Security Maturity Assessment

Security architecture for central bank digital currency (CBDC) and digital currency infrastructure covering retail and wholesale CBDC models, dual-led...

Security architecture for zero-knowledge proof (ZKP) systems covering ZK-SNARK and ZK-STARK proof systems, trusted setup ceremony security, ZK-rollup ...

Security architecture for decentralised identity (DID/SSI) systems covering W3C DID method selection and resolution, Verifiable Credential (VC) issuan...

Security architecture for institutional tokenised asset platforms covering custody architecture (HSM, MPC, threshold signatures), smart contract secur...

Comprehensive mobile security architecture pattern covering certificate pinning, secure enclave usage, biometric authentication, mobile payment securi...

Security architecture for the use of AI in defensive security operations — AI-augmented threat detection, AI-assisted incident triage and response, AI...

Enterprise security architecture for adopting agentic AI frameworks (LangChain, CrewAI, AutoGen, LangGraph, and similar orchestration platforms) safel...

Comprehensive pattern for discovering, monitoring, and managing an organisation's internet-facing digital assets. Covers automated asset discovery, DN...

A governance pattern for establishing and operating an AI management system (AIMS) across the enterprise. Covers training data governance, model lifec...

A security architecture pattern for managing the full identity lifecycle across SaaS applications -- from provisioning and role assignment through acc...

Architecture pattern bridging the gap between security control frameworks and practical software implementation. Provides developer-centric guidance f...

Architecture pattern for migrating enterprise cryptographic infrastructure to post-quantum algorithms. Covers crypto agility, cryptographic inventory ...

Pattern for implementing client-side encryption to protect sensitive user data before it reaches the server. Covers browser-based cryptography via Web...

End-to-end vulnerability management pattern covering asset discovery, vulnerability scanning, risk-based prioritisation, patch management lifecycle, e...

Comprehensive privileged access management pattern covering credential vaulting, just-in-time access, session recording, standing privilege eliminatio...

End-to-end incident response pattern covering preparation, detection, triage, containment, eradication, recovery, and post-incident review. Addresses ...

Governance and execution pattern for red teaming, blue teaming, purple teaming, and intelligence-led penetration testing (CBEST, TIBER-EU). Covers thr...

Enterprise architecture pattern for designing systems that survive cyber attacks, maintain critical operations under degraded conditions, and recover ...

Deep-dive pattern for implementing phishing-resistant passwordless authentication using FIDO2 WebAuthn and passkeys. Covers platform authenticators, r...

Enterprise authentication architecture pattern covering directory services, federation, and token-based authentication using OIDC, OAuth 2.0, and JWT....

End-to-end security operations pattern covering the full detection and response lifecycle: telemetry collection from endpoints, networks, and cloud; c...

Comprehensive security pattern for protecting application programming interfaces across their full lifecycle. Maps 45 NIST 800-53 controls to the crit...

Enterprise security architecture pattern that eliminates implicit trust, enforcing continuous verification of every user, device, and workload before ...

Security architecture for CI/CD pipelines, DevSecOps practices, and software delivery automation. Covers pipeline infrastructure hardening, secrets ma...

Security architecture for integrating large language models (LLMs) into enterprise environments. Covers prompt injection and jailbreaking defences, ou...

Security architecture for a fully PCI DSS compliant cardholder data environment. Covers CDE scoping and segmentation, cardholder data protection with ...

Security architecture for building advanced detection and response capabilities against sophisticated threats. Covers SIEM deployment, security operat...

Security architecture for protecting industrial control systems (ICS), SCADA, and operational technology environments. Covers network segmentation bet...

Security architecture for enabling secure, business-driven file sharing with external partners without pre-established federation. Covers encrypted fi...

Security architecture for establishing, operating, and continuously improving an Information Security Management System aligned with ISO 27001. Covers...

Security architecture for designing and operating a demilitarized zone (DMZ) network segment. Covers multi-tier firewall topologies, bastion host hard...

Comprehensive remote and hybrid working security pattern covering endpoint hardening, ZTNA and VPN architectures, BYOD and corporate device management...

Security architecture for classifying, protecting, and controlling data throughout its lifecycle. Covers data classification schemes, encryption at re...

End-to-end secure SDLC pattern covering threat modelling in design, secure coding standards, static and dynamic analysis, software composition analysi...

Security architecture for organisations consuming or providing cloud services, addressing the shared responsibility model, data sovereignty, identity ...

Security architecture for internet-facing web applications, covering network segmentation, input validation, session management, TLS configuration, DD...

Reusable security module defining the standard control baseline for server systems including physical, virtual, and cloud-hosted instances. Referenced...

Reusable security module defining the standard control baseline for client endpoints including desktops, laptops, and workstations. Referenced as a bu...