There’s a version of cyber security that looks impressive and doesn’t work. You’ve probably seen it: the dashboard with seventeen threat categories, the quarterly report with a risk score that went from amber to green, the certificate in the reception area. Plenty of activity. Hard to say whether any of it made the business more secure.
And then there’s the work that actually matters: finding out that your IT provider has been using a shared admin account for three years, getting multi-factor authentication on the email system that’s been “on the roadmap” since 2022, making sure the laptop your finance director lost on the train last month couldn’t be accessed by whoever found it.
That second kind of work is harder to package, harder to demo, and considerably harder to invoice at the rates the first kind commands. It’s also the work that keeps businesses secure. After spending years watching that gap widen, I started Malwise.
What I kept seeing
After spending years in the British Army, then working in cyber security and governance roles across two private defence companies, the same patterns came up again and again.
Businesses that thought they were secure because they’d spent money. A managed security operations centre contract, an endpoint detection and response tool, annual penetration testing. All of it in place. No one had checked whether the endpoint detection and response agent was actually installed on the finance team’s laptops. No one had looked at the penetration test report from eighteen months ago. The managed security operations centre was generating alerts nobody was reading.
Compliance treated as the destination rather than the floor. Cyber Essentials is a good baseline standard. It is not a security programme. Businesses that certified once, renewed annually, and considered the job done were routinely operating with significant gaps the certification doesn’t cover. The certificate was real. The security it implied often wasn’t.
Junior consultants delivered as senior consultants. You agree scope with a partner. The actual work is delivered by someone two years out of university who has never seen an environment like yours before and is learning on your time. It’s not malicious. It’s how consultancies fund growth. But it’s not what you paid for and it’s not what you need when the stakes are real.
Advice shaped by what the advisor sells. If your security consultant is also a reseller, their diagnosis of your problem will tend, somehow, towards solutions they happen to stock. The incentive is structural. The advice suffers.
Most UK businesses that get breached weren't lacking tools. They were lacking basic hygiene: credentials that hadn't been rotated, multi-factor authentication that hadn't been enforced, a patch that had been available for three months. The expensive tooling was there. The boring fundamentals weren't done.
What Malwise is
Malwise is a small UK cyber security consultancy. Licensed Cyber Essentials Certification Body. Penetration testers certified through The Cyber Scheme. Based in Salisbury, working with clients in London and across the UK.
I built it around three commitments that aren’t industry standard, which tells you something about the industry.
The person you meet is the person who does the work. No bait-and-switch. No juniors delivered as seniors. If you’re talking to me about your security, I’m the one doing the assessment, the testing, the report. That’s not just a positioning statement. It’s a structural choice that limits how fast I can grow. I’m comfortable with that.
We don’t sell what you don’t need. Malwise is not a reseller. There’s no vendor relationship shaping our recommendations. If your existing IT setup is doing the job, I’ll tell you. If it isn’t, I’ll point at the smallest change that addresses the biggest risk, not the most expensive one that generates the best margin.
Certification means the controls actually work. As a licensed Cyber Essentials Certification Body, I won’t certify something I don’t believe. A certificate that doesn’t reflect reality is worse than no certificate, because it creates false confidence. The point of the assessment is to establish what’s actually in place.
Who we work with
UK businesses that have real security obligations and real risk but no dedicated security function to handle them. Typically:
- Organisations that need Cyber Essentials or Cyber Essentials Plus for a contract, and want to understand what they’re actually certifying rather than just get through the questionnaire
- Businesses in the Microsoft 365 ecosystem that aren’t sure whether their configuration is secure or just looks secure
- Companies with IT support but no independent security input, who want a sanity check from someone with no stake in the existing setup
- Scale-ups that have grown faster than their security posture and need to close the gap before something goes wrong
We are not a managed security operations centre. We are not a 24/7 monitoring service. We are not an IT support function. We are independent security consultants who test, certify, and advise, leaving you better placed than we found you.
What this blog is for
Field notes, primarily. Things we’ve seen in real engagements. Technical issues that keep coming up. Plain-English explanations of things that matter when something complicated happens in the news.
When YellowKey (a zero-day that lets an attacker bypass BitLocker on Windows 11 with a USB stick and a few minutes of physical access) was published in May 2026, we tested it the same week. That kind of thing gets written up here because the people who need to know about it are IT managers and business owners, not just security researchers.
The bias is practical. If it doesn’t change what you do, it probably doesn’t belong here.
If there’s something you’d like us to look at, get in touch.