Security Consulting
Senior advice without senior consultancy fees. Risk assessments, architecture reviews, incident response planning, and strategic security leadership on demand.
Most UK businesses don't need a full-time security team. They need the right advice at the right time.
Security consulting covers the work that doesn't fit neatly into a penetration test or a certification. The architecture decision being made under time pressure. The board presentation that needs to convey risk clearly without drowning in technical detail. The acquisition that's two weeks from completion and nobody has looked at the target's security posture.
Engagements range from a single day spent on a specific question, to ongoing fractional security leadership where we sit alongside your leadership team and represent security as a discipline across the business. All of it delivered at the senior level: the person you talk to is the person who does the work.
What we help with.
Risk and gap assessments
Where are you actually exposed, and what should you fix first? We produce ranked, business-aware risk assessments that reflect your specific environment and obligations. Useful for boards, insurers, investors, and your own planning. Not generic checklists.
Security architecture
Designing or reviewing the security dimension of your technical stack. Identity architecture, network segmentation, secrets management, data flow controls. Particularly relevant during cloud migrations, scale-up phases, or post-acquisition integration where security needs to be built in rather than bolted on.
Compliance strategy
ISO 27001, SOC 2, the General Data Protection Regulation, sector-specific requirements including Financial Conduct Authority obligations, NHS Data Security and Protection Toolkit, and Ministry of Defence supply chain standards. We help you decide what's actually worth pursuing, in what order, and build a realistic programme to get there. For ISO 27001 specifically, see our dedicated ISO 27001 consultancy.
Incident response readiness
You don't want to be writing your incident response plan during an incident. We build runbooks for the most likely scenarios, run tabletop exercises to test them, and help you establish the relationships you'll need before anything goes wrong: legal, digital forensics, cyber insurance, and regulators.
Mergers and acquisitions due diligence
Buying a business means inheriting its security posture, its exposure, its undisclosed incidents, and its remediation cost. We assess the cyber risk you're actually taking on before completion. Selling? We help you present a clean picture, identify what needs addressing before data rooms open, and pre-empt the questions that typically surface during due diligence.
Fractional security leadership
For organisations that need senior security leadership but can't justify a full-time hire. We join leadership calls, lead board-level security reporting, manage the security programme, and represent you to clients, regulators, and prospective investors. Typically one to four days per month on a retainer basis. This is now a dedicated service: fractional CISO and Information Security Manager.
Three ways to work together.
Day-rate
For specific pieces of work with a clear scope. Architecture review, board presentation preparation, pre-acquisition assessment. Fixed scope, fixed price.
Fixed-price packages
Defined deliverables: gap analysis, architecture review, incident response plan. Scoped, priced, delivered. No hourly billing or scope creep.
Retained advisory
Ongoing access to senior security input. Typically one to four days per month. Available for questions, reviews, leadership calls, and emerging issues without a new engagement each time.
When to consider security consulting.
Security consulting tends to come up at inflection points: when something has changed in the business, when something is about to change, or when something has gone wrong.
Related capabilities
Penetration Testing
A penetration test answers one question: could a determined attacker do real harm to this business? Everything else (checklists, …
Read moreVulnerability Management
Penetration testing tells you what an attacker could do today. Vulnerability management tells you what’s changing, every …
Read moreFractional CISO & Information Security Manager
In most growing businesses, the person who answers for security is whoever is nearest. The managing director signs the Cyber …
Read more