Digital risk doesn't announce itself. The organisations I work with have stopped waiting for it to.
Cybersecurity Strategy
Most cybersecurity problems are not technical problems. They are organisational ones—governance that hasn’t kept pace with the threat surface, leadership that doesn’t have the language to make sound decisions, or strategy documents that exist but don’t travel.
Depending on what the situation requires, I work in two modes. Some organisations need a rigorous outside assessment and a strategic roadmap they can execute—a clear picture of where they are, where they need to be, and how to get there. Others need an embedded advisory presence: someone alongside leadership as decisions are being made, not arriving after the fact with a report.
Both start from the same place: understanding what the organisation is actually protecting, and what it would mean to lose it.
Vulnerability Management
Vulnerabilities don’t wait for the compliance calendar. Neither do the researchers who find them, the customers who depend on the products, or the regulators who will ask what happened and when.
The underlying need is operational: the capability to identify, handle, and document vulnerabilities in a way that holds—under regulatory scrutiny, under incident pressure, and across the full lifecycle of products already on the market.
Start with Assessing Your Maturity
What's assessed across five capability domains:
- Organisation: governance, roles, accountability structure
- Engineering: detection, triage, and remediation processes
- Communication: internal and external notification workflows (including the CRA's 24h early-warning and 72h notification timelines)
- Analytics: prioritisation logic, tracking, metrics
- Continuous improvement: feedback loops, post-incident learning, maturity progression

What you get:
- Maturity scorecard (Basic / Advanced / Expert per domain)
- Executive summary: one-page dashboard with business case
- Wherever relevant, a CRA alignment map with prioritised action plan

Easy adoption.
Out of scope: modification of existing documentation; implementation of recommendations. This is a diagnostic, not a remediation programme.
Build Further
Where the programme already exists—and needs to hold.
Some organisations need the vulnerability management programme they have to survive regulatory scrutiny, handle third-party components, and operate at the pace notification timelines actually require.
Depending on what the maturity assessment surfaces, the next phase may include:
- CVD programme design: a structured, externally facing channel through which researchers and third parties can report vulnerabilities in your products, covering scope definition, response SLAs, coordination with national CERTs, and integration with your patch release cycle.
- Bug bounty architecture, for organisations whose internal triage and remediation process is already solid: scope definition, rules of engagement, platform selection, and support through the first triage cycles. A bug bounty amplifies a programme that works; it does not fix one that doesn't.
- Notification process alignment: mapping existing notification workflows against the CRA (24h early warning, 72h notification), NIS2, and, where relevant, SEC material-incident disclosure requirements. The goal is a single, coherent notification architecture, not three parallel processes running in silos.
- SBOM-informed vulnerability tracking, for manufacturers with complex supply chains: integrating third-party component visibility into the prioritisation and remediation workflow, so that a new advisory can be traced to every product on the market that ships the affected component, in line with CRA Annex I obligations.
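To make the SBOM-informed tracking point concrete, here is an added example (not the page's own tooling or any client's code) of the core lookup such a workflow performs: match an advisory feed against the components listed in each product's SBOM and rank the hits. The two SBOM fragments are constructed inline in CycloneDX JSON shape, and the advisory records (EXAMPLE-000x identifiers, CVSS scores, exploitation flags) are hypothetical sample data, not real vulnerabilities.

```python
"""Match an advisory feed against product SBOMs and rank the findings.

Added example; the SBOMs and advisories below are constructed for illustration.
Real inputs would be the manufacturer's generated CycloneDX SBOMs and a
vulnerability feed keyed by package URL (purl).
"""
import json

# Constructed SBOM fragments in CycloneDX JSON shape, one per shipped product.
SBOM_GATEWAY = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "gateway-firmware", "version": "3.2.0"}},
  "components": [
    {"name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8"},
    {"name": "zlib", "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"name": "busybox", "version": "1.36.0", "purl": "pkg:generic/busybox@1.36.0"}
  ]
}
"""

SBOM_SENSOR = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "sensor-firmware", "version": "1.4.1"}},
  "components": [
    {"name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8"},
    {"name": "mbedtls", "version": "3.4.0", "purl": "pkg:generic/mbedtls@3.4.0"}
  ]
}
"""

# Constructed advisory feed: hypothetical identifiers and scores, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:generic/openssl@3.0.8", "cvss": 7.5, "exploited": True},
    {"id": "EXAMPLE-0002", "purl": "pkg:generic/zlib@1.2.13", "cvss": 5.3, "exploited": False},
    {"id": "EXAMPLE-0003", "purl": "pkg:generic/libpng@1.6.39", "cvss": 9.8, "exploited": True},
]


def load_components(sbom_text: str) -> tuple[str, dict[str, dict]]:
    """Return the product identity and a purl-keyed index of its components."""
    bom = json.loads(sbom_text)
    meta = bom["metadata"]["component"]
    product = f'{meta["name"]}@{meta["version"]}'
    by_purl = {c["purl"]: c for c in bom.get("components", []) if "purl" in c}
    return product, by_purl


def match_advisories(sbom_text: str, advisories: list[dict]) -> list[dict]:
    """Findings for one product, ranked: known exploitation first, then CVSS."""
    product, by_purl = load_components(sbom_text)
    findings = []
    for adv in advisories:
        comp = by_purl.get(adv["purl"])
        if comp is None:
            continue  # advisory does not touch anything this product ships
        findings.append({
            "advisory": adv["id"],
            "product": product,
            "component": f'{comp["name"]}@{comp["version"]}',
            "cvss": adv["cvss"],
            "exploited": adv["exploited"],
        })
    # An exploited 7.5 lands ahead of an unexploited 9.8: exploitation status
    # is the stronger signal for the notification clock.
    findings.sort(key=lambda f: (not f["exploited"], -f["cvss"]))
    return findings


def affected_products(sboms: list[str], advisories: list[dict]) -> dict[str, list[str]]:
    """Map each advisory that matches anything to the products that ship it."""
    hits: dict[str, list[str]] = {}
    for sbom_text in sboms:
        for f in match_advisories(sbom_text, advisories):
            hits.setdefault(f["advisory"], []).append(f["product"])
    return hits


if __name__ == "__main__":
    for f in match_advisories(SBOM_GATEWAY, ADVISORIES):
        print(f)
    print(affected_products([SBOM_GATEWAY, SBOM_SENSOR], ADVISORIES))
```

The portfolio view is the part regulators and customers will ask about: given one advisory, which products on the market are affected. Exact purl matching is deliberately simple here; a production feed would carry affected version ranges, and the index would be regenerated from each release's SBOM rather than hand-written.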
CRA Compliance
The Cyber Resilience Act (CRA) is not a compliance exercise. It is an architectural requirement—for how products are designed, how vulnerabilities are handled, and how accountability is documented across the organisation. Most companies are still in the process of understanding what it will actually demand of them.
CRA Gap Analysis
The starting point is knowing where you stand. The gap analysis maps your current posture against CRA requirements with precision: what is already in place, what is structurally absent, and what the remediation pathway looks like in practice.
The deliverable is not a report that sits on a shelf. It is a working document that opens the next phase—whether that means policy design, internal governance restructuring, vulnerability management capability, or regulatory engagement. What comes next depends on what the gaps reveal.
Scope:
- Review of secure development process, audit processes, and associated policies
- Review of secure operations (RUN) policies and associated processes
- Gap analysis against CRA legal requirements and essential requirements (Art. 13 manufacturer obligations, Art. 14 reporting obligations, Annex I essential cybersecurity requirements)
Deliverable: Prioritised recommendations list for CRA compliance implementation
A note on standards: harmonised standards are not yet available. The analysis is grounded in the legal text and built on close involvement in the ongoing standards development process—which means the assumptions are informed, tracked, and updated as the landscape evolves.
