The same problems, in five different rooms.

Every profile below is a real engagement, anonymized. We work for regulated firms and the vendors that serve them; publishing client names would say more about us than about the work. The pattern to notice: each one starts with pressure, runs through Clarity, Automation, Security, and ends with less to manage, not more.

Before the profiles: what a first assessment typically finds

The numbers behind the feeling, for a typical 200-seat firm.

Your numbers will differ. Measuring them is the point.

60–80 SaaS tools in the estate, about a third duplicated, unused, or owned by nobody

12–20 accounts of former employees still holding live access at the first scan

25–35% of cloud spend attached to workloads nobody can name a current use for

DORA under BaFin supervision, without a security team

Private bank · Frankfurt · ~220 FTE

The situation

DORA enforced, BaFin attentive, and an internal IT team built for operations, not for an ICT risk framework. The bank needed a compliance programme that would satisfy a supervisor and a security lead who could sit across from one.

What we did

Built the DORA programme end to end: ICT risk framework, asset register, third-party register, and an incident process rehearsed against the 72-hour clock. A Lockpoint vCISO took ownership of posture, board reporting, and the regulator interface, on retainer.

Where it landed

Registers that update from daily operations instead of yearly panic, an incident process the team has actually run, and one named person accountable for every supervisory question. The co-managed model: their IT kept the keys.

ISO 27001 on the cloud they actually ran

Asset manager · Zürich · ~75 FTE

The situation

An AWS and Google Workspace estate that had grown deal by deal, FINMA expectations rising, and previous advisers pushing a platform migration the firm didn’t need. They wanted ISO 27001 without rebuilding their stack to suit someone’s resale margin.

What we did

Architecture cleanup first: mapped the estate, standardized configuration against CIS Benchmarks, consolidated duplicate tooling, then implemented ISO 27001 on the result. No migration, no new platform, no licenses sold.

Where it landed

Certification-ready ISMS on the infrastructure they already understood, a smaller tool estate than they started with, and an architecture diagram the partners can explain to FINMA themselves.

Surviving the banks’ questionnaires

B2B SaaS serving EU banks · Amsterdam · ~110 FTE

The situation

Not regulated themselves, but every customer is. DORA third-party requirements started arriving as contract clauses and two-hundred-question DDQs, and a stalled questionnaire was blocking a renewal. Sales was negotiating security claims nobody could evidence.

What we did

DORA third-party readiness mapped to what banks actually ask, a SOC 2 programme to answer the questions permanently, and penetration testing through our vetted specialist network. We answered the live DDQs with them, line by line.

Where it landed

Questionnaires stopped being a fire drill: standard answers backed by standing evidence, a pentest report on file before procurement asks, and security turned from a sales blocker into part of the pitch.

Fifty new hires, no IT team

Insurance group · Croatia · ~380 FTE

The situation

A growing group with IT spread across departments, vendors nobody owned, and NIS2 on the horizon. Hiring and running an internal IT and security team at this size would have cost more and delivered less than the problem deserved.

What we did

Full MSP plus MSSP under one contract: zero-touch device lifecycle through MDM, identity and access through SCIM, helpdesk, privileged access management, hardening, and managed detection and response. Vendor register consolidated, duplicate tools cancelled.

Where it landed

One accountable party for everything from a new laptop to a 3 a.m. alert. Onboarding and offboarding run from HR data, the toolset is smaller than before we arrived, and NIS2 evidence comes from how the estate already operates.

Compliance at fundraising speed

Payments firm · Vienna · ~55 FTE

The situation

Series B underway, investor due diligence already asking security questions, and DORA plus ISO 27001 both unanswered. A traditional consulting timeline would have outlived the funding round.

What we did

Ran Clarity, Automation, and the compliance build in parallel where the sequence allowed it: asset and access mapping feeding the DORA register, SCIM and MDM closing the gaps the auditors would flag, ISO 27001 implementation scoped to what a payments firm of 55 actually runs.

Where it landed

DORA alignment and ISO 27001 delivered inside the deal window, due-diligence answers backed by evidence instead of intentions, and an automation layer the firm keeps growing into after the round.

The common thread: none of these firms got a binder. They got running systems, standing evidence, and in four of five cases a smaller estate than they started with.

Next step

Your situation is on this page somewhere.

Thirty minutes with an engineer. Bring your version of it.