what we do

strategy & policy

National cybersecurity strategy and policy development

We help governments develop, review, and update national cybersecurity strategies, action plans, and supporting policy instruments. The work spans desk research and institutional mapping. It includes multi-stakeholder facilitation across ministries, private sector, civil society, and academia. And it ends with measurable objectives tied to capacity that actually exists.

what we deliver
  • Stakeholder & institutional mapping. Who does what, where the gaps are.
  • Facilitated workshops. Government, private sector, civil society, academia. Co-ownership from day one.
  • Strategic objectives with KPIs. Tied to national priorities and to capacity that actually exists.
  • Action plan & review mechanisms. Ownership, timelines, resources, periodic updates.
maturity

Maturity assessment and roadmapping

Cybersecurity maturity assessments at national, sectoral (energy, finance, health, telecoms), and organisational level. We use established frameworks when they fit the context. When they do not, we design the methodology from the ground up. Every assessment ends with a phased roadmap the client can actually execute.

SIM3-certified assessors. Track record across 30 plus countries.

what we deliver
  • Framework selection or design. Adapted to the client's context, never applied uncritically.
  • Mixed data collection. Structured interviews, document review, technical questionnaires.
  • Validation workshops. Findings tested with the people who know the ground reality.
  • Phased roadmap. Quick wins, medium-term actions, long-term investments.
governance

Institutional governance for cybersecurity

We design the institutional architecture for national cybersecurity. Mandates and operating models for cybersecurity authorities and sector regulators, coordination mechanisms across agencies, and clear escalation and reporting frameworks. The work covers what each actor is supposed to do, who answers to whom, and how decisions move under pressure.

what we deliver
  • Institutional mapping. Gaps, overlaps, accountability lines.
  • Legal & regulatory analysis. Mandates, authorities, enforcement mechanisms.
  • Governance model design. Reporting lines, oversight processes, inter-agency coordination.
  • Review loops & sunset clauses. Structures stay fit for purpose over time.
implementation

Implementation and operational support

We support governments in standing up and strengthening the operational backbone of national cybersecurity: incident response capability and the protection of critical infrastructure.

SIM3-certified assessors. Coverage of critical infrastructure protection regimes end to end, from defining what counts as critical to setting and enforcing operator obligations.

what we deliver
  • CSIRT Design/establishment/enhancement. Mandate, organisational structure, staffing model, service catalogue, operational procedures, tooling baseline, constituency engagement, FIRST and Trusted Introducer pathways, SIM3 maturity assessment.
  • CI/CNI/CII Identification and protection. Sector criteria, operator designation methodology, dependency mapping, requirement baselines.
training

Simulation, training, and exercises

Tabletop exercises for senior decision-makers, technical drills for CSIRT teams, full-scale national and cross-border simulations. We design the scenario, facilitate the exercise, and write the after-action report that turns the experience into institutional learning. The point is to stress procedures and surface the gaps that matter under pressure.

what we deliver
  • Scenario-based workshops. Tailored to the client's actual threats and institutional maturity, with operators, regulators, and policy owners in the room.
  • Exercise planning. Including multi-stakeholder and cross-border formats.
  • Facilitation under pressure. Structured inject sequences that stress decision-making.
  • After-action review. Recommendations integrated into policy and operational improvement cycles.
risk & foresight

Risk assessment and strategic foresight

Risk workshops on critical infrastructure and digital ecosystems. Strategic foresight on evolving cyber threats, regulatory shifts, and emerging technologies relevant to the public sector.

Useful when a government or international organisation needs to set priorities for the next planning cycle, justify a regulatory intervention, or stress-test a strategy against plausible futures.

what we deliver
  • Risk identification. Across people, processes, technology, and supply chain.
  • Foresight on technology & regulation. What is shifting, on what horizon, and what it means for the mandate.
  • Prioritised recommendations. Tied to budget cycles and decision points.