cat ./security.md

Threat-model first. Audit-ready always.

SAMA-aligned, zero-trust by default. Reviewed by humans who care. We find the gaps before regulators — and before attackers — do.

security-posture

What "production-grade" actually means here.

auth

Identity & auth

OIDC + mTLS by default. Service-to-service identities are vaulted, rotated, and never share long-lived secrets. SSO integrations to NCA-compliant providers.

data

Data protection

Envelope encryption at rest. TLS 1.3 in transit. Field-level encryption for PII. KMS keys are customer-managed when regulators ask.

perimeter

Network & perimeter

Zero-trust segmentation. Egress is allow-listed. Every service speaks through an authenticated mesh — no "internal-only" assumptions.

audit

Audit & observability

Immutable, append-only audit logs. Structured events route to a SAMA-aligned SIEM. Every privileged action is replayable for compliance review.

compliance

Aligned with the rulebook.

SAMA: fintech / banking
NCA: national cyber
SDAIA: data & AI
PDPL: personal data
ISO 27001: info-sec management
OWASP ASVS: appsec baseline

security-services

What we run.

01

Threat modeling

Whiteboard with your engineers, walk the data flow, identify trust boundaries. Output: a written threat model your CISO can sign and the audit team will accept.

02

Architecture review

Read your repo, your infra, your deploy pipeline. Find the gaps, write them up, prioritise by exploitability and blast radius.

03

Pen-test readiness

Make sure the test is worth running. We close the obvious holes first so the pen-test team can find the interesting ones.

04

Incident runbooks

Written, drilled, version-controlled. Your on-call team should know exactly what to do at 2am. We make sure they do.

scoreboard

What 14 days of operations looks like.

0 audit findings · 14d
284 secrets rotated · 14d
12 anomalies · auto-resolved
0 anomalies · escalated
47 patches applied
0 open critical CVEs

Have a problem worth our attention?

Tell us what you're trying to do. We'll reply within one business day with a candid take.

Start a project →