Most managed-security engagements take a quarter. Ours take a week. We've factored every step of onboarding — assess, instrument, baseline, go-live — into a tight, repeatable runbook so your team can get on with running the business.
No statement-of-work negotiations. No professional services engagement. We meet on Monday and your environment is under live monitoring by Friday — your owner's first weekly digest lands the following Tuesday.
No stage takes longer than 48 hours. Every artefact you'll need for SOC 2, ISO 27001, and cyber-insurance is generated as a by-product.
A single 90-minute conversation. We learn what your business does, what data matters, what tools you already run. You leave with a written plan.
Endpoints, cloud accounts, identity provider, business-critical SaaS, where the crown-jewel data lives.
Industry-specific threat profile (BEC for professional services, ransomware for logistics, etc.).
What frameworks you need to meet — SOC 2, ISO 27001, HIPAA, IRAP, ADGM — and which controls we cover.
You leave with a one-page onboarding plan and a price locked for 24 months.
Connect your identity, cloud, and SaaS sources via OAuth and read-only roles — no API keys to manage. Most customers finish this in well under a day of IT-lead time.
No service accounts to manage. Every connector is OAuth, scoped, and revocable.
Telemetry connectors never have write scopes. Response actions use a separate, opt-in role.
If you prefer infrastructure-as-code, our Terraform module provisions the AWS/GCP roles in 4 lines.
For environments without cloud SIEM, a small forwarder VM ships logs over mTLS to our ingestion fabric.
A signed agent package pushed via your existing MDM (Intune, Jamf, Kandji, JumpCloud). No user action. No reboot. Median deployment: 22 minutes from package upload to 100% fleet coverage on a 200-device tenant.
The agent collects telemetry; detection runs server-side. Battery and CPU impact is measured in tenths of a percent.
Agent integrity verified at every check-in. Removal requires customer-portal authorisation.
Already running an EDR you like? We layer on top — our agent becomes optional supplemental telemetry. No rip-and-replace.
For customers who let us help with onboarding new laptops, we ship CIS-benchmark-aligned baseline images.
For 14 days, the model learns what "normal" looks like for your business — login patterns, working hours, geographies, app usage, file movement. By day 14, anomaly scoring is calibrated to your tenant. Detection sensitivity is then tuned with you, not for you.
Login times, geos, devices, MFA habits, app reach, data-egress patterns.
Process trees, scheduled tasks, network destinations, parent-child binary lineage, signing chains.
Aggregate working-hours envelope, payroll cycles, M&A noise, vendor patterns. Used to score escalation context.
While baselines learn, ~120 universally true detections (known-bad IoCs, signed-malware hashes, suspicious OAuth grants) run from minute one.
Before we go live, we run a simulated incident on your environment — a fake compromised laptop, a fake exposed credential, a fake suspicious payment. You decide who in the business gets paged for what, what we can act on automatically, and what needs a human approval.
Tailored to your industry. We've run thousands of these — your scenarios will feel uncomfortably familiar.
Who gets paged at 3am? Who's the backup? What's the SMS vs phone-call threshold? Documented and tested.
For each detection class, you choose: notify-only, propose-and-approve, or pre-authorised auto-action.
The tabletop output is exactly the artefact most cyber-insurance carriers ask for at renewal.
No fanfare. The SOC takes ownership. Your customer portal lights up. The on-shift Tier 2 introduces themselves over a 5-minute call. The first weekly digest lands in the owner's inbox the following Tuesday at 8am local time.
Meet the on-shift analyst. Confirm contact tree. Get a direct phone number that's manned, always.
Owner, IT lead, finance lead — each with the right view. SAML-based for Keep and Citadel.
Whatever fires first — even a low-severity policy nudge — gets human eyes inside your tier's response SLA.
Your CSM books a 30-day review on day 6. We measure what we promised against what happened.
Onboarding is the easy part. The work is in the years that follow — staying calibrated as your business changes, your tooling drifts, and the threat landscape moves.
Tier 1 / Tier 2 analysts on shift in Sydney and Dubai, with Tier 3 on call. Someone is always reading your alerts.
Tuesday 8am local. One page. Score, three fixes, anything noteworthy. Read in three minutes between coffees.
A 30-minute video call with your CSM. Review fleet score, retire stale risks, queue up next month's three fixes.
A fresh simulated incident. Different scenario. Sharpens your contact tree. Refreshes your auto-response policy.
Our detection engineering team ships new rules and model improvements every week. They light up across your tenant automatically — no upgrade window.
A button in the portal. A phone number on every page. A direct Slack/Teams channel if you want one.
Method exists because we have a strong opinion about what good managed security looks like for an SMB. These are the three positions we won't compromise on.
If we wake you up, it's worth waking up for. We hold ourselves to a strict noise budget per tenant per month. If we exceed it, we tune ourselves before tuning your patience.
Every owner-facing artefact passes a readability check before it ships. If a non-technical board member can't read your monthly report in 90 seconds, we've failed.
AI proposes; analysts approve. We will never auto-action high-impact responses without explicit, customer-configured pre-authorisation. The model serves the analyst, not the other way around.