Managed Cybersecurity and IT Services

A breach costs more than money. It costs trust.

Independent audits, strategic consulting, and managed cybersecurity for South African organisations where cyber risk is a board-level concern — not just an IT one.

Practice credentials
Senior-led delivery · CIS Controls aligned · ISO 27001 framework · POPIA aligned

The numbers don't lie

Cyber attacks are increasing in frequency, sophistication, and cost. Most organisations are underprepared.

#1 most targeted country for cyber attacks in Africa
R49M average cost of a data breach in South Africa
22% year-on-year increase in ransomware attacks
54% of SA organisations experienced a significant cyber incident

New for 2026

The attacker has new tools.

AI-augmented attacks — deepfake-enabled BEC, autonomous vulnerability discovery, agent-driven exfiltration — are no longer theoretical. South African firms are being hit this quarter.

Source: IBM Cost of a Data Breach Report / Interpol Africa Cyberthreat Assessment

Could this happen to you?

These aren't hypotheticals. They're composites of real incidents we've responded to — anonymised, but accurate.

LEGAL

A partner clicked a link. The firm lost R38 million.

A senior partner opened a convincing phishing email impersonating a client. Attackers gained access to the M&A deal room and redirected a completion payment to a fraudulent account.

No phishing training. No email filtering. No incident plan.

FINANCE

Ransomware hit on a Friday evening. Systems down for 11 days.

A fintech firm with 150 staff discovered ransomware had encrypted their production databases and backups. With no incident response retainer, they scrambled for help while the §22 notification clock to the Information Regulator ticked.

No endpoint detection. No network segmentation. No tested backups.

HEALTHCARE

Patient records on the dark web. The Information Regulator came calling.

A healthcare provider's unpatched VPN appliance was exploited. Attackers exfiltrated 40,000 patient records before anyone noticed. The Information Regulator's enforcement engagement lasted 14 months.

No vulnerability scanning. No access monitoring. No patch management.

How an engagement works

Four steps, written down. No surprises in the middle. No hand-off to a junior at the end.

Step 01

Initial consultation

A 30-minute conversation with a senior consultant. We listen, ask the questions you have not been asked before, and tell you what we would do differently. Free of charge, no obligation.

Step 02

Scoping & proposal

A written agreement on objectives, depth, timeline, and price. Clear about what is in scope, what is not, and what evidence we will need from your team.

Step 03

Audit & delivery

On-site or remote, evidence-based, structured. We review controls, test where appropriate, and document findings as we go — not at the end.

Step 04

Report & roadmap

An executive summary your board will read, a technical findings register your engineers can act on, and a prioritised remediation roadmap with realistic dates.

What you walk away with

Every audit produces six tangible artefacts. Each one has a named audience and a real purpose.

Executive summary

A clear, board-ready narrative of where the organisation stands. No jargon, no padding — written to be read in ten minutes.

Technical findings register

Every finding catalogued with severity, evidence, affected systems, and recommended remediation. The artefact your engineers will work from.

Prioritised remediation roadmap

A 30/60/90/180-day plan ranked by risk reduction and effort. Pragmatic, not theoretical — sized to what your team can actually deliver.

Compliance gap analysis

Where you stand against POPIA, FSCA, FAIS, and CIS Controls — mapped to specific clauses, with evidence of compliance or the gap that needs closing.

Board-level debrief

A live session with the leadership team to walk through findings, surface trade-offs, and answer the questions that always come up after the report lands.

Retest after remediation

Once you have closed the findings, we re-verify. The final report goes into your compliance folder as evidence — and into your insurer's file as proof of due diligence.

Where engagements go from here

Most relationships start with an audit. Cyber, AI, or both — what happens next depends on what we find.

Step 02a · The foundation

Managed IT Services

We run the whole IT function — security, cloud, devices, helpdesk, networking. The audit's findings flow into the managed engagement, where they get closed and stay closed.

Step 02b · Strategic advisory

Consulting & enterprise architecture

Senior-level advisory for South African regulated businesses. We understand the POPIA landscape, CIPC obligations, and local cloud considerations — and speak plainly about risk.


Recent engagements

Anonymised at the client's request. The detail is real — the names are not.

MINING & RESOURCES
Challenge

A mid-tier platinum producer in Limpopo detected unusual lateral movement targeting its operational technology environment in the week before a scheduled Asian shipment. A successful OT compromise would have triggered force-majeure exposure across three offtake contracts.

