Defensive, practical cybersecurity, built on 25 years of operating real infrastructure
I don't sell smoke or ChatGPT-generated "cyber risk scores." I do concrete hardening, firewall audits, SIEM/EDR deployment (Wazuh open-source), and I help you get through NIS2 or an ISO 27001 pre-audit without wrecking your budget. CEH certified (in progress), experience on NATO projects and critical infrastructure.
Honest disclaimer
I'm not a full-stack offensive red-team pen-tester. What I do is blue-team defensive — hardening, detection, response, compliance. For pure offensive pen-testing, I work with OSCP/OSCE-certified partners and can put you in touch if you need it.
I'm not a full-stack offensive red-team pen-tester. What I do is blue-team defensive — hardening, detection, response, compliance. For pure offensive pen-testing, I work with OSCP/OSCE-certified partners and can put you in touch if you need it.
01 When you need this
- You've entered NIS2 scope (medium/large companies in critical sectors) and need urgent gap analysis
- You're preparing for ISO 27001 certification for a public contract or a major client
- You went through an incident (ransomware, data leak) and want to make sure it doesn't happen again
- You have a firewall that "has worked for 10 years" and nobody knows what rules are in there anymore
- Your internal or external auditor is asking for SIEM/EDR and you need a solution that doesn't cost €50k/year
- You have an Active Directory environment that hasn't been maintained for years, with obvious risks (Kerberoasting, delegation abuses, etc.)
02 What I deliver
Security audit & gap analysis
Assessment against CIS Controls v8, NIS2 gap analysis, executive + technical report, prioritization by risk & cost.
Server & AD hardening
CIS Benchmarks applied on Windows Server, Linux, Active Directory. GPO review, delegations, service accounts, password policies.
SIEM/EDR with Wazuh
Wazuh open-source deployment, log source integration (AD, firewall, servers, VMs), custom detection rules for your environment.
Firewall review & redesign
Rule set audit, elimination of redundant/dead rules, micro-network segmentation, rule documentation with business justification.
Incident response plan
Playbooks for scenarios (ransomware, phishing compromise, data exfil), roles & responsibilities, communication, table-top exercise.
NIS2 / ISO 27001 prep
Gap analysis vs. requirements, policy templates, evidence collection, pre-audit mock, coaching the team for the external auditor.
03 My working stack
| Category | Tool | Why |
|---|---|---|
| SIEM/XDR | Wazuh | Open-source, mature, includes FIM, vulnerability detection, compliance reports. Zero licensing. |
| Firewall | pfSense / OPNsense | Open-source, enterprise-grade, integrated IPS/IDS, transparent. Alternatives: FortiGate, Cisco ASA. |
| IDS/IPS | Suricata | Integrated into Wazuh/pfSense, rules updated from Emerging Threats. |
| AD Security | PingCastle · BloodHound | Audit & visualization of attack paths in Active Directory. |
| Vuln Scanning | OpenVAS / Nessus | Regular infrastructure scan, integration with Wazuh for reporting. |
| Backup security | Veeam · PBS | Air-gapped backup, immutable storage, restore testing — the 3rd line against ransomware. |
| Email security | Exchange Hardening · Proofpoint | MTA-STS, DMARC, SPF, DKIM properly configured, phishing protection. |
04 The audit & hardening process
PHASE 01
Scoping
Asset inventory, crown jewels identification, scope definition (what's in, what's out), NDA.
PHASE 02
Assessment
CIS Controls v8, MITRE ATT&CK mapping, vuln scan, config review, team interviews.
PHASE 03
Report & Prioritization
Findings in 3 tiers (Critical/High/Medium), remediation plan, cost-benefit on each.
PHASE 04
Hardening
Apply CIS Benchmarks on OS, fix critical configurations, GPO & firewall review, documentation.
PHASE 05
Monitoring & Detection
Deploy Wazuh, integrate log sources, custom rules, dashboards, alerting.
PHASE 06
Re-test & Handover
Post-remediation re-scan, before/after comparison, final documentation, team training.
05 Use cases
Automotive manufacturer, NIS2 scope
Gap analysis vs. NIS2 Art. 21 (risk management, incident handling, continuity, supply chain). 12-month compliance roadmap, policy templates.
MSP with 40 clients, pre-ISO 27001
ISMS maturity assessment, full policy set (25+ policies), SoA, Risk Register, evidence templates, internal mock audit.
Private clinic post-ransomware incident
Lightweight forensics, immediate hardening (patches, network segregation, EDR), compromised DC rebuild, immutable backup, IR playbook.
Retail company, 15 locations
Firewall standardization across all locations, POS/back-office/guest WiFi segmentation, central Wazuh for distributed monitoring.
06 Packages
Package 01
One-off Security Audit
from €3,500 / project
- CIS Controls v8 assessment
- AD security review (PingCastle/BloodHound)
- Vuln scan with OpenVAS
- Prioritized report + presentation
- Duration: 2-3 weeks
Package 02 · Most requested
Audit + Hardening + SIEM
from €9,500 / project
- Everything in Package 01
- Hardening on servers & AD
- Wazuh SIEM/EDR deployment
- Firewall review & rule redesign
- Incident response playbooks
- Re-scan & validation
- Duration: 6-10 weeks
Package 03
NIS2 / ISO 27001 Prep
Custom quote
- Full gap analysis
- Policy set & procedures
- Risk Register & SoA
- Pre-audit mock
- Coaching during external audit
- Optional post-certification retainer
07 FAQ
Why Wazuh and not Splunk/Sentinel/CrowdStrike?
Wazuh is open-source, mature, and includes FIM + vulnerability detection + compliance reports, with no licensing cost. For SMBs and mid-sized companies, it's unbeatable on cost/value. For enterprises with a large budget and complex integrations, Splunk/Sentinel make sense — I can deliver on those too.
Are you an authorized provider for ISO 27001 certification?
No. I don't issue the certification — that's done by an accredited body (TÜV, DNV, Bureau Veritas, etc.). I prepare you technically & organizationally to pass their audit. That's standard and clearly scoped practice.
How long does NIS2 preparation take?
Depends on current state. Companies with a zero-maturity ISMS: 6-12 months. With partial compliance: 3-6 months. The gap analysis in the first 2-3 weeks tells you realistic timing.
What do I do if I detect an active incident?
I immediately activate IR protocol: contain (network isolation), eradicate (identify & remove), recover (restore from clean backup). I don't do court-level forensics but I collaborate with specialized firms when needed (and I document the evidence chain).
Do you also cover security awareness training?
Yes, but it's not my main focus. I offer technical sessions (2-4h) for the IT team and short sessions (30 min) for end users. For extensive programs, I recommend specialized partners.
Let's start with a free one-hour gap analysis
You tell me your industry, what compliance is pressuring you, what you've already implemented. I'll tell you realistically what's still missing and how long it would take. No mandatory package.