Systems operational /// Red team on call
// NM · USA · EU REMOTE // Booking Q3 '26
v2026.05 · Independent cyber consultancy

Senior cybersecurity. Without the Big Four bill. Just the judgment.

We're a team out of DXC, KPMG, Accenture, IBM and Deloitte. Same rigor, same methodologies, same senior people who signed your last audit — at a fraction of the overhead.

Senior talent democratized. We know that bill — we used to send it.

EX — TEAMS FROM
DXC · KPMG · Accenture · IBM · Deloitte · PwC

We came from the Big Four.
And from the trenches.

We've run critical banking infrastructure. We responded to real incidents. We signed audits that passed audits. That's not something you learn in a deck.

We built Slapsec because enterprise cyber consulting got expensive, slow and full of noise. We go straight at the problem. Same rigor as tier-1, without the overhead.

We missed the craft. We missed telling clients what we actually thought. We missed engagements that ended when the work was done.

We don't sell you frameworks. We fix things.

ex-DXC · ex-KPMG · ex-Accenture · ex-IBM · ex-Deloitte · senior team · zero juniors

Six things we won't
compromise on.

Consulting lives or dies on trust. After a decade at tier-1 firms we know exactly which corners get cut and when. These are ours.

the founders
PRINCIPLE · 01

Tell the truth.

Even when it costs us the engagement. Especially when it costs us the engagement. A good "no" is worth more than a comfortable "yes".

PRINCIPLE · 02

Senior work.
Senior signature.

The person who signs the report is the person who did the work. No ghost juniors.

PRINCIPLE · 03

Leave them stronger.

Transfer is the real deliverable. Dependency is a failure mode.

PRINCIPLE · 04

Findings are yours.

The moment we see them. No strategic timing. No saved-up follow-on sales.

PRINCIPLE · 05

Vendor-neutral.
By default.

Every partnership disclosed before the advice.

PRINCIPLE · 06

Not ours?
We say so.

We'd rather lose the project than sell one we can't deliver.

Four fronts.
One standard of craft.

We cover the full risk cycle — attack to discover, architect to resist, protect the data, automate the operation. We engage where you need us and leave when it's solved.

01 / 04 · Operational

Offensive Security
& Intelligence

Red team and pentesting — manual and automated — plus continuous external threat monitoring with our Digital Risk Radar. We find what a real attacker would exploit, before they do. PTES, OWASP, MITRE ATT&CK.

  • Web & API Pentest
  • Red Team Ops
  • Infra & AD Pentest
  • Cloud Pentest (AWS/Azure/GCP)
  • OT/ICS Pentest
  • Mobile Pentest
  • Social Engineering
  • Bug Bounty & Retainer
  • Digital Risk Radar
  • Dark Web Monitoring

02 / 04 · Operational

Zero Trust
Architecture

Design, implement and operate 'never trust, always verify' architectures. Identity-first, segmented, verified, measured — vendor-agnostic, with the market's leading platforms.

  • IAM & PAM
  • Microsegmentation
  • SASE & ZTNA
  • EDR / XDR
  • Cloud Posture (CSPM/CIEM)
  • Design & Governance

03 / 04 · Operational

Data
Security

Protect information across its full lifecycle — discover, classify, protect, monitor, respond. DLP, IRM and DSPM with leading platforms (SealPath, arexdata, Microsoft Purview).

  • DLP
  • IRM (SealPath)
  • DSPM (arexdata)
  • Discovery & classification
  • Microsoft Purview
  • GDPR & PCI mapping

04 / 04 · Operational

AI &
Automation

Intelligent, continuous operation. We orchestrate, harden and automate critical tasks — from AI-assisted triage to unattended SSL certificate rotation.

  • AI-assisted triage
  • SOAR orchestration
  • Continuous hardening (CIS)
  • Vulnerability mgmt
  • Certificate automation
  • Integration & APIs

Regulated. Complex.
No room for error.

We work where cyber failures are expensive, visible and regulated. Every engagement maps to the threat model and compliance obligations of your sector.

SEC/FIN.01

Financial Services

Retail, commercial and investment banking, insurance, fintech. DORA, EBA ICT, PSD2, PCI-DSS scope reduction.

DORA · EBA · PCI-DSS

SEC/ENE.02

Energy & Utilities

Generation, distribution, O&G. OT/IT convergence, NIS2 essential entity compliance, SCADA hardening.

NIS2 · IEC-62443 · OT

SEC/DEF.03

Defense & Aerospace

Supply-chain assurance, ENS Alta hardening, segmentation and air-gapped / OT environments for critical defense and aerospace systems.

ENS Alta · Supply-chain · Air-gap

SEC/HLT.04

Healthcare & Pharma

Patient data protection, medical device security, clinical systems hardening, GDPR Art.9 special category data.

HIPAA · MDR · GDPR-9

SEC/PUB.05

Public Sector

Central and regional administration, critical digital services, transparent procurement, ENS CCN-STIC.

ENS · CCN-STIC · eIDAS

SEC/RET.06

Retail & E-commerce

Omnichannel architecture, card data scope reduction, fraud prevention, bot mgmt, account takeover defense.

PCI-DSS · Bot-Mgmt · Fraud

Same rigor.
Half the bill.
Zero games.

We came from there. We know what the Big Four invoice. We know what's worth it — and what isn't.

Criteria
Slapsec
Big Four
Boutique
Senior-only team
~
Same senior through whole project
Fixed-price proposals
~
Proposal in under 72h
~
Direct comms with exec team
Vendor-independent advice
~
Retesting & remediation included
~
~
Internal capability transfer
~
Zero subcontracting
~
Typical day rate: Slapsec €·€ · Big Four €·€·€·€ · Boutique €·€·€
Deck-to-code ratio: Slapsec 1:9 · Big Four 9:1 · Boutique 5:5

Results you can defend
to your board.

One flagship build, real numbers — the kind of recurring operational risk we turn into an autonomous process.

Security Automation · Certificate Ops · #CASE-SSL

Unattended SSL/TLS certificate rotation

The problem. Certificates expiring without warning caused service outages, incidents and urgent manual work. Hundreds of certs scattered across services — no reliable inventory, no clear owner.

Our solution. A pipeline that discovers, inventories and rotates every certificate via ACME, deploys to the services and verifies the result end to end — with zero manual intervention.

Discover → Issue → Rotate → Deploy → Verify

0 · Outages from expired certs
100% · Inventory under control
24/7 · Unattended renewal

Round numbers.
No fine print.

Senior-only team, real impact, real measures. We don't inflate KPIs.

15+
Avg. years senior exp.
200+
Projects delivered
40+
Team certifications
96%
Client satisfaction
0
Subcontracted staff
72h
Max. proposal turnaround
24/7
Continuous monitoring
100%
Senior staff ratio

No smoke. No
deck marathons.
Just judgment.

We engage fast, diagnose precisely, execute what's needed, and leave when it's solved. No manufactured dependency.

PHASE 01

Honest
diagnosis

45-minute discovery call. We tell you if it's our terrain — straight up. If it fits, clear proposal back to you in under 72h.

< 72h
PHASE 02

Scope
& price

Fixed-price when possible. Clear deliverables, clear timeline. No time-and-materials roulette. You know exactly what you're signing.

Fixed
PHASE 03

Senior
execution

You work with the people who sign the document. No junior army. One contact, real answers, readable reports, prioritized by actual risk.

Sr. only
PHASE 04

Transfer
& exit

We leave internal capability behind. The goal isn't a 5-year retainer — it's your team owning what they should own. Clean handover.

Handover

The people on your
engagement are senior.

Averages that mean something. We don't bench-warm juniors on your project and bill senior rates. You see the people, you get the people.

15+ · Years avg.
100% · Senior staff
5 · Languages
40+ · Certifications
24/7 · Monitoring
0 · Subcontractors

CISSP · CISM · CISA · OSCP · OSEP · OSWE · CRTP · CRTO · CRTL · eMAPT · CEH · CCSP · CCSK · ISO 27001 LA · ISO 27001 LI · ISO 22301 LA · GIAC GCIH · GIAC GPEN · GIAC GCFA · CISO-G · SABSA · TOGAF · PMP · AZ-500 · AWS Sec Specialty · GCP Pro Sec

Microsoft Entra · Okta · CyberArk · SailPoint · Zscaler · Palo Alto Networks · Cisco · Fortinet · CrowdStrike · Microsoft Defender · SentinelOne · Wiz · Prisma Cloud · SealPath · arexdata · Microsoft Purview · Forcepoint · AWS · Azure · GCP

PTES · OWASP Top 10 · OWASP ASVS · MITRE ATT&CK · NIST CSF 2.0 · NIST SP 800-53 · ISO 27001 · ISO 27701 · SOC 2 · PCI-DSS 4.0 · GDPR · HIPAA · ENS · ENS Alta · CCN-STIC

Sharp takes on
what's actually moving.

Short, technical, opinionated. No vendor fluff, no listicles.

What you can
hold us to.

Our Code is what we believe. These are what we sign. Six operational commitments written into every engagement.

C · 01: Senior team on every billable hour. 100 %
C · 02: Proposal back in 72 hours — or not at all. ≤ 72 h
C · 03: Same senior from kickoff to closeout. 1 : 1
C · 04: Fixed price when the scope is clean. Fixed
C · 05: Critical findings reported the day we see them. D + 0
C · 06: Your data stays yours. Ours is deleted on exit. D + 0

What CISOs ask
before signing.

The honest answers we give in every first call. If something's missing, tell us and we'll add it.

We came from there. We know exactly how their engagements are built.
Depends on scope.
Yes.
We maintain a formal conflict register.
Four tiers, matched to your maturity and budget.
Yes.
Yes.
We tell you. Always.
Minimum 10 years.

Got a problem
worth solving?

One 45-minute call. We'll tell you straight whether it's our terrain — and if it is, you get a clear proposal back in under 72 hours.

slapsec@intake — secure