Outcome

Senior-led OT/IT segmentation completed in 11 days. Lateral path closed; PLC firmware-update servers placed behind jump-host only. No production loss. Quarterly OT readiness reviews built into the ongoing managed service.

LEGAL — TRUST ACCOUNT
Challenge

A 60-attorney conveyancing firm faced an LPC inquiry after R12 million was transferred from a section 86(4) trust account to a fraudulent beneficiary via spoofed-domain BEC. The transferring attorney had been social-engineered three weeks earlier.

Outcome

Forensic timeline delivered to the LPC within seven days. Trust-account transfer controls hardened to a dual-channel verification protocol with sender-domain integrity checks. The inquiry closed without sanction; the firm now retains us on a 30-minute IR retainer.

HOSPITAL GROUP
Challenge

A private hospital group operating across three provinces detected ransomware encryption on a Friday afternoon ahead of a long weekend. The estate included SAHPRA-classified clinical decision-support systems and HPCSA-supervised practitioners, and manual fallback procedures were untested in two facilities.

Outcome

Containment within 6 hours. No clinical disruption — manual processes held until Monday in the affected sites. POPIA §22 notification delivered to the Information Regulator on Tuesday. Post-incident SAHPRA SaMD audit closed with no findings.

Why Rhentech

A practice, not a product.

We work with South African organisations where reliability, security, and compliance are non-negotiable — finance, legal, healthcare, and enterprise.

We operate the way a Big-4 advisory engagement does — senior consultants, written deliverables, board-ready summaries — at a scale that fits a mid-market practice.

Senior-led delivery

The consultant in your scoping call is the consultant doing the work. No junior hand-off. No surprises in invoicing.

AI-supervised operations

Our managed cybersecurity stack uses AI to triage alerts at machine speed — but a human owns every decision that matters.

Long-term relational depth

Managed clients aren't logos on a wall. We work in your environment week after week, year after year. Over time, we don't just secure your IT — we come to know your people, your processes, and your business. That depth makes every subsequent recommendation better than the last one.

Direct consultant access

No tier-one queues. Your engagement has named consultants you can reach. The same names appear in your monthly review.

Technology partners and frameworks

Vendor-neutral by policy. We carry deep operational experience across the platforms below, and align engagements to the frameworks our clients are accountable to.

Technology partners
Microsoft · CrowdStrike · Fortinet · Sophos · Qualys · Cloudflare

Frameworks & accreditations
CIS Controls · ISO 27001 · NIST CSF · OWASP · POPIA aligned · ISO 22301

Common questions

What clients ask first.

We are smaller than the firms on your case-study page. Are we wasting your time?

If your business has board-level cyber risk — and almost every regulated firm does — we are the right shape of practice for you. The audits we run for a 40-person law firm look different from the ones we run for a 400-person fintech, but the rigour is the same.

We already have anti-virus, an MSP, and a firewall. Why an audit?

Because none of those answer the question your board will ask after an incident: did we know about this exposure, and if not, why not? An audit produces the document that answers that question — before the incident, not after.

How is this priced?

Fixed-fee against a written scope. We never charge by the hour for audits — the incentive should be on us to be efficient, not on you to watch the meter. Managed services are monthly retainer; consulting is project or fractional.

We do not have an internal IT team. Can you still help?

That is more common than you would think, particularly in mid-market professional services. We work alongside your outsourced IT supplier or, in managed engagements, take on the function in full.

What is your typical engagement timeline?

A standard cybersecurity audit runs four to six weeks from kick-off to final report. Managed services have a 30-day onboarding. Incident response is measured in hours, not weeks.

If we engage you for an audit, are you going to pitch us managed services?

We will tell you what we think the right shape of follow-on engagement is — including "you do not need a managed service, you need to fix three things and we will retest in six months." An audit that always ends in an upsell is not an audit.

Insights & resources

What we have written, and what we are about to publish.

ARTICLE

What an FSCA cyber inspection actually looks like

A walk-through of the questions, the documents, and the moments the inspector pauses. Drawn from four engagements.

CHECKLIST

Pre-audit readiness checklist

The 28-point list we send to clients in week one. Pragmatic, evidence-oriented, no theatre.

Coming soon

PLAYBOOK

Incident response playbook (template)

A board-ready IR playbook scaffold, including communication trees, regulator timelines, and forensic chain-of-custody.

Coming soon

A conversation, no commitment

Let's talk about your risk.

A 30-minute call with a senior consultant. Free of charge. No sales follow-up unless you ask for one.

Book a free consultation

We respond within one business day.