Hardened by design. Rebuilt after a breach.
Security-hardened infrastructure built to measurable standards — and the capability to eradicate an adversary and rebuild after one gets in. We design, implement, and operate environments where security controls are first-class requirements, not afterthoughts bolted on at the end of a project.
Standards we build to: CIS Benchmarks, DISA STIGs, NIST 800-207, NIST 800-53, CSA CCM
HARDENING
Systems, endpoints, identity.
System & Endpoint Hardening
- CIS Benchmark Level 1 & 2 — OS hardening for Linux (RHEL, Ubuntu, Debian), Windows Server, macOS, and container base images
- DISA STIGs — applied where defence, government, or regulated industry mandates the standard
- Kernel hardening — seccomp profiles, AppArmor / SELinux policies, sysctl tuning, and module blacklisting
- Container hardening — rootless execution, read-only filesystems, capability dropping, Kubernetes Pod Security Standards enforcement
- Endpoint protection — EDR deployment and tuning, application allowlisting, script execution controls, and USB/removable media policy
- Automated compliance drift detection — baselines enforced continuously, not just at build time
Identity & Privileged Access
- Privileged Access Management (PAM) — vault-based credential management, session recording, and checkout/check-in workflows for administrative accounts
- Just-in-time (JIT) access — time-limited privilege elevation with approval workflows; no standing admin accounts
- Privileged Access Workstations — hardened, isolated workstations for administrative tasks; separated from general-purpose endpoints
- Directory service hardening — tiered administration model, Kerberoastable account elimination, local admin password management, and legacy protocol disablement
- Conditional access & MFA — phishing-resistant MFA (FIDO2/passkeys), risk-based access policies, and device compliance enforcement
ZERO TRUST
Continuous verification, end to end.
Aligned to NIST SP 800-207. Perimeter trust replaced by continuous verification of identity, device health, and context at every access decision.
Network Segmentation
- Micro-segmentation with host-based firewalls and east-west traffic controls
- VLAN / VPC design with explicit trust boundaries and inter-segment access lists
- Service mesh for mutual TLS and fine-grained workload authorisation
- Network access control (NAC) for device trust before admission to corporate segments
Cloud Security Posture
- CSPM — cloud security posture management deployment with benchmark mapping and continuous alerting
- IAM least-privilege analysis and standing permission elimination
- Object storage public access auditing and data classification enforcement
- Cloud provider activity log integrity and centralised SIEM ingestion
- IaC security scanning integrated into deployment pipelines
Perimeter & Remote Access
- Zero Trust Network Access (ZTNA) replacing legacy VPN — identity and device-aware access
- WAF deployment and tuning with OWASP rule sets and custom application logic
- DNS security (DNSSEC, RPZ, DoH/DoT) and threat intelligence-backed DNS filtering
- DDoS protection and rate-limiting architecture for externally exposed services
POST-BREACH REMEDIATION
Eradicate, rebuild, re-harden.
Incomplete remediation — leaving a single persistent backdoor, a reused credential, or an unpatched initial access vector — means the attacker returns. We execute structured remediation that addresses the root cause, not just the visible symptoms.
Eradication
- Removal of all confirmed persistence mechanisms: scheduled tasks, services, registry keys, cron jobs, startup items, and implants
- Credential reset programme: domain-wide forced rotation of all accounts exposed within adversary blast radius, prioritised by privilege tier
- Certificate and API key revocation for any secrets present in compromised systems
- C2 infrastructure blocking: IOC-based firewall rules, DNS sinkholes, and email gateway blocks
Rebuilding
- Clean-image rebuilds from known-good baselines for confirmed compromised systems — no in-place cleaning of high-value targets
- IaC-driven environment reconstruction with hardened baseline applied from first boot
- Integrity verification of rebuild outputs before systems return to production
- Staged return-to-service under enhanced monitoring to detect adversary re-entry attempts
Re-hardening & Gap Closure
- Initial access vector closure: patch, configuration change, or architectural fix for every confirmed entry point
- Control gap remediation mapped directly from forensic findings to specific infrastructure changes
- Detection engineering: new SIEM rules and EDR detections covering TTPs used in the incident
- Hardening re-baseline: CIS benchmark re-assessment across the affected scope post-rebuild
OPERATIONS
Security-first managed operations.
Managed Security Operations
- 24/7 security monitoring — SIEM-driven alerting with triage by security-qualified analysts, not generic helpdesk
- Patch management — vulnerability-prioritised patching cadence aligned to CVSS severity and active exploitation status
- Configuration management — IaC-driven drift detection; no manual changes without documented approval and change record
- Vulnerability scanning — continuous authenticated scanning with prioritised remediation tracked against SLA
- Backup & DR testing — backup integrity verified by actual restoration test, not just backup-job success logs
- Monthly security posture reports with trend metrics and open risk register
SLAs & Governance
- Incident response SLAs — Critical: ≤15 min acknowledgement; High: ≤30 min; Medium: ≤2 hours; all tracked and reported monthly
- Change management — no significant configuration changes without client-approved change record; emergency changes ratified within 24 hours
- Responsibility matrix (RACI) — explicit documentation of every operational task ownership before engagement start
- Access governance — quarterly review of all Grilli Security access to client systems; access revoked same day upon engagement close
- All operational work covered by NDA; client retains ownership of all infrastructure, IaC, and documentation
DELIVERABLES
What you take away.
Engineering
- IaC modules with security controls encoded, tested, and documented
- Hardening scripts and configuration baselines mapped to CIS Benchmark level and version
- Network diagrams with trust boundaries, data flows, and security control placement
- PAM/JIT configuration with access policy documentation
- CI/CD pipeline security gate configuration and policy-as-code rules
Remediation
- Eradication plan with system-by-system action log and verification record
- Credential reset scope and completion confirmation
- Rebuild documentation: baseline version, hardening applied, and integrity verification results
- Post-remediation hardening report: CIS benchmark re-assessment scores before and after
- Root cause and control gap closure evidence suitable for regulatory or insurance reporting
Operations
- Runbooks for all operational procedures: incident, change, backup, DR, and escalation
- Architecture decision records (ADRs) with security rationale for all significant design choices
- Monthly security posture report with vulnerability trends, patch compliance, and open risk register
- Quarterly DR test report with actual RTO/RPO achieved vs. target
Get a written proposal
Send scope + timeline. Detailed SoW within 1 business day.
Email a senior practitioner
Direct line for scoping questions. NDA available on request before you share details.
hello@grillisecurity.com
Active incident?
24/7 incident line. Triage call + retainer set-up inside the hour for new engagements.
+372 5610 1641
