// 03 · Service catalogue

What I do for clients.

6 service lines · all sectors

Six overlapping practices. Most engagements pull from two or three at once — that's the point. Offensive testing pairs with privacy governance; product ownership pairs with strategic advisory. Pick a starting point and we'll scope from there.

01
/ OFFSEC
// Adversary simulation

Offensive Security

If your defences haven't been pressure-tested by someone thinking like an attacker, they haven't been tested. Web, mobile, network, cloud — pick a perimeter.

Penetration Testing

Identify exploitable vulnerabilities in web, mobile, network, and cloud systems. CEH Master methodology, fully documented findings, prioritised remediation plan.

Red Team Exercises

Simulate real-world attackers to test the resilience of people, processes, and technology in a coordinated, multi-vector engagement.

OSINT Reconnaissance

Map your organisation's digital footprint to expose what's already visible to criminals — credentials, exposed services, social engineering hooks.

02
/ DEFSEC
// Posture & readiness

Defensive & posture reviews

The opposite end of the table. Assess your alignment against the frameworks regulators and clients actually ask about, and harden the configurations that matter.

Security Posture Reviews

Assess alignment with NIST CSF, ISO/IEC 27001, CIS benchmarks, and ENISA guidance — with a gap analysis your board can sign off on.

Cloud & SaaS Security Audits

Harden Azure, AWS, GCP and Microsoft 365 environments against the misconfigurations that cause most real-world breaches.

Incident Readiness

Tabletop simulations and playbooks to prepare your teams for the day something does land — before it does.

03
/ PRIV
// Data privacy & compliance

Privacy & Protection

EU and Southern African regulatory contexts in equal depth. UCT-certified Data Privacy & Protection (95%). The unsexy work that keeps your fines off the front page.

GDPR Readiness Assessments

End-to-end review of your compliance posture against EU data protection regulations — DPIAs, ROPAs, lawful-basis mapping, subject-rights workflows.

Cross-border Compliance

Specialist support for businesses operating between EU and South African privacy landscapes (GDPR ↔ POPIA), or with mixed cloud-hosting geographies.

Data Classification & Governance

Implement sensitivity labels, records of processing, retention schedules and access policies — actually configured, not just documented.

04
/ INTEL
// Threat intelligence & monitoring

Threat intelligence

Know what's coming before it arrives. Dark-web monitoring, phishing simulation, and industry-specific threat landscape reporting your CISO can quote.

Dark Web Monitoring

Track leaked credentials, brand mentions, and sensitive data across underground forums and credential dumps.

Phishing & Social Engineering

Evaluate employee resilience against the attack vectors that actually land — phishing, vishing, pretexting, USB drops.

Threat Landscape Reports

Industry-specific intelligence briefings to anticipate sector-relevant risks — quarterly, customised, board-ready.

05
/ TRAIN
// Awareness & enablement

Training & awareness

Humans are the most porous layer of every stack. Training that respects everyone's time — from the boardroom briefing to the developer secure-coding session.

Executive Briefings

Board-level updates on emerging cyber threats and regulatory obligations — translated out of vendor speak.

Cyber Awareness Workshops

Interactive training to reduce human risk across the wider organisation, designed for retention not just compliance ticks.

Developer & IT Training

Secure coding, system hardening, and threat-modelling sessions tuned to your stack and your team's seniority.

06
/ STRAT
// Strategic advisory

Strategy & vCISO

For organisations not yet ready for a full-time CISO, or that need senior cybersecurity leadership on retainer. The connective tissue between security, product and the rest of the business.

Cybersecurity Roadmaps

Build a security programme aligned to your business strategy — sequenced, budgeted, defensible to the board and auditors.

Virtual CISO (vCISO)

Interim or ongoing executive-level cybersecurity leadership. Monthly retainer, fractional hours, full ownership of the security posture.

Third-Party Risk Management

Reduce supply-chain vulnerabilities through structured vendor assessments and contractual security baselines.

// Engagement_models.txt

Format Best for Duration Status
Targeted Engagement One-off pen test, GDPR readiness review, or architecture audit. 2 – 6 weeks ● Available
vCISO Retainer Fractional CISO leadership; monthly cadence, multi-quarter horizon. 3 – 12 months ● 1 slot open
Red Team Programme Repeatable adversary-simulation cadence with continuous reporting. Ongoing ● Available
Workshop / Briefing Board briefings, exec tabletops, developer training sessions. 1 – 3 days ● Available
Incident Support Forensic investigation, breach response, post-incident reporting. As needed ● On-call

Scoping a piece of work? Let's talk.

Initial calls are free. Most NDAs and statements of work close within a week.

Open a thread
SYS · OPERATIONAL
LOC: PT-PRT
CRYPTO: TLS 1.3 / AES-256
00:00:00Z
SIMONE@HAX · v2.0