09 · SECURE

Security by design, from specialists.

Audit, penetration testing, hardening, DevSecOps, incident response. We help clients reach compliance with standards such as ISO 27001, GDPR, NIS2, DORA. We work to protect products and data with the same care we would for our own.

They've used our services

All our projects are covered by £10 million of professional indemnity insurance, plus an additional £1 million dedicated to data security.

Benetton
Beretta
Colgate
Dolce & Gabbana
Diesel
Enel
Eni
FCA
Golden Lady
Kraft
Loro Piana
Peroni

Knowing what you have, knowing what you risk.

You can't protect what you don't know you have. Asset discovery, external and internal attack surface mapping, data classification, vulnerability identification. Automated vulnerability assessment + manual verification to reduce false positives.

Risk-based prioritisation: not all vulnerabilities have the same impact. A critical CVE on an exposed server weighs more than the same on an isolated, dataless system. Realistic, actionable remediation roadmap, not a hundred-page report that's hard to follow.

External attack surface — What does an attacker see from the Internet? Complete mapping: domains, IPs, ports, exposed services, leaks on deep/dark web.
Internal asset inventory — Servers, endpoints, IoT, cloud workloads, shadow IT SaaS. Complete visibility, no 'we didn't know it existed'.
Risk-based remediation — Top 20 real risks with owner, effort, deadline. Not 5000 entries clogging Jira and never closing.
OSCP+ — Team certifications
5-15 — Vulnerabilities per web app on average
OWASP — Standard methodology
Re-test — Always included

An attacker-oriented approach.

Manually conducted penetration tests, not just automated scans. Web application, API, mobile, internal/external network, cloud, social engineering. Run by certified ethical hackers (OSCP, CRTE, OSEP), following OWASP, OSSTMM, PTES methodologies.

Output: actionable report with reproducible PoCs, screenshots, impact ratings, step-by-step remediation. Re-test included. Adversary simulation (red team) for mature organisations: targeted attacks to validate the real effectiveness of controls, beyond the theoretical.

Web app pentest — OWASP Top 10 + business logic + API. Typically 5-15 vulnerabilities found, 1-3 critical for never-tested apps.
Cloud pentest — AWS/GCP/Azure: IAM misconfig, exposed S3, lateral movement, privilege escalation. Cloud attack surface is huge.
Red team & social — Full-scope simulation: phishing, physical, network. Validates real controls, field training for the SOC team.

Layered defenses.

Relying on a single defense is risky. Defense in depth: WAF in front, identity layer (OAuth + MFA), secret management (Vault), encryption at rest and in transit, runtime protection, EDR on endpoints, network segmentation. More layers means a higher chance of intercepting an attack before it does damage.

DevSecOps: security inside the pipeline. SAST (Semgrep, SonarQube), DAST (ZAP, Burp), SCA (Snyk), IaC scanning (Checkov, tfsec), container scanning (Trivy). Vulnerabilities are intercepted at merge time, not discovered months after deploy.

Zero-trust networking — No implicit trust. Every request authenticated, authorized, encrypted. Lateral movement blocked by default.
Pipeline security — Mandatory scan stages: SAST + DAST + dependency + secret. Merge blocked on critical vulns.
EDR + SIEM — Endpoint monitoring (CrowdStrike, SentinelOne) + SIEM (Sentinel, Splunk) + SOAR. Detection in minutes, not days.
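As an added example (not the page's own code and not an Adam Key Group deliverable) of the mandatory scan stages described above, here is a GitHub Actions workflow that runs SAST (Semgrep), dependency and container scanning (Trivy), IaC scanning (Checkov) and secret detection (gitleaks) on every pull request. Each job exits non-zero on findings at the chosen severity, so the pull request's checks go red; the workflow name `security-gate`, the job names and the severity thresholds are choices made here, not values from the page, and DAST (ZAP, Burp) is left out because it needs a deployed target rather than a source checkout.

```yaml
# Added example, not part of the original page.
# Assumes a GitHub-hosted repository using GitHub Actions; the workflow and job
# names below are placeholders chosen for this example.
name: security-gate

on:
  pull_request:

permissions:
  contents: read

jobs:
  sast:
    name: SAST (Semgrep)
    runs-on: ubuntu-latest
    container: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # --error makes Semgrep exit non-zero when it reports findings;
      # --severity ERROR limits the gate to the highest-severity rules.
      - run: semgrep scan --config auto --severity ERROR --error .

  dependencies-and-containers:
    name: SCA + container (Trivy)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Filesystem scan of lockfiles and any Dockerfile/image layers in the repo;
      # --exit-code 1 fails the job when CRITICAL or HIGH findings exist.
      - run: >
          docker run --rm -v "$PWD":/src aquasec/trivy
          fs --severity CRITICAL,HIGH --exit-code 1 /src

  iac:
    name: IaC scanning (Checkov)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install checkov
      # Checkov exits 1 by default when any check fails, which is what blocks the merge.
      - run: checkov -d . --framework terraform,kubernetes,dockerfile --quiet

  secrets:
    name: Secret detection (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so leaked-then-deleted secrets are still found
      # --exit-code 1 turns any detected secret into a failed job.
      - run: >
          docker run --rm -v "$PWD":/repo zricethezav/gitleaks:latest
          detect --source /repo --exit-code 1
```

A failing job only blocks the merge if the repository's branch protection (or ruleset) lists these four jobs as required status checks; without that setting the results are advisory. Tune the severity thresholds per repository rather than globally, so that a noisy low-severity rule set does not push teams into disabling the gate.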
< 1h — Retainer response SLA
72h — GDPR breach notification deadline
24/7 — SOC monitoring
Forensics — Post-incident

When an incident happens.

Sooner or later every organisation faces an incident. What makes the difference is how quickly you identify, contain and recover. Pre-defined incident response playbooks, periodic table-top exercises, 24/7 SOC where needed.

Post-incident forensics to reconstruct what happened. Lessons learned captured in a structured way and actually implemented. Communication to authorities (Garante Privacy within 72h for a GDPR breach), customers and press: managed with a process, not in firefighting mode.

IR retainer — 24/7 availability with 1h SLA. Onboarding playbook + table-top exercise. Pay only if incident occurs.
Forensics & malware analysis — Reverse engineering, indicators of compromise, reconstructed timeline. We can say 'what' happened, 'how', 'since when'.
Breach notification — GDPR Art. 33-34, NIS2, DORA: notifications to regulators and subjects within deadline. Coordinated PR and legal management.

We help you achieve compliance.

Adam Key Group is not a certifying body and does not present itself as certified against these standards: we help our clients bring their products, processes and organisation into compliance with ISO 27001, ISO 27017/27018, SOC 2, GDPR, NIS2, DORA, AI Act, HIPAA, PCI-DSS. We work with you to build an ISMS (Information Security Management System) that is operational and integrated into real processes, rather than a body of purely formal policies.

Continuous compliance: automatically verified controls, real-time evidence collection, internal pre-certification audits. The aim is to reach the certifying body's audit with as few surprises as possible, having simulated and validated the scenarios upfront.

ISO 27001 readiness — ISMS set up from scratch or gap analysis on existing one. 6-12 month roadmap to certification. Pre-cert internal audit.
NIS2 & DORA — For essential/important entities and financial sector: gap analysis, critical supplier registry, supply chain risk, BCP/DRP.
Privacy by design — GDPR + AI Act integrated in dev lifecycle. DPIA, ROPA, automated DSR handling, team training.

Security is trust, built over time.

Your customers entrust you with their data, money, identity. That trust is built over time and can be compromised very quickly. A high-profile breach can cost far more than years of careful security work.

Our approach isn't built on creating fear, but on supporting informed decisions. In many cases you don't need a platform costing hundreds of thousands per month — you need to know what to protect, how to do it, and with which priority. We're transparent about the level of intervention actually required.

What we get asked the most.

Transparency first. If your question isn't here, write to us: we reply within 24h, from a real person.

What's the difference between audit and pentest?
Audit/vulnerability assessment: systematic scan and identification of known vulnerabilities, prioritization, remediation roadmap. Broader, shallower. Pentest: real attack simulation to try to enter systems and demonstrate impact. Deeper, scoped. The two are complementary: the audit says 'what could break', the pentest 'what actually breaks'.
How much does a penetration test cost?
Depends on scope, depth, methodology. Single web app: €5-15k. Full APIs: €8-25k. Mobile app: €6-18k. External network: €5-12k. Full-scope red team: €30-100k+. Cloud assessment: €10-30k. Always with re-test included post-remediation. Discounts for continuous assessment.
How long to get ISO 27001 certified?
6-12 months from kickoff to certification, depending on starting maturity. Phase 1: gap analysis (1 month). Phase 2: implementing controls, policies, procedures (3-6 months). Phase 3: internal audit + management review (1-2 months). Phase 4: certification audit (1-2 months).
What is NIS2 and do I need to comply?
EU directive on cybersecurity, transposed in Italy in October 2024. Applies to essential entities (energy, health, finance, transport, critical public administration) and important ones (medium-large manufacturing, food, postal, digital infrastructure). Obligations: risk management, incident reporting (24h initial early warning, 72h notification), supply chain security, training. Fines up to €10M or 2% of revenue.
Difference between EDR and antivirus?
Traditional antivirus: signature-based, stops known malware. EDR (Endpoint Detection and Response): behavioral analysis, also stops unknown threats (zero-day, fileless, living-off-the-land), automatic response, forensics. For enterprise environments today EDR is the minimum, not antivirus. We work with CrowdStrike, SentinelOne, Microsoft Defender XDR.
Do you have 24/7 SOC?
Yes, with managed SOC partners (SOCaaS) operating 24/7 with certified analysts. Tier 1 (monitoring + triage), Tier 2 (investigation), Tier 3 (advanced hunting). We integrate with your infrastructure, customize playbooks, and escalate under tight SLAs. Alternatively, we build an internal SOC with dedicated consulting and staffing.

Want to understand your risk level?

A 30-minute call to understand where you're exposed today. No FUD: we share a realistic view of the risk and what is internally manageable.