Notes from the audit table.

Playbooks, war stories, and plain-English guides from senior consultants. New posts every few weeks.

The 12-week path to ISO 27001 certification. How we get it done.

A step-by-step breakdown of how we take organisations from zero ISMS to certified in 12 weeks, with the artefacts auditors actually look for at each stage.


Why your last pen test missed the bug that mattered.

Scope, methodology, and the difference between "checklist testing" and finding real risk.

5 min read

Continuous pentesting vs quarterly: when does AI win?

Where autonomous AI pentesting beats traditional engagements. And the cases where humans still matter.

7 min read

SOC 2 isn't a tickbox. Here's what auditors actually check.

A senior auditor's view of what separates "compliant on paper" from "compliant when challenged."

8 min read

The shared-responsibility model nobody actually reads.

What AWS, Azure, and GCP are responsible for. And the gaps you have to cover yourself.

6 min read

When does it make sense to hire a vCISO instead of a CISO?

A pragmatic break-even guide for scale-ups weighing fractional vs full-time security leadership.

4 min read

NIS2 and DORA: what changes for UK and EU businesses.

The new regulatory pressure on financial services and critical infrastructure, and what to do first.

9 min read

Make compliance feel inevitable.
