Lockpoint Cybersecurity & IT engineering · DACH / Adriatic / UK

Something about your IT feels off. You’re right.

You feel it in every slow onboarding, surprise cloud invoice, and unanswered client questionnaire, even when nobody can name the cause. We can. Fifteen years running exchange infrastructure in Frankfurt, Zürich, and New York taught us what well-designed looks like. We build it for firms of 30 to 500 people, then run it.

Lockpoint / register 2026

  • In-house specialists: 18
  • Vetted expert network: ~40
  • Exchange operations: 15 yrs
  • Hubs: FRA · SPU · BEG
  • Working languages: EN · DE · HR
  • Vendor partnerships: 0, by design

The feeling, named

You can’t point at it. But you keep hearing it.

Every new hire waits days for access. Nobody can say why.

Heard from a COO

The cloud bill doubled in a year. Nobody can say which half does anything.

Heard from a CFO

One admin knows how it all hangs together. He’s on holiday.

Heard from a CEO

The architecture diagram is from 2021. It was already wrong in 2021.

Heard from a CTO

A client sent a two-hundred-question security DDQ. The room went quiet.

Heard from a Head of Sales

We passed the audit. I still couldn’t explain our own setup to the auditor.

Heard from a Managing Director

If three of these sound familiar, you don’t have an IT problem. You have design debt: a system that grew by accident and now runs your company. Naming what’s off, precisely and in your language, is the first thing we do.

See the Clarity Assessment

Why now

“We’re not a bank” stopped being a defence.

Regulation used to be someone else’s problem. Now it reaches you in one of three ways, and two of them apply to companies that have never spoken to a supervisor.

Seat 1 · Directly regulated

The supervisor writes to you.

Banks, payment firms, asset managers, insurers, fintech, crypto. DORA has been enforced since January 2025, with ICT registers, third-party oversight, and a 72-hour incident clock. Many entities are still non-compliant and under active supervision.

Seat 2 · In scope without knowing it

The law reaches further than you think.

NIS2 goes far beyond finance: healthcare, logistics, manufacturing, energy, digital providers. Enforcement proceedings are opening against thousands of entities across Germany, Austria, and the EU, and plenty of mid-sized firms are in scope and haven’t checked.

Seat 3 · In the supply chain

Your biggest client inherits you as a risk.

Not regulated yourself? If you sell to a bank or an enterprise, their obligations flow down their outsourcing chain into your contract. Most enterprise breaches start at a vendor, so SOC 2, ISO 27001, and DORA third-party questionnaires now decide who keeps the deal.

[Timeline figure: 17 Jan 2025, DORA applies to all EU financial entities · 2024 → 2026, NIS2 lands across DE, AT and the wider EU · Today, you are here: active supervision, open proceedings, procurement audits]

DORA’s 72-hour incident clock doesn’t care which of your three vendors is responsible. Whichever seat you sit in, the pressure arrives the same way: a questionnaire, a letter, a deadline. One accountable partner means one phone number when it does.

The consultant problem

Consultants hand you a binder. We hand you a running system.

The usual answer to compliance pressure is a consultancy that produces paperwork and leaves the building. The usual answer to IT pressure is an MSSP that recommends whatever it resells. Lockpoint puts both halves in one team: engineers who ship infrastructure, and GRC practitioners who know how your client’s DDQ will be scored. We answer them line by line, and we can carry yours for you.

The consulting pattern

  • A binder of policies nobody operates
  • Findings without fixes. The fix is a second engagement.
  • Juniors learning on your invoice
  • Recommendations shaped by vendor resale margins
  • Gone the day the report lands

The Lockpoint pattern

  • Running systems plus the evidence they generate daily
  • We build the fix: MDM, SCIM, PAM, MDR, in production
  • Practitioners from exchange operations on your account
  • Zero partner status, zero resold licenses, by design
  • On call, on retainer, or operating the estate for you

The internal-team question

“We already have IT people.” Good. Keep them.

Your team is built to operate: tickets, uptime, today. Re-architecting identity, endpoints, and cloud is a different job that comes up once every few years, and doing it well means having done it many times before. We have. We design the target state with your team in the room, automate the repetitive work out of their day, and stay on call behind them.

[Fig. 02 / the same company, redrawn: Clarity → Automation → Security. Today, unmapped: shadow SaaS, a leaver who is still admin, unowned tools. After, five domains with named owners: Identity & access (SCIM lifecycle from HR data, PAM); Endpoints (zero-touch MDM, encrypted, wipeable); Cloud workloads (AWS / GCP / Azure, CIS-hardened, right-sized); Detection & response (MDR across endpoints, identity, cloud); Governance & evidence (ISO 27001, DORA, NIS2, DDQ-ready). Every tool keeps a job or loses its license. Your team runs the result; we stay on call behind them.]

This is the honest division of labour: your team knows your business; we know what this transformation looks like, because we’ve run it before. Most internal teams never get to do it twice. Ours does it for a living.

After the redraw, your people operate a system that explains itself: access from HR data, devices that configure themselves, evidence that exports on demand. The work that made IT thankless is the work we automate away. See how we fit beside a team →

Tailored, not templated

Best practices go in. Your architecture comes out.

We arrive with blueprints: patterns proven where failure makes headlines, anchored to international standards like CIS Benchmarks and ISO 27001. But no two firms get the same build. The blueprint bends to your business, your tools, and your obligations, never the other way around.

  • Designed with you, not delivered to you. Your team is in the room, every decision is explained, and the final diagram is one you could redraw on a whiteboard. Understanding is the deliverable; ownership is the result.
  • No one-size-fits-all stack. We hold no vendor partnerships and resell nothing, so the design fits your estate and your budget, not a reseller’s price list.
  • It stays yours. Documentation, runbooks, registers, and diagrams are handed over as we go. If we disappeared tomorrow, your system wouldn’t.
[Fig. 01 / accidental vs. engineered architecture. Grown: tools nobody mapped, owners nobody named. Designed: identity & access, devices & endpoints, workloads & data (SCIM, MDM, MDR), mapped · automated · explainable.]

Lockpoint blueprints

Most providers leave you with more. Our engagements usually end with less.

Fewer tools

Duplicate software found, consolidated, and cancelled. In a typical engagement, 20 to 40% of SaaS licenses don’t survive the first review.

Lower spend

Cloud estates on AWS, GCP, and Azure right-sized and cleaned up. Bills commonly land 25 to 35% lighter once workloads match actual use.

One standard

Infrastructure, operations, and governance standardized on CIS Benchmarks and ISO 27001, so every audit answer is the same answer.

“Your IT didn’t fail. It was never designed. We design it, then we automate it.”

The Lockpoint method, in one sentence

How we work

Clarity, then automation, then security. In that order.

Most providers sell security first, because it’s the line item you’ll approve fastest. It fails on an undocumented environment. We sequence it last, because that’s when it works.

STEP 1

Clarity

We map every tool, account, and vendor you actually run, produce the real architecture diagram, and cut the bloat. About 30% of what most companies spend on IT is wasted. We find it and eliminate it. The same map doubles as your DORA ICT asset register.

Asset map · Access inventory · Vendor register · Waste analysis
STEP 2

Automation

Zero-touch device setup through MDM. SCIM provisioning and deprovisioning wired to your HR system. Privileged access management with an audit trail. Offboarding that runs itself. When someone leaves, how long until their access is fully revoked? Most companies don’t know. Our clients can answer in minutes.

MDM · SCIM · PAM · Auto-offboarding
STEP 3

Security

On a clean, documented environment, detection and response actually works. Managed detection and response across endpoints, identity, and cloud, with compliance evidence falling out of daily operations instead of a yearly scramble.

Hardening · MDR · Compliance evidence

What actually changes

One process, before and after.

Offboarding is where undesigned IT gets expensive. Here is what it looks like in a typical engagement, before we touch it and after the automation phase ships.

[Before: HR sends an email → someone opens a ticket → admin clicks through every system, by hand → days or weeks of live access, orphaned accounts left behind. After: HR sets the leave date → SCIM deprovisions every system → access dead in minutes, device wiped, audit log written automatically.]

Before / undesigned

  • Laptops imaged by hand, days before a new hire is productive
  • Access granted by ticket, revoked by memory
  • Nobody owns the vendor list or knows what it costs
  • Admin rights handed out and never reviewed
  • Audit evidence assembled in a panic, once a year

After / engineered

  • Zero-touch MDM enrollment: a laptop configures itself out of the box
  • SCIM creates and removes accounts straight from the HR system
  • One vendor register with owners, costs, and contract dates
  • Privileged access gated, time-boxed, and logged
  • Evidence exports on demand, mapped to DORA, ISO 27001, SOC 2
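As an added example, not Lockpoint's code and using no real client data, here is a reconciliation check for the offboarding flow described in Step 2 and in the before/after list above: it compares an HR leaver feed against an identity-provider export, flags leavers whose accounts are still active past their leave date (with the SCIM PatchOp request that would close them), and measures the leave-to-deactivation lag for cases already closed. Field names, endpoints and sample records are constructed.

```python
from datetime import datetime

# Constructed sample data (not from any real estate): the HR system's leaver
# feed and a point-in-time export of the identity provider's user list.
HR_LEAVERS = [
    {"employee_id": "e101", "email": "a.novak@example.com",
     "leave_date": "2025-03-31T17:00:00+00:00"},
    {"employee_id": "e102", "email": "b.meier@example.com",
     "leave_date": "2025-04-01T17:00:00+00:00"},
]
IDP_USERS = [
    {"id": "u1", "userName": "a.novak@example.com", "active": True,
     "deactivated_at": None, "groups": ["aws-admins"]},
    {"id": "u2", "userName": "b.meier@example.com", "active": False,
     "deactivated_at": "2025-04-01T17:04:00+00:00", "groups": []},
    {"id": "u3", "userName": "c.horvat@example.com", "active": True,
     "deactivated_at": None, "groups": ["finance"]},
]
# RFC 7644 PatchOp body a SCIM client sends to deactivate a user.
SCIM_DEACTIVATE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [{"op": "replace", "value": {"active": False}}],
}

def reconcile(hr_leavers, idp_users, now_iso):
    """Return (findings, revoke_minutes). findings: leavers past their leave date
    whose IdP account is still active, each with the SCIM request that would
    close it. revoke_minutes: leave-to-deactivation lag for already-closed cases,
    i.e. the 'how long until access is revoked' number."""
    now = datetime.fromisoformat(now_iso)
    by_email = {u["userName"].lower(): u for u in idp_users}
    findings, revoke_minutes = [], {}
    for leaver in hr_leavers:
        left = datetime.fromisoformat(leaver["leave_date"])
        user = by_email.get(leaver["email"].lower())
        if left > now or user is None:
            continue  # not left yet, or never provisioned in this IdP
        if user["active"]:
            findings.append({
                "employee_id": leaver["employee_id"],
                "idp_id": user["id"],
                "hours_exposed": round((now - left).total_seconds() / 3600, 1),
                "privileged": any("admin" in g for g in user["groups"]),
                "scim_request": ("PATCH", f"/Users/{user['id']}", SCIM_DEACTIVATE),
            })
        else:
            lag = datetime.fromisoformat(user["deactivated_at"]) - left
            revoke_minutes[leaver["employee_id"]] = lag.total_seconds() / 60
    return findings, revoke_minutes
```

Run on a schedule against each SCIM-connected system, the findings list is the orphaned-account report and the revoke lag is the audit evidence for the "minutes, not days" claim.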

How we fit

Beside your team, or instead of one.

Tailored applies to the relationship too. Some clients want a partner sitting next to their internal IT. Some want the whole estate run for them. Both get the same engineers and the same accountability.

Model A · Co-managed

We sit next to your internal team.

[Diagram: your IT team ↔ Lockpoint, shared design · escalation]

Your people keep the keys and learn the design. We bring the blueprints, the build, and the backup.

  • Architecture and blueprints, designed with your team in the room
  • Deployments and automation: MDM, SCIM, PAM, hardening
  • On-call and escalation behind your first line
  • Audit and DDQ support, answered together, line by line
Model B · Fully managed · €100–250 per seat / month

We run, maintain, and operate it for you.

[Diagram: your company → Lockpoint, IT ops + security + evidence]

Hire fifty people. Don’t hire an IT team. One contract, one accountable party.

  • Complete IT operations: device lifecycle, identity, helpdesk
  • Managed detection and response across endpoints, identity, cloud
  • Compliance evidence generated by daily operations
  • Vendor and cost management with the ~30% waste cut out

Casework

Engagements across the exact firms regulators are watching.

Private bank · Frankfurt · ~220 FTE

DORA programme under BaFin supervision

Full DORA compliance programme with an ongoing vCISO retainer: ICT risk framework, asset register, third-party register, incident process tested against the 72-hour clock.

DORA · vCISO · BaFin

Asset manager · Zürich · ~75 FTE

ISO 27001 on an AWS and Google Workspace estate

Architecture cleanup and ISO 27001 implementation built around FINMA expectations, on the cloud stack the firm actually runs rather than the one a vendor wanted to sell.

ISO 27001 · AWS · FINMA

B2B SaaS for EU banks · Amsterdam · ~110 FTE

Surviving the banks’ questionnaires

DORA third-party readiness, SOC 2 programme, and penetration testing for a platform whose banking clients now audit their vendors as hard as regulators audit them.

DORA third-party · SOC 2 · Pentest

Insurance group · Croatia · ~380 FTE

Full MSP and MSSP under one contract

Complete IT operations plus managed security: device lifecycle, identity, helpdesk, hardening, and detection and response, with one party accountable for all of it.

MSP + MSSP · NIS2

Payments firm · Vienna · ~55 FTE

DORA and ISO 27001 against a Series B deadline

Compliance built at fundraising speed: DORA alignment and ISO 27001 delivered while investor due diligence was already underway.

DORA · ISO 27001 · Due diligence

Your firm · 30–500 FTE

Regulated, supplying the regulated, or just tired of the mess?

Financial entities and the vendors that serve them are our core. Healthcare, logistics, and manufacturing under NIS2 are in scope too.

Start with a call

Profiles are anonymized engagements. We work for regulated firms; we don’t publish their names.

How to engage

Start small, fixed-price, and useful on its own.

No discovery theatre, no open-ended consulting. The first step has a price, a scope, and a deliverable you keep whether or not we ever speak again.

Compliance programmes

DORA, NIS2, ISO 27001, SOC 2, and client DDQs. From gap analysis to audit-ready evidence, with a vCISO retainer available for ongoing ownership and regulator interface.

Scoped per programme

All-in IT + security

Full MSP, MSSP, or both under one contract: device lifecycle, identity, helpdesk, hardening, and managed detection and response.

€100–250 per seat / month

Direct projects

Clear-scope work without the programme: penetration test, MDM / SCIM / PAM deployment, hardening sprint, or a defined retainer.

Scoped fixed quote

Objections, answered

What buyers ask before they sign.

We’re not regulated. Why would any of this apply to us?

Two reasons. NIS2 reaches well beyond finance into healthcare, logistics, manufacturing, energy, and digital services, and many mid-sized firms are in scope without having checked. And even if no law names you, your biggest client’s obligations flow down their outsourcing chain into your contract. The security questionnaire that decides your renewal is regulation, just delivered by procurement instead of a supervisor.

How are you different from a consultancy?

Output. A consultancy’s deliverable is a document; ours is a running system and the evidence it generates. The same team that writes your ICT risk framework deploys the MDM, wires the SCIM lifecycle, and answers the client DDQ with you line by line. Paperwork without working infrastructure fails audits eventually. Infrastructure without paperwork fails them immediately. You need both, from one team.

Why don’t you have vendor partnerships or certifications from Microsoft, Google, or AWS?

Deliberately. Partner status comes with resale targets, and resale targets bend recommendations. We hold deep working expertise in Microsoft Entra, Defender, and M365, Google Workspace, and AWS, but we sell no licenses and take no kickbacks. When we tell you to drop a product, that advice costs us nothing and saves you money.

We’re regulated. Can a firm your size carry that responsibility?

Carrying responsibility is the point of the model. Your contract is with Lockpoint d.o.o., an EU-registered company in Split, Croatia, led by managing director Antonela Lukač. The people doing the work spent years running IT and security inside stock exchanges, environments where an outage is front-page news and a regulator is always in the room. And because the 18-person core is backed by a vetted network of around 40 specialists, you get the coverage of a large practice without the junior bench.

We have an internal IT team. Will this step on them?

The co-managed model exists for exactly this. We design with your team in the room, hand over documentation as we build, and take the on-call and specialist load they shouldn’t carry alone. Your people end up running a better system, not competing with us for it.

What does it cost?

The Clarity Assessment is €4,000–6,000, fixed. All-in IT and security runs roughly €100–250 per seat per month depending on footprint and obligations. Programmes and projects are quoted against a written scope before any work starts.

Can we just buy a penetration test?

Yes. Clear-scope work, including pentests, deployments, and retainers, can be engaged directly without an assessment first.

Next step

Thirty minutes with an engineer, not a salesperson.

Bring your deadline, your questionnaire, or the feeling that something is off. You’ll leave with a straight read on where you stand and what we’d do first.