — not just an IT one.
The numbers don't lie
Cyber attacks are increasing in frequency, sophistication, and cost. Most organisations are underprepared.
Could this happen to you?
These aren't hypotheticals. They're composites of real incidents we've responded to — anonymised, but accurate.
A partner clicked a link. The firm lost £2.1M.
A senior partner opened a convincing phishing email impersonating a client. Attackers gained access to the M&A deal room and redirected a completion payment to a fraudulent account.
No phishing training. No email filtering. No incident plan.
Ransomware hit on a Friday evening. Systems down for 11 days.
A fintech firm with 150 staff discovered ransomware had encrypted their production databases and backups. With no incident response retainer, they scrambled for help while the clock ticked on regulatory notification.
No endpoint detection. No network segmentation. No tested backups.
Patient records on the dark web. The ICO came calling.
A healthcare provider's unpatched VPN appliance was exploited. Attackers exfiltrated 40,000 patient records before anyone noticed. The ICO investigation lasted 14 months.
No vulnerability scanning. No access monitoring. No patch management.
How an engagement works
Four steps, written down. No surprises in the middle. No hand-off to a junior at the end.
Initial consultation
A 30-minute conversation with a senior consultant. We listen, ask the questions you have not been asked before, and tell you what we would do differently. Free of charge, no obligation.
Scoping & proposal
A written agreement on objectives, depth, timeline, and price. Clear about what is in scope, what is not, and what evidence we will need from your team.
Audit & delivery
On-site or remote, evidence-based, structured. We review controls, test where appropriate, and document findings as we go — not at the end.
Report & roadmap
An executive summary your board will read, a technical findings register your engineers can act on, and a prioritised remediation roadmap with realistic dates.
What you walk away with
Every audit produces six tangible artefacts. Each one has a named audience and a real purpose.
Executive summary
A clear, board-ready narrative of where the organisation stands. No jargon, no padding — written to be read in ten minutes.
Technical findings register
Every finding catalogued with severity, evidence, affected systems, and recommended remediation. The artefact your engineers will work from.
Prioritised remediation roadmap
A 30/60/90/180-day plan ranked by risk reduction and effort. Pragmatic, not theoretical — sized to what your team can actually deliver.
Compliance gap analysis
Where you stand against UK GDPR, FCA, ICO, and CIS Controls — mapped to specific clauses, with evidence of compliance or the gap that needs closing.
Board-level debrief
A live session with the leadership team to walk through findings, surface trade-offs, and answer the questions that always come up after the report lands.
Retest after remediation
Once you have closed the findings, we re-verify. The final report goes into your compliance folder as evidence — and into your insurer's file as proof of due diligence.
Where engagements go from here
Most relationships start with an audit. What happens next depends on what we find — and what you decide to do about it.
Cybersecurity audit
An independent, evidence-based assessment of your controls, processes, and exposure. Built for regulated UK businesses where audit-grade documentation is the entry ticket — not a nice-to-have.
See what's in an audit →
Fully managed cybersecurity
Fully aligned with POPIA, CIPC, and South African regulatory requirements — so your compliance posture is maintained without the overhead.
See the managed service →
Consulting & enterprise architecture
Senior-level advisory for South African regulated businesses. We understand the POPIA landscape, CIPC obligations, and local cloud considerations — and speak plainly about risk.
Explore consulting →
Sectors we work in
Regulated, high-stakes industries where the cost of a misstep is measured in regulatory exposure, client trust, and operational downtime.
Financial services
Investment managers, fintechs, payments. Operational resilience, third-party risk, incident reporting.
Legal (SRA)
Law firms handling M&A, conveyancing, and high-value litigation. Client confidentiality is non-negotiable.
Healthcare (NHS DSPT)
Private clinics, group practices, allied health. Patient data, DSPT readiness, ICO exposure.
Insurance (PRA)
MGAs, brokers, underwriters. Solvency II adjacency, cyber underwriting due diligence.
Accountancy (ICAEW)
Practices managing client financial data, tax filings, and Companies House submissions year-round.
Manufacturing (NIS2)
Operational technology, supply-chain dependencies, the kind of downtime that empties a warehouse floor.
Recent engagements
Anonymised at the client's request. The detail is real — the names are not.
A boutique investment firm with £400M AUM needed a pre-FCA-inspection cyber audit and could not afford a single finding to be unanswered when the visit happened.
Full audit completed in 14 working days. 47 findings; 41 closed before the inspection. The remaining 6 were documented with a written remediation plan accepted by the regulator.
A 90-partner firm had outgrown its outsourced IT supplier and wanted to bring security in-house — but had no internal capacity to design the operating model.
We designed and ran the security operating model for nine months while the firm hired its first full-time CISO. Hand-over was clean; the team kept the playbooks we built.
A specialist clinic group discovered an active attacker in their environment on a Thursday afternoon. Patient records, appointment systems, the lot.
Containment within 4 hours. Forensic timeline delivered to the ICO within the statutory window. No regulatory fine. Operations restored from clean backups inside 72 hours.
A practice, not a product.
We work with South African organisations where reliability, security, and compliance are non-negotiable — finance, legal, healthcare, and enterprise.
We operate the way a Big-4 advisory engagement does — senior consultants, written deliverables, board-ready summaries — at a scale that fits a mid-market practice.
Senior-led delivery
The consultant in your scoping call is the consultant doing the work. No junior hand-off. No surprises in invoicing.
AI-supervised operations
Our managed cybersecurity stack uses AI to triage alerts at machine speed — but a human owns every decision that matters.
Audit-first methodology
We start every relationship with an audit. You get evidence before you get an opinion, and a roadmap before you get a sales pitch.
Direct consultant access
No tier-one queues. Your engagement has named consultants you can reach. The same names appear in your monthly review.
Technology partners and frameworks
Vendor-neutral by policy. We carry deep operational experience across the platforms below, and align engagements to the frameworks our clients are accountable to.
What clients ask first.
We are smaller than the firms on your case-study page. Are we wasting your time?
If your business has board-level cyber risk — and almost every regulated firm does — we are the right shape of practice for you. The audits we run for a 40-person law firm look different from the ones we run for a 400-person fintech, but the rigour is the same.
We already have anti-virus, an MSP, and a firewall. Why an audit?
Because none of those answer the question your board will ask after an incident: did we know about this exposure, and if not, why not? An audit produces the document that answers that question — before the incident, not after.
How is this priced?
Fixed-fee against a written scope. We never charge by the hour for audits — the incentive should be on us to be efficient, not on you to watch the meter. Managed services are monthly retainer; consulting is project or fractional.
We do not have an internal IT team. Can you still help?
That is more common than you would think, particularly in mid-market professional services. We work alongside your outsourced IT supplier or, in managed engagements, take on the function in full.
What is your typical engagement timeline?
A standard cybersecurity audit runs four to six weeks from kick-off to final report. Managed services have a 30-day onboarding. Incident response is measured in hours, not weeks.
If we engage you for an audit, are you going to pitch us managed services?
We will tell you what we think the right shape of follow-on engagement is — including "you do not need a managed service, you need to fix three things and we will retest in six months." An audit that always ends in an upsell is not an audit.
Insights & resources
What we have written, and what we are about to publish.
What an FCA cyber inspection actually looks like
A walk-through of the questions, the documents, and the moments the inspector pauses. Drawn from four engagements.
Read the article →
Pre-audit readiness checklist
The 28-point list we send to clients in week one. Pragmatic, evidence-oriented, no theatre.
Coming soon
Incident response playbook (template)
A board-ready IR playbook scaffold, including communication trees, regulator timelines, and forensic chain-of-custody.
Coming soon