A security firm built by practitioners.

Grilli Security is built by senior practitioners — not resellers or generalist consultants. We work with organisations that need measurable security outcomes: reduced exposure, faster detection, audit success, and the capability to respond when something goes wrong.

WHO WE ARE

Three things make a partner worth paying for.

Practitioners, not generalists

  • Every engagement is staffed by specialists in the relevant discipline — red team operators who have run full-chain campaigns, DFIR analysts who have handled major breaches, and engineers who build secure systems for a living.
  • No account managers in the room. The person who scopes your engagement is the person who delivers it.

Outcomes, not reports

  • We measure success by what changes: reduced mean time to detect and respond (MTTD/MTTR), fewer critical findings, clean audit outcomes, and post-breach environments that hold.
  • Every deliverable includes what to fix, how to fix it, and validation that the fix works.

Worldwide 24/7

  • Continuous coverage for SOC, incident response, and emergency engagements — every hour of every day.
  • Worldwide coverage with a European-centric delivery model and senior on-call escalation for off-hours emergencies.
  • All data is processed within the EU by default; alternative locations available on client request.

HOW WE WORK

No ambiguity. No undisclosed subcontracting.

Our engagement model is designed to protect clients, eliminate ambiguity, and produce work that holds up to external scrutiny — legal, regulatory, and technical.

Before work begins

  • Mutual NDA executed before any information is shared
  • Defined scope, objectives, and deliverables agreed in writing
  • IP ownership terms finalised — all work-for-hire belongs to the client on completion
  • Rules of engagement and authorisation chain documented for technical engagements
  • Data processing agreement in place where personal data is in scope

During engagements

  • Interim findings issued for critical and high severity issues — no waiting for the final report
  • Encrypted, out-of-band communication channels for sensitive engagements
  • Access limited to named personnel on a least-privilege, need-to-know basis
  • All activity logged with analyst identity and timestamp for auditability
  • No undisclosed subcontracting — specialists disclosed and client-approved in advance

At engagement close

  • All access revoked on the day the engagement ends
  • Evidence, exploits, and sensitive artefacts returned or securely destroyed with certificate
  • Retest availability: validation that remediation was effective, not just attempted
  • Retention period defined per contract; no open-ended storage of client data

WHO WE WORK WITH

Sectors and engagement models.

Industries we serve

  • Payments & Finance: PCI DSS 4.0 compliance, cardholder data environment testing, and fraud-path red teaming
  • Health & Life Sciences: HIPAA breach preparedness, medical device security, and clinical system hardening
  • SaaS & Cloud: multi-tenant architecture review, supply chain security, and continuous compliance programmes
  • Retail & eCommerce: PCI DSS scope reduction, API security, and fraud-vector penetration testing
  • Public Sector & Critical Infrastructure: NIS2/DORA compliance, ICS/OT security assessment, TIBER-EU-aligned red teaming
  • Defence & Aerospace: high-assurance engineering, Common Criteria readiness, FIPS 140-3 preparation, DO-178C alignment

Engagement types

  • Project-based: defined scope, timeline, and deliverables for assessments, audits, and research campaigns
  • Retainer: guaranteed response capacity with pre-agreed SLAs; recommended for SOC, DFIR, and ongoing advisory
  • Embedded engineering: our practitioners integrated into your team for the engagement duration
  • Advisory: design review, threat modelling, and strategic guidance without full implementation access
  • Emergency: 24/7/365 incident response available on retainer or as an ad-hoc engagement with SLA commitments

STANDARDS

What we hold ourselves to.

Our internal standards

  • ISO/IEC 27001:2022-conformant information security programme — not yet externally certified; attestations available under NDA
  • Wassenaar Arrangement export-control compliance for security tooling and research
  • GDPR and CCPA data protection practices with privacy impact assessments; engagement-specific DPAs negotiated on request
  • Secure software development lifecycle aligned to OWASP SAMM
  • We coordinate with certified assessors (QSA, 3PAO) and provide advisory supporting client certification — we do not issue certifications ourselves

Assurance & governance

  • Criminal background check on every hire — Karistusregister (Estonian criminal records register) for EU personnel, equivalent national check for non-EU personnel; refreshed annually
  • Least-privilege access to client systems and data throughout the engagement
  • Encrypted data in transit and at rest; time-bound retention with secure destruction
  • On-premises servers and equipment available for air-gapped, classified, or ultra-sensitive engagements — no third-party cloud involvement
  • Change control, peer review, and documented runbooks for all operational procedures
  • Business continuity and disaster recovery planning with tested recovery procedures
  • Third-party tooling and supply-chain risk evaluation before integration into engagements
  • Quarterly access reviews; all client access revoked same day upon engagement close

ACTIVE INCIDENT?