Hardened by design. Rebuilt after a breach.

Security-hardened infrastructure built to measurable standards — and the capability to eradicate an adversary and rebuild after one gets in. We design, implement, and operate environments where security controls are first-class requirements, not afterthoughts bolted on at the end of a project.

CIS Benchmarks · DISA STIGs · NIST SP 800-207 · NIST SP 800-53 · CSA CCM

HARDENING

Systems, endpoints, identity.

System & Endpoint Hardening

  • CIS Benchmark Level 1 & 2 OS hardening for Linux (RHEL, Ubuntu, Debian), Windows Server, macOS, and container base images
  • DISA STIGs applied where defence, government, or regulated industry mandates the standard
  • Kernel hardening: seccomp profiles, AppArmor / SELinux policies, sysctl tuning, and module blacklisting
  • Container hardening: rootless execution, read-only filesystems, capability dropping, and Kubernetes Pod Security Standards enforcement
  • Endpoint protection: EDR deployment and tuning, application allowlisting, script execution controls, and USB/removable media policy
  • Automated compliance drift detection — baselines enforced continuously, not just at build time
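The container bullets above (rootless execution, read-only root filesystem, capability dropping, Pod Security Standards) can be checked mechanically before a manifest reaches a cluster. The checker below is an added example, not code from this page or from Grilli Security: it implements the field checks of the Kubernetes "restricted" Pod Security Standard, runs them over a constructed pod spec that would be rejected, and shows the same spec after hardening. The image name and pod are made up.

```python
"""Check a pod spec against the Kubernetes 'restricted' Pod Security Standard.

Added example (not from the page). Field checks follow the restricted profile:
no host namespaces, no privileged containers, allowPrivilegeEscalation=false,
capabilities drop ALL (only NET_BIND_SERVICE may be re-added), runAsNonRoot,
runAsUser != 0, seccompProfile RuntimeDefault/Localhost, and a volume allowlist.
"""
import copy

ALLOWED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                        "persistentVolumeClaim", "projected", "secret"}

# Constructed sample: the "it works on my cluster" pod a developer ships first.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/api:1.4",   # hypothetical image
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def restricted_violations(pod):
    """Return human-readable violations of the restricted profile (empty list = compliant)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(f"spec.{key} must be false")
    for vol in spec.get("volumes", []):
        bad = set(vol) - {"name"} - ALLOWED_VOLUME_TYPES
        if bad:
            violations.append(f"volume {vol.get('name')}: type {sorted(bad)} not allowed")
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    for c in containers:
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            violations.append(f"{name}: capabilities.add {sorted(extra)} not allowed")
        # Container-level settings override pod-level ones, so resolve in that order.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{name}: runAsUser must not be 0")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def harden(pod):
    """Return a copy of the pod with the restricted-profile fields set.

    readOnlyRootFilesystem is not required by the profile but is part of the
    container hardening described on the page; the emptyDir /tmp mount is what
    lets the application keep writing scratch files with a read-only root."""
    hardened = copy.deepcopy(pod)
    spec = hardened["spec"]
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        spec.pop(key, None)
    spec.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.setdefault("securityContext", {})
        sc.pop("privileged", None)
        sc.update({"allowPrivilegeEscalation": False,
                   "capabilities": {"drop": ["ALL"]},
                   "readOnlyRootFilesystem": True})
    return hardened


if __name__ == "__main__":
    for v in restricted_violations(WEAK_POD):
        print("WEAK:", v)
    print("hardened:", restricted_violations(harden(WEAK_POD)) or "no violations")
```

Enforcing the profile in the cluster is a separate step (the Pod Security Admission `pod-security.kubernetes.io/enforce: restricted` namespace label); this script is the pre-commit or pipeline gate that catches the manifest before admission does, with a readable reason per field.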

Identity & Privileged Access

  • Privileged Access Management (PAM): vault-based credential management, session recording, and checkout/check-in workflows for administrative accounts
  • Just-in-time (JIT) access: time-limited privilege elevation with approval workflows; no standing admin accounts
  • Privileged Access Workstations: hardened, isolated workstations for administrative tasks, separated from general-purpose endpoints
  • Directory service hardening: tiered administration model, Kerberoastable account elimination, local admin password management, and legacy protocol disablement
  • Conditional access & MFA: phishing-resistant MFA (FIDO2/passkeys), risk-based access policies, and device compliance enforcement

ZERO TRUST

Continuous verification, end to end.

Aligned to NIST SP 800-207. Perimeter trust replaced by continuous verification of identity, device health, and context at every access decision.

Network Segmentation

  • Micro-segmentation with host-based firewalls and east-west traffic controls
  • VLAN / VPC design with explicit trust boundaries and inter-segment access lists
  • Service mesh for mutual TLS and fine-grained workload authorisation
  • Network access control (NAC) for device trust before admission to corporate segments

Cloud Security Posture

  • CSPM: cloud security posture management deployment with benchmark mapping and continuous alerting
  • IAM least-privilege analysis and standing permission elimination
  • Object storage public access auditing and data classification enforcement
  • Cloud provider activity log integrity and centralised SIEM ingestion
  • IaC security scanning integrated into deployment pipelines
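The "object storage public access auditing" bullet above is one of the checks a CSPM tool runs; the logic is short enough to show. The script below is an added example, not code from this page or from Grilli Security. It parses bucket policies in the AWS IAM policy JSON format and flags Allow statements whose Principal is the wildcard, separating unconditional grants from wildcard grants narrowed by a Condition (which still need review: a condition on aws:SourceVpce is a real boundary, one on aws:Referer is not). The bucket names, account ID and VPC endpoint ID are constructed.

```python
"""Flag anonymous-access statements in S3-style bucket policies.

Added example, not from the page. Policies are constructed samples in the
AWS IAM policy JSON format; both "Principal": "*" and {"AWS": "*"} mean
'everyone', and a Condition only narrows that if the condition key is strong.
"""
import json

READ_ONLY_PREFIXES = ("s3:Get", "s3:List")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_ids(principal):
    """Flatten "*", {"AWS": "*"}, {"AWS": [...]} and friends into a list of ids."""
    if isinstance(principal, dict):
        ids = []
        for value in principal.values():
            ids.extend(_as_list(value))
        return ids
    return _as_list(principal)


def public_statements(policy_text):
    """Return one finding per Allow statement granted to the wildcard principal."""
    policy = json.loads(policy_text)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements cannot open access
        if "*" not in _principal_ids(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        writes = [a for a in actions if not a.startswith(READ_ONLY_PREFIXES)]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            "exposure": "public-write" if writes else "public-read",
            # True means a Condition narrows the grant: review the key, do not auto-pass it.
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


# Constructed policy: one deliberate public-read, one VPC-endpoint-scoped grant,
# one TLS-enforcing Deny, and one ordinary role grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-internal/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-internal/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-internal/*"},
    ],
})


if __name__ == "__main__":
    for f in public_statements(SAMPLE_POLICY):
        flag = "REVIEW" if f["conditioned"] else "PUBLIC"
        print(f"{flag:6} {f['sid']:12} {f['exposure']:12} {f['actions']}")
```

In a real estate the policy text comes from the provider API (`GetBucketPolicy` for AWS) and the finding is joined with the account-level and bucket-level public access block settings before it is rated, because those settings can neutralise a statement this check flags; the check here is the part that reads the policy itself.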

Perimeter & Remote Access

  • Zero Trust Network Access (ZTNA) replacing legacy VPN — identity and device-aware access
  • WAF deployment and tuning with OWASP rule sets and custom application logic
  • DNS security (DNSSEC, RPZ, DoH/DoT) and threat intelligence-backed DNS filtering
  • DDoS protection and rate-limiting architecture for externally exposed services

POST-BREACH REMEDIATION

Eradicate, rebuild, re-harden.

Incomplete remediation — leaving a single persistent backdoor, a reused credential, or an unpatched initial access vector — means the attacker returns. We execute structured remediation that addresses the root cause, not just the visible symptoms.

Eradication

  • Removal of all confirmed persistence mechanisms: scheduled tasks, services, registry keys, cron jobs, startup items, and implants
  • Credential reset programme: domain-wide forced rotation of all accounts exposed within adversary blast radius, prioritised by privilege tier
  • Certificate and API key revocation for any secrets present in compromised systems
  • C2 infrastructure blocking: IOC-based firewall rules, DNS sinkholes, and email gateway blocks

Rebuilding

  • Clean-image rebuilds from known-good baselines for confirmed compromised systems — no in-place cleaning of high-value targets
  • IaC-driven environment reconstruction with hardened baseline applied from first boot
  • Integrity verification of rebuild outputs before systems return to production
  • Staged return-to-service under enhanced monitoring to detect adversary re-entry attempts

Re-hardening & Gap Closure

  • Initial access vector closure: patch, configuration change, or architectural fix for every confirmed entry point
  • Control gap remediation mapped directly from forensic findings to specific infrastructure changes
  • Detection engineering: new SIEM rules and EDR detections covering TTPs used in the incident
  • Hardening re-baseline: CIS benchmark re-assessment across the affected scope post-rebuild

OPERATIONS
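Two of the detections the "detection engineering" bullet above would typically add, covering techniques named elsewhere on this page (Kerberoastable accounts under Identity, scheduled-task persistence under Eradication), run here over constructed Windows Security events. This is an added example, not a rule set from this page or from Grilli Security: field names follow the Windows Security log for event 4769 (service ticket requested) and 4698 (scheduled task created), while the hosts, users, SPNs and timestamps are made up.

```python
"""Run two post-incident detections over constructed Windows Security events.

Added example, not from the page. Rule 1 flags an account requesting RC4
(etype 0x17) service tickets for several user-account SPNs within a short
window, the signature of Kerberoasting. Rule 2 flags scheduled tasks created
with executables in user-writable paths or encoded/hidden command lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

RC4_HMAC = "0x17"
SUSPICIOUS_PATH = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SUSPICIOUS_ARGS = re.compile(r"-(enc|encodedcommand|e)\s|-w(indowstyle)?\s+hidden|downloadstring", re.I)


def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Accounts that pulled RC4 tickets for >= min_services distinct user SPNs inside `window`."""
    by_requester = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGT service are not roastable targets
        by_requester[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), svc))
    alerts = []
    for user, requests in by_requester.items():
        requests.sort()
        for i, (t0, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                alerts.append({"rule": "kerberoasting", "user": user,
                               "services": sorted(in_window), "first_seen": t0.isoformat()})
                break
    return alerts


def suspicious_scheduled_tasks(events):
    """4698 events whose task XML points at user-writable paths or hides/encodes its command."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4698:
            continue
        content = e.get("TaskContent", "")
        cmd = re.search(r"<Command>(.*?)</Command>", content, re.S)
        args = re.search(r"<Arguments>(.*?)</Arguments>", content, re.S)
        cmd, args = (cmd.group(1) if cmd else ""), (args.group(1) if args else "")
        reasons = []
        if SUSPICIOUS_PATH.search(cmd):
            reasons.append("executable in user-writable path")
        if SUSPICIOUS_ARGS.search(args) or SUSPICIOUS_ARGS.search(cmd):
            reasons.append("encoded or hidden command line")
        if reasons:
            alerts.append({"rule": "suspicious_scheduled_task", "host": e.get("Computer"),
                           "task": e.get("TaskName"), "creator": e.get("SubjectUserName"),
                           "command": f"{cmd} {args}".strip(), "reasons": reasons})
    return alerts


def run_all(events):
    return kerberoast_candidates(events) + suspicious_scheduled_tasks(events)


# Constructed events: one roasting burst, one benign AES request, one persistence task, one benign task.
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": "2024-03-02T01:14:02", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-03-02T01:14:03", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc-backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-03-02T01:14:05", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "svc-iis", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-03-02T01:14:06", "TargetUserName": "j.doe@CORP.LOCAL",
     "ServiceName": "WS0142$", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-03-02T08:30:00", "TargetUserName": "a.smith@CORP.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4698, "Time": "2024-03-02T01:20:11", "Computer": "WS0142.corp.local",
     "SubjectUserName": "j.doe", "TaskName": "\\Microsoft\\Windows\\Updater",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\j.doe\\AppData\\Roaming\\svchost.exe"
                    "</Command><Arguments>-w hidden -enc SQBFAFgA</Arguments></Exec></Actions></Task>"},
    {"EventID": 4698, "Time": "2024-03-02T09:00:00", "Computer": "SRV01.corp.local",
     "SubjectUserName": "backupadmin", "TaskName": "\\Backup\\Nightly",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Backup\\agent.exe"
                    "</Command><Arguments>--profile nightly</Arguments></Exec></Actions></Task>"},
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Both rules need their audit source switched on (the "Kerberos Service Ticket Operations" and "Other Object Access Events" audit subcategories), which is itself a typical gap found in a post-incident review. The RC4 rule is noisy in a domain that still has RC4-only services; the per-requester window count, rather than a single-event match, is what keeps it usable, and the service list in the alert doubles as the scope for the "Kerberoastable account elimination" work under Identity.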

Security-first managed operations.

Managed Security Operations

  • 24/7 security monitoring: SIEM-driven alerting with triage by security-qualified analysts, not a generic helpdesk
  • Patch management: vulnerability-prioritised patching cadence aligned to CVSS severity and active exploitation status
  • Configuration management: IaC-driven drift detection; no manual changes without documented approval and change record
  • Vulnerability scanning: continuous authenticated scanning with prioritised remediation tracked against SLA
  • Backup & DR testing: backup integrity verified by actual restoration test, not just backup-job success logs
  • Monthly security posture reports with trend metrics and open risk register
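The backup bullet above draws a distinction worth making concrete: a backup job that exits zero has proved it wrote an archive, not that the archive restores to what was backed up. The script below is an added example, not code from this page or from Grilli Security. It builds a constructed source tree, archives it, restores it into a separate directory and compares per-file SHA-256 digests; a second archive with a truncated member stands in for the corrupted backup whose job also "succeeded". Paths and contents are constructed.

```python
"""Verify a backup by restoring it and hashing the result, not by its exit status.

Added example, not from the page. Uses only the standard library: tar+gzip
for the archive, SHA-256 for the comparison, temp directories for isolation.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def tree_digests(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def make_backup(source_dir, archive_path):
    """The happy path. Returns what a backup job usually reports: 'an archive exists'."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return os.path.exists(archive_path)


def make_corrupted_backup(source_dir, archive_path, victim_rel):
    """Simulate a job that 'succeeded' but wrote one member truncated to half its size."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in tree_digests(source_dir):
            with open(os.path.join(source_dir, rel), "rb") as fh:
                data = fh.read()
            if rel == victim_rel:
                data = data[: len(data) // 2]
            info = tarfile.TarInfo(name=rel.replace(os.sep, "/"))
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return os.path.exists(archive_path)


def restore_and_verify(archive_path, expected_digests):
    """Restore into a scratch directory and compare every file against the expected digests."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' filter (Python 3.12, backported to maintained 3.8+) refuses
            # path traversal and device members; fall back silently on older runtimes.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
        restored = tree_digests(restore_dir)
    missing = sorted(set(expected_digests) - set(restored))
    corrupted = sorted(p for p in expected_digests
                       if p in restored and restored[p] != expected_digests[p])
    return {"ok": not missing and not corrupted, "files": len(restored),
            "missing": missing, "corrupted": corrupted}


def demo():
    """Back up a constructed tree twice (good and corrupted) and verify both restores."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "etc"))
        with open(os.path.join(src, "etc", "app.conf"), "wb") as fh:
            fh.write(b"listen=127.0.0.1:8443\n" * 64)
        with open(os.path.join(src, "data.db"), "wb") as fh:
            fh.write(os.urandom(4096))
        expected = tree_digests(src)           # taken at backup time, stored with the job record
        good, bad = os.path.join(work, "good.tgz"), os.path.join(work, "bad.tgz")
        job_ok = make_backup(src, good) and make_corrupted_backup(src, bad, "data.db")
        return {"job_reported_success": job_ok,
                "good": restore_and_verify(good, expected),
                "bad": restore_and_verify(bad, expected)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The job-level result is identical for both archives; only the restore-and-hash step tells them apart. In a managed-operations schedule the same routine runs against a restore target that is not the production host, and the "missing" and "corrupted" lists, not the job log, are what goes into the quarterly DR report.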

SLAs & Governance

  • Incident response SLAs: Critical ≤15 min acknowledgement; High ≤30 min; Medium ≤2 hours; all tracked and reported monthly
  • Change management: no significant configuration changes without a client-approved change record; emergency changes ratified within 24 hours
  • Responsibility matrix (RACI): explicit documentation of every operational task's ownership before engagement start
  • Access governance: quarterly review of all Grilli Security access to client systems; access revoked the same day upon engagement close
  • All operational work covered by NDA; client retains ownership of all infrastructure, IaC, and documentation

DELIVERABLES

What you take away.

Engineering

  • IaC modules with security controls encoded, tested, and documented
  • Hardening scripts and configuration baselines mapped to CIS Benchmark level and version
  • Network diagrams with trust boundaries, data flows, and security control placement
  • PAM/JIT configuration with access policy documentation
  • CI/CD pipeline security gate configuration and policy-as-code rules

Remediation

  • Eradication plan with system-by-system action log and verification record
  • Credential reset scope and completion confirmation
  • Rebuild documentation: baseline version, hardening applied, and integrity verification results
  • Post-remediation hardening report: CIS benchmark re-assessment scores before and after
  • Root cause and control gap closure evidence suitable for regulatory or insurance reporting

Operations

  • Runbooks for all operational procedures: incident, change, backup, DR, and escalation
  • Architecture decision records (ADRs) with security rationale for all significant design choices
  • Monthly security posture report with vulnerability trends, patch compliance, and open risk register
  • Quarterly DR test report with actual RTO/RPO achieved vs. target