Frequently asked questions

Below are answers to common questions about how I work and what you can expect.


What types of organisations do you work with?

I mainly work with small and mid-sized organisations that already have IT systems in place but want clearer security structure,
stronger access controls, and more confidence in how their systems are protected.

Typical clients include professional services firms, non-profits, engineering companies, research groups,
and private-sector SMEs in the UK and Europe.


Do you provide hands-on implementation, or only advice?

Both, depending on what you need.

Most organisations start with the Baseline Security Sprint to establish where exposure is concentrated
and what should be fixed first. Implementation support can then be provided if you want help delivering the actions.
Implementation is always scoped separately.

Many clients prefer a done-with-you approach rather than receiving a report and being left to work through it alone.


How are you different from managed IT providers or large consultancies?

  • No product sales or lock-in. I do not sell software or push subscriptions.
  • Focus on fundamentals. Work starts with the controls that reduce risk most effectively.
  • Direct access. You work directly with me, not through layers of account management.

How does the Baseline Security Sprint differ from a traditional security risk assessment?

The Baseline Security Sprint includes a focused security risk assessment, but it does not stop at identifying risk.

Traditional risk assessments often produce long lists of issues or rely on abstract scoring models.
The Sprint is designed to produce decisions.

It prioritises the risks that matter most in your environment and turns them into a clearly ordered action plan, so you know what to fix first, what can safely wait, and what is explicitly out of scope.

What types of cybersecurity services do you not provide?

I focus on practical, hands-on security improvement and advisory work.

I do not provide services such as full compliance programme builds, managed SOC services, 24/7 monitoring, penetration testing, or vendor-reseller offerings.

These boundaries are intentional and help ensure work stays focused, effective, and proportionate.

A clear overview of what I do not offer is available here: → What I Don’t Offer


Do you provide penetration testing?

No. I do not provide penetration testing or red-team services.

However, I can help you determine whether a penetration test is appropriate, define the right scope,
and interpret the results in context. This helps ensure testing effort is well targeted and that findings
lead to meaningful improvements rather than generic remediation lists.


What does a typical engagement look like?

Work follows a simple, structured flow so you always know what is happening:

  • Initial call. Confirm fit, constraints, urgency, and the right starting point.
  • Baseline Security Sprint. Discovery and analysis that results in a prioritised action plan and clear sequencing.
  • Optional implementation support. If required, improvements are delivered in a controlled way and scoped separately.
  • Handover. Clear documentation, evidence, and agreed next steps.

Do you work remotely or on-site?

Most work is done remotely, which is efficient and cost-effective for many organisations.

On-site work can be arranged where it adds value, for example for access reviews,
internal network assessments, or identity and workflow analysis.


How long does a typical engagement take?

Smaller hardening or access-control improvements often take two to four weeks,
depending on scope and availability.

Larger or more complex work is broken into clear phases with agreed milestones.


What technologies do you work with?

I work mainly in Linux-based and cloud environments. Common areas include:

  • Linux platforms (RHEL, Debian, Ubuntu)
  • Configuration and automation (Ansible, Red Hat Satellite)
  • Identity and access controls (SSH keys, MFA, privilege models)
  • Virtualisation and container environments where relevant
  • AWS infrastructure
  • Monitoring, auditing, and baseline configuration
  • Secure remote access and system hardening

Do you work with organisations without an internal IT team?

Yes. Many clients have limited internal technical capacity.
Work is delivered in a clear, structured way that remains manageable for both technical and non-technical stakeholders.


Do you offer ongoing support after initial work?

Yes, where it makes sense. Some clients prefer periodic reviews or follow-up sessions to keep improvements on track.

There are no mandatory retainers or long-term commitments.


Are you professionally qualified and security-cleared?

Yes. I hold UK Security Check (SC) clearance and recognised certifications including CompTIA Security+,
LPIC, and AWS Solutions Architect Associate.

My experience spans more than 20 years across government, enterprise,
and academic environments in the UK and mainland Europe.


How are VAT and legal matters handled for German and EU clients?

I provide IT services via a UK limited company under a standard business-to-business (B2B) model. For German and EU VAT-registered clients, services are invoiced net of VAT under the reverse-charge mechanism. No German payroll, employment, or permanent establishment is created.

A short explanation of VAT, legal structure, and compliance for German clients is available here:

Cross-Border Contracting (UK – EU/Germany)


How much does it cost?

Pricing is transparent and based on clearly defined scope.
Where possible, work is offered as fixed-scope projects with predictable costs.

A short discovery call is the best way to confirm what is needed and agree the right next step.


Next step

If you want to confirm fit and discuss scope, book a short discovery call